opendatahub-io-contrib / data-mesh-pattern

Data Mesh Pattern
https://opendatahub-io-contrib.github.io/data-mesh-pattern
Apache License 2.0

🐛 [bug] - OpenMetaData integrate with OIDC/OAUTH2/Keycloak #48

Closed eformat closed 1 year ago

eformat commented 1 year ago

📝 Description

OpenMetadata needs integrating with Keycloak login

eformat commented 1 year ago

WIP - https://github.com/opendatahub-io-contrib/data-mesh-pattern/compare/main...eformat:data-mesh-pattern:openmetadata-keycloak

Still needs:

Organization / Roles (this could be a separate issue), as we need to figure out how groups/orgs work.

For this change, adding a default for Admins that matches the IPA setup, i.e.:

```
AUTHORIZER_ADMIN_PRINCIPALS="[user1,user2,user3,user4]" \
AUTHORIZER_PRINCIPAL_DOMAIN="redhatlabs.dev" \
```

eformat commented 1 year ago

Hmm... it seems there is no way to configure a backchannel logout URL (to call Keycloak), and the OpenMetadata example uses frontchannel logout that does not seem to work with Keycloak (at least the session is still active in KC).

https://github.com/open-metadata/openmetadata-demo/blob/main/keycloak-sso/config/data-sec.json#L558

Will raise as a separate issue, as login is working OK and the admin setting is OK.