-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Azure Token Base Authentication (#18387)
* Add azure token based auth * Add Azure Token Base Authentication * Update azure-auth.md * Update azure-auth.md * feat: Add `azure-identity-extensions` library for passwordless database connection --------- Co-authored-by: Ayush Shah <ayush@getcollate.io> Co-authored-by: Akash-Jain <15995028+akash-jain-10@users.noreply.github.com>
- Loading branch information
1 parent
d59e58a
commit 582090b
Showing
14 changed files
with
245 additions
and
69 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
--- | ||
title: How to enable Azure Auth | ||
slug: /deployment/azure-auth | ||
collate: false | ||
--- | ||
|
||
# AZURE resources on Postgres/MySQL Auth | ||
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions | ||
# Requirements | ||
|
||
1. Azure Postgres or MySQL Cluster with auth enabled | ||
2. User on DB Cluster with authentication enabled | ||
|
||
# How to enable Azure Auth on postgresql | ||
|
||
Set the environment variables | ||
|
||
```Commandline | ||
DB_PARAMS="azure=true&allowPublicKeyRetrieval=true&sslmode=require&serverTimezone=UTC" | ||
DB_USER_PASSWORD=none | ||
``` | ||
|
||
Either through helm (if deployed in kubernetes) or as env vars. | ||
|
||
{% note %} | ||
|
||
The `DB_USER_PASSWORD` is still required and cannot be empty. Set it to a random/dummy string. | ||
|
||
{% /note %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
openmetadata-docs/content/v1.6.x-SNAPSHOT/deployment/azure-auth.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
--- | ||
title: How to enable Azure Auth | ||
slug: /deployment/azure-auth | ||
collate: false | ||
--- | ||
|
||
# AZURE resources on Postgres/MySQL Auth | ||
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions | ||
# Requirements | ||
|
||
1. Azure Postgres or MySQL Cluster with auth enabled | ||
2. User on DB Cluster with authentication enabled | ||
|
||
# How to enable Azure Auth on postgresql | ||
|
||
Set the environment variables | ||
|
||
```Commandline | ||
DB_PARAMS="azure=true&allowPublicKeyRetrieval=true&sslmode=require&serverTimezone=UTC" | ||
DB_USER_PASSWORD=none | ||
``` | ||
|
||
Either through helm (if deployed in kubernetes) or as env vars. | ||
|
||
{% note %} | ||
|
||
The `DB_USER_PASSWORD` is still required and cannot be empty. Set it to a random/dummy string. | ||
|
||
{% /note %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
28 changes: 28 additions & 0 deletions
28
openmetadata-service/src/main/java/org/openmetadata/service/util/AzureTokenProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package org.openmetadata.service.util; | ||
|
||
import com.microsoft.aad.msal4j.*; | ||
import java.net.MalformedURLException; | ||
import java.util.Set; | ||
|
||
public class AzureTokenProvider { | ||
|
||
private static final String CLIENT_ID = "your-client-id"; // From Azure AD App Registration | ||
private static final String TENANT_ID = "your-tenant-id"; // Your Azure AD tenant ID | ||
private static final String CLIENT_SECRET = "your-client-secret"; // Generated in App Registration | ||
private static final String SCOPE = | ||
"https://ossrdbms-aad.database.windows.net/.default"; // Scope for PostgreSQL | ||
|
||
public static String getAccessToken() throws MalformedURLException { | ||
ConfidentialClientApplication app = | ||
ConfidentialClientApplication.builder( | ||
CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET)) | ||
.authority("https://login.microsoftonline.com/" + TENANT_ID) // Azure AD authority | ||
.build(); | ||
|
||
Set<String> scopes = Set.of(SCOPE); | ||
ClientCredentialParameters parameters = ClientCredentialParameters.builder(scopes).build(); | ||
IAuthenticationResult result = app.acquireToken(parameters).join(); // Get the token | ||
|
||
return result.accessToken(); // Return the access token | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
36 changes: 36 additions & 0 deletions
36
...src/main/java/org/openmetadata/service/util/jdbi/AzureDatabaseAuthenticationProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
package org.openmetadata.service.util.jdbi; | ||
|
||
import com.azure.core.credential.AccessToken; | ||
import com.azure.core.credential.TokenRequestContext; | ||
import com.azure.identity.DefaultAzureCredential; | ||
import com.azure.identity.DefaultAzureCredentialBuilder; | ||
|
||
public class AzureDatabaseAuthenticationProvider implements DatabaseAuthenticationProvider { | ||
public static final String AZURE = "azure"; | ||
|
||
@Override | ||
public String authenticate(String jdbcUrl, String username, String password) { | ||
try { | ||
return fetchAzureADToken(); | ||
} catch (Exception e) { | ||
throw new DatabaseAuthenticationProviderException(e); | ||
} | ||
} | ||
|
||
private String fetchAzureADToken() { | ||
try { | ||
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build(); | ||
TokenRequestContext requestContext = | ||
new TokenRequestContext().addScopes("https://ossrdbms-aad.database.windows.net/.default"); | ||
AccessToken token = defaultCredential.getToken(requestContext).block(); | ||
|
||
if (token != null) { | ||
return token.getToken(); | ||
} else { | ||
throw new DatabaseAuthenticationProviderException("Failed to fetch token"); | ||
} | ||
} catch (Exception e) { | ||
throw new DatabaseAuthenticationProviderException("Error fetching Azure AD token", e); | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.