Hi, I loaded the Postman example for the OpenAPI in Postman - when testing I do get the error '401 - Unauthorized'. How to fix this?

good morning, how do I enable token based authentication in DataHub? currently that part of UI is disabled. Is there a config to enable that?

Hey y'all, wondering if anyone has deployed DH behind an authentication proxy before that does the entire auth flow but then provides a signed JWT to DH for Authn/z after the full auth flow has been completed?

Hello everyone! I am looking into the authentication and authorization topic and got several questions. So far as I understand, frontend authentication can be performed with OIDC and Azure AD, and in order to do that we need to register DataHub application in the MS Azure portal and then run the Azure AD source plugin. Is this correct? Then, for authorization roles and policies are used which can be assigned to users and groups. It is still not possible to assign DataHub roles based on Azure roles (https://datahubproject.io/docs/authorization/roles#whats-coming-next) but is it possible to assign roles/policies to Azure groups? That is not clear from the docs.

X-posting, fingers crossed someone here has any thoughts, https://datahubspace.slack.com/archives/C029A3M079U/p1668099985693689

Hi! A couple of questions about authorization: I would like to define a policy such as: allow some users/groups to edit description for the datasets in a given data platform instance. This is somehow similar to this one: https://datahubproject.io/docs/authorization/policies#coming-soon

• Ability to define Metadata Policies against multiple reosurces scoped to particular “Containers” (e.g. A “schema”, “database”, or “collection”)

Just going higher in the hierarchy up to the platform instance level. In the current status, I was thinking on solving this with

resource_urn

criteria https://datahubproject.io/docs/authorization/policies#resources Does that criteria support other operators different from

EQUALS

such as starts with, contains or even regexp? Definitely in the UI this is not possible, is it possible via policy as code? Second question is about applying to owners.

Whether this policy should be apply to owners of the Metadata asset. If true, those who are marked as owners of a Metadata Asset, either directly or indirectly via a Group, will have the selected privileges.

Can this be restricted to some ownership in particular?

Hello team, somebody could help me?

PipelineInitError: Failed to configure the source (powerbi): Powerbi authorization failed . Please check your input configuration.

I have a some question for user and group authenticatetion I user a SSO with google login but i want to know 1.Can we scope some user for login such as my org have 5 people (a,b,c,d,e) but i want a and b to login c,d,e shouldn’t use datahub 2.Can we auto set group to a,b with a reader at first time login (Group not role)

Is there a way to get a session token from frontend auth? Ie, use a user/pw to obtain a token that I can use to query the graphql api? (unless I'm misunderstanding, I cannot use user/pass or cookies on graphql).

(or generate a user token)

Hello everyone! Is there a way to generate the Datahub Personal Access Token programmatically?

Hi everyone, Unauthorisation issues with setting up PAT for root datahub super user. Following this guide here: https://github.com/acryldata/datahub-helm/blob/master/README.md I’ve deployed data hub on an eks cluster. My first challenge was to generate a PAT to be used by another downstream process. Following this guide: https://datahubproject.io/docs/api/graphql/token-management#generating-access-tokens (thanks to @witty-butcher-82399 for pointing this out) I tested the example query provided, using data hub’s graphQL explorer and this works fine. However when I attempt this curl equivalent:

curl -X POST '<http://localhost:9002/api/graphql>' \  
--header 'X-DataHub-Actor: urn:li:corpuser:datahub' \
--header 'Content-Type: application/json' \
--data-raw '{ "query":"mutation { createAccessToken(input: { type: PERSONAL, actorUrn: \"urn:li:corpuser:datahub\", duration: ONE_HOUR, name: \"dt token\" } ) { accessToken metadata { id name description} } }", "variables":{}}'

The token does not get created. Via postman, and the response is a 401 Unauthorized. Which has me wondering, from the PAT guide it is stated that the User must have the Generate Personal Access Tokens or Manage All Access Tokens. Which is present for the datahub superuser[see screen shot] But I’m still getting the 401 response. My ultimate goal is to have a bash script that runs after the datahub is deployed, which generates the PAT to be used by another downstream process. Is there anything I’m missing here please? Thanks for the help.

archived the channel