RDM 13.0.0 Upgrade Notes
Migrate configurations from XML files to the application.properties file
RDM Web Application has been moved to Spring Boot.
This means the configuration is now defined by the application.properties file.
If you are upgrading and want to maintain the current configuration, you must manually migrate your settings from the existing .xml files to application.properties.
| New property name | Previously defined in web.xml parameter |
|---|---|
| | appServer |
| | modelRepo |
| | appServer |
| | licenseFolder |

| New property name | Previously defined in context.xml parameter |
|---|---|
| | Resource |
| | " |
| | " |
| | " |
| | " |

| New property name | Previously defined in staticconfig.xml parameter |
|---|---|
| | configurationLoader |
Changes to validators.xml
You previously needed to provide the URL for every RDM validator class defined in validators.xml.
The property ataccama.one.rdm.server.url now provides this value, and you only need to define it once, in application.properties.
User and password are also no longer defined in validators.xml.
In validators.xml, this change looks as follows (the previous definition first, then the new one):
<validator class="com.ataccama.rdm.manager.validations.RdmDqcOnlineValidator" moreRows="true" name="branch" soapAction="branch" soapEnvNamespace="http://www.ataccama.com/ws/rdm/" url="http://localhost:8061/rdm/validate/branch" soapVersion="SOAP_1_1" username="admin" password="crypted:AES:XElulODX5UBo+fViggrnzPpzHd88+HHaqGgn1xVhKgk="/>
<validator class="com.ataccama.rdm.manager.validations.RdmDqcOnlineValidator" moreRows="true" name="branch" soapAction="branch" soapEnvNamespace="http://www.ataccama.com/ws/rdm/" url="/rdm/validate/branch" soapVersion="SOAP_1_1"/>
Enable HTTPS
Prerequisites: Keystore and certificate.
HTTPS is now enabled through application.properties.
First, check that the server.port property in application.properties contains the correct RDM application server port.
Edit if necessary.
Next, enable HTTPS by adding the following properties:
| Property | Description |
|---|---|
| | Type of keystore used, for example, |
| | File path to the keystore. Classpath resources can also be specified, by using the classpath prefix: |
| | Password of the keystore. |
| | The alias under which the key is stored in the keystore. |
| | Define whether SSL is required or not. |
Keycloak changes
Keycloak is now the only Identity and Access Management tool available for the RDM web application. Furthermore, all user-role mapping must be carried out in Keycloak according to the instructions found in Mapping Roles and Users, and can no longer be done within the web application.
The roles available in the Ataccamaone Keycloak realm have changed.
The new configuration can be found in the ataccamaone.json file.
ataccamaone.json:
{
"roles": {
"realm": [
{
"name": "default",
"description": "Default role for MMM Core allows to see users in Keycloak",
"composites": {
"realm": [
"MMM_user",
"RDM_user",
"MDM_user",
"DQIT_user"
]
}
},
{
"name": "admin",
"description": "Admin role able to administer all applications",
"composites": {
"realm": [
"MMM_admin",
"DPP_admin",
"RDM_admin",
"DQIT_admin",
"DQIT_supervisor",
"MDM_admin",
"CS_admin"
]
}
},
{
"name": "MMM_admin",
"description": "Has access to everything and can do everything"
},
{
"name": "MMM_read-only",
"description": "Has access to everything but cannot do anything"
},
{
"name": "MMM_application-admin",
"description": "Can change configuration but have limited access outside configuration; it is superset of MMM_user"
},
{
"name": "MMM_user",
"description": "Has access to everything needed for the application to work correctly"
},
{
"name": "MMM_data-manager",
"description": "Works mainly with catalog and related entities (data sources, rule library, components, lookups)",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "MMM_metadata-manager",
"description": "Manages metadata",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "MMM_data-analyst",
"description": "Accesses catalog, glossary and rule library",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "MMM_dq-specialist",
"description": "Works with monitoring projects and related entities (rule library, components, lookups)",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "MMM_data-governor",
"description": "Defines policies and regulations",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "MMM_export",
"description": "Can export all mmm data from application",
"composites": {
"realm": [
"MMM_user"
]
}
},
{
"name": "ONE_PLATFORM_MONITORING",
"description": "Role providing access to Prometheus"
},
{
"name": "RDM",
"description": "RDM role needed to log in"
},
{
"name": "RDM_user",
"description": "RDM Common User",
"composites": {
"realm": [
"RDM"
]
}
},
{
"name": "RDM_admin",
"description": "RDM Administrator (can access Admin Console)",
"composites": {
"realm": [
"RDM"
]
}
},
{
"name": "MDM_viewer",
"description": "MDM Viewer (only browsing)"
},
{
"name": "MDM_user",
"description": "MDM Common User (editor)"
},
{
"name": "MDM_admin",
"description": "MDM Administrator (can do everything)"
},
{
"name": "DPP_admin",
"description": "Admin role for DPP grants access to DPM console and monitoring endpoints"
},
{
"name": "DQIT_admin",
"description": "DQIT Administrator"
},
{
"name": "DQIT_supervisor",
"description": "DQIT Supervisor"
},
{
"name": "DQIT_user",
"description": "DQIT User"
},
{
"name": "CS_admin",
"description": "Admin role for Configuration Service"
}
]
},
"users": [
{
"username": "admin",
"enabled": true,
"attributes": {
"mdm_workflow": [
"consolidation"
]
},
"credentials": [
{
"type": "password",
"value": "admin"
}
],
"realmRoles": [
"default",
"admin",
"MMM_export"
]
},
{
"username": "monitoring",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "monitoring"
}
],
"realmRoles": [
"ONE_PLATFORM_MONITORING"
]
},
{
"username": "service-account-mmm-admin-client",
"enabled": true,
"totp": false,
"emailVerified": false,
"email": "service-account-mmm-admin-client@ataccama.com",
"serviceAccountClientId": "mmm-admin-client",
"credentials": [],
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"offline_access"
],
"clientRoles": {
"realm-management": [
"impersonation",
"view-realm",
"manage-users",
"view-users",
"manage-realm"
],
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
},
{
"username": "service-account-rdm-admin-client",
"enabled": true,
"totp": false,
"emailVerified": false,
"email": "service-account-rdm-admin-client@ataccama.com",
"serviceAccountClientId": "rdm-admin-client",
"credentials": [],
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"offline_access"
],
"clientRoles": {
"realm-management": [
"impersonation",
"view-realm",
"manage-users",
"view-users",
"manage-realm"
],
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
},
{
"username": "service-account-mdm-admin-client",
"enabled": true,
"totp": false,
"emailVerified": false,
"email": "service-account-mdm-admin-client@ataccama.com",
"serviceAccountClientId": "mdm-admin-client",
"credentials": [],
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"offline_access"
],
"clientRoles": {
"realm-management": [
"impersonation",
"view-realm",
"manage-users",
"view-users",
"manage-realm"
],
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
},
{
"username": "service-account-dpe-admin-client",
"enabled": true,
"totp": false,
"emailVerified": false,
"email": "service-account-dpe-admin-client@ataccama.com",
"serviceAccountClientId": "dpe-admin-client",
"credentials": [],
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"offline_access"
],
"clientRoles": {
"realm-management": [
"impersonation",
"view-realm",
"manage-users",
"view-users",
"manage-realm"
],
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
},
{
"username": "service-account-dqit-admin-client",
"enabled": true,
"totp": false,
"emailVerified": false,
"email": "service-account-dqit-admin-client@ataccama.com",
"serviceAccountClientId": "dqit-admin-client",
"credentials": [],
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"offline_access"
],
"clientRoles": {
"realm-management": [
"impersonation",
"view-realm",
"manage-users",
"view-users",
"manage-realm"
],
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
}
],
"clients": [
{
"clientId": "mmm-admin-client",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"enabled": true,
"secret": "mmm-admin-client-s3cret",
"protocol": "openid-connect"
},
{
"clientId": "rdm-admin-client",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"enabled": true,
"secret": "rdm-admin-client-s3cret",
"protocol": "openid-connect"
},
{
"clientId": "mdm-admin-client",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"enabled": true,
"secret": "mdm-admin-client-s3cret",
"protocol": "openid-connect"
},
{
"clientId": "dpe-admin-client",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"enabled": true,
"secret": "dpe-admin-client-s3cret",
"protocol": "openid-connect"
},
{
"clientId": "dqit-admin-client",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"enabled": true,
"secret": "dqit-admin-client-s3cret",
"protocol": "openid-connect"
},
{
"clientId": "mdm-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": true,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "mdm-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "rdm-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": true,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "rdm-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "mmm-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "mmm-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "dpm-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "dpm-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "dpe-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "dpe-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "ai-core-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "ai-core-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "cs-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "cs-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "dqit-steps-token-client",
"bearerOnly": false,
"publicClient": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": false,
"enabled": true,
"secret": "dqit-steps-token-client-s3cret",
"adminUrl": "http://localhost:8081/dqit/remote",
"baseUrl": "http://localhost:8081/dqit/remote",
"redirectUris": [
"http://localhost:8081/dqit/remote/*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "dqit-webapp-token-client",
"adminUrl": "http://localhost:8081/dqit",
"baseUrl": "http://localhost:8081/dqit",
"enabled": true,
"secret": "dqit-webapp-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"bearerOnly": false,
"publicClient": false,
"protocol": "openid-connect",
"directAccessGrantsEnabled": true
},
{
"clientId": "one-desktop-public-client",
"name": "Desktop Auth Client",
"enabled": true,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
},
{
"clientId": "one-webapp-token-client",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"directAccessGrantsEnabled": true,
"enabled": true,
"secret": "one-webapp-token-client-s3cret",
"redirectUris": [
"*"
],
"webOrigins": [
""
],
"protocol": "openid-connect"
},
{
"clientId": "one-webapp-public-client",
"name": "Browser Auth Client",
"enabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
},
{
"clientId": "rdm-webapp-public-client",
"name": "RDM Webapp Auth Client",
"enabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
},
{
"clientId": "mdm-webapp-public-client",
"name": "MDM Webapp Auth Client",
"enabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
},
{
"clientId": "cs-webapp-public-client",
"name": "Configuration Service Auth Client",
"enabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
},
{
"clientId": "dpm-webapp-public-client",
"name": "DPM Admin Console Auth Client",
"enabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect"
}
],
"defaultRoles": [
"default"
],
"realm": "ataccamaone",
"displayName": "Ataccama | ONE",
"sslRequired": "none",
"enabled": true,
"loginTheme": "ataccamaone"
}
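The realm file above contains passwords equal to the usernames, client secrets of the form <clientId>-s3cret, wildcard redirectUris and webOrigins, and sslRequired set to none. The following check is an added example, not Ataccama's code: it lists such entries in a realm import so they can be replaced before the realm is used in production. The excerpt is constructed from the file above, and the function name audit_realm and the check labels are made up for this example.

```python
import json

# Constructed sample: a trimmed excerpt in the shape of ataccamaone.json above.
SAMPLE_REALM = json.loads("""
{
  "realm": "ataccamaone",
  "sslRequired": "none",
  "users": [
    {"username": "admin", "credentials": [{"type": "password", "value": "admin"}]},
    {"username": "service-account-rdm-admin-client", "credentials": []}
  ],
  "clients": [
    {"clientId": "rdm-admin-client", "publicClient": false,
     "secret": "rdm-admin-client-s3cret"},
    {"clientId": "rdm-token-client", "publicClient": false,
     "secret": "rdm-token-client-s3cret", "redirectUris": ["*"], "webOrigins": [""]},
    {"clientId": "rdm-webapp-public-client", "publicClient": true,
     "redirectUris": ["*"], "webOrigins": ["*"]}
  ]
}
""")


def audit_realm(realm):
    """Return (check, subject) pairs for settings to review before production."""
    findings = []
    # Keycloak treats a missing sslRequired as "external", so only "none" is flagged.
    if realm.get("sslRequired", "external") == "none":
        findings.append(("ssl-not-required", realm.get("realm", "")))
    for user in realm.get("users", []):
        for cred in user.get("credentials", []):
            if cred.get("type") == "password" and cred.get("value") == user.get("username"):
                findings.append(("password-equals-username", user["username"]))
    for client in realm.get("clients", []):
        cid = client.get("clientId", "")
        if "*" in client.get("redirectUris", []):
            findings.append(("wildcard-redirect-uri", cid))
        if "*" in client.get("webOrigins", []):
            findings.append(("wildcard-web-origin", cid))
        # Secrets in the file above follow the pattern "<clientId>-s3cret".
        if client.get("secret") == f"{cid}-s3cret":
            findings.append(("shipped-client-secret", cid))
    return findings


if __name__ == "__main__":
    for check, subject in audit_realm(SAMPLE_REALM):
        print(f"{check:26} {subject}")
```

To check a real import, load the file with json.load and pass the result to audit_realm.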
The default users for RDM are:
- RDM_user (editing permissions)
- RDM_admin (admin permissions)
As Keycloak can simultaneously manage roles and users for web applications of multiple Ataccama products, roles in Keycloak are automatically mapped to a specific Ataccama web application using the role prefix defined for the application.
For this reason, Keycloak roles for RDM must now have the prefix RDM_.
Roles without a prefix are intended to be composite roles, which consist of prefixed roles (a composite role describes which roles apply in each module).
For example, For more information about composite roles, see Keycloak official documentation.
If Keycloak is not deployed as a service, service account roles associated with the RDM Admin client must be added manually as they are not created automatically. If these roles are missing, you might have issues accessing the RDM Admin console.
Due to configuration changes in Admin Console, it no longer allows access to the role This means the role defined in this property has access to both permissions tab and Admin Console and there is currently no role that has access to only the Permissions tab, as previous For more information, see Manage Users and Roles.
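To make the prefix and composite-role rules above concrete, the following added example (not Ataccama's code) expands a user's assigned realm roles through their composites and keeps those carrying the RDM_ prefix. The excerpt is constructed from ataccamaone.json; the function names are made up for this example, and it assumes that the application matches on the user's effective roles after composite expansion.

```python
import json

# Constructed excerpt in the shape of the "roles" and "users" sections of
# ataccamaone.json (role and user names taken from the file above).
REALM = json.loads("""
{
  "roles": {"realm": [
    {"name": "default", "composites": {"realm":
      ["MMM_user", "RDM_user", "MDM_user", "DQIT_user"]}},
    {"name": "admin", "composites": {"realm":
      ["MMM_admin", "DPP_admin", "RDM_admin", "DQIT_admin",
       "DQIT_supervisor", "MDM_admin", "CS_admin"]}},
    {"name": "RDM"},
    {"name": "RDM_user", "composites": {"realm": ["RDM"]}},
    {"name": "RDM_admin", "composites": {"realm": ["RDM"]}},
    {"name": "ONE_PLATFORM_MONITORING"}
  ]},
  "users": [
    {"username": "admin", "realmRoles": ["default", "admin", "MMM_export"]},
    {"username": "monitoring", "realmRoles": ["ONE_PLATFORM_MONITORING"]}
  ]
}
""")


def composite_map(realm):
    """Map each realm role name to the realm roles it directly contains."""
    return {
        role["name"]: role.get("composites", {}).get("realm", [])
        for role in realm.get("roles", {}).get("realm", [])
    }


def effective_roles(assigned, composites):
    """Expand composite roles transitively; the seen set guards against cycles."""
    seen, pending = set(), list(assigned)
    while pending:
        role = pending.pop()
        if role not in seen:
            seen.add(role)
            pending.extend(composites.get(role, []))
    return seen


def roles_for_app(realm, username, prefix="RDM_"):
    """Return the user's effective roles that carry the application prefix."""
    user = next(u for u in realm["users"] if u["username"] == username)
    expanded = effective_roles(user.get("realmRoles", []), composite_map(realm))
    return sorted(r for r in expanded if r.startswith(prefix))


if __name__ == "__main__":
    for name in ("admin", "monitoring"):
        print(name, roles_for_app(REALM, name))
```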
Edit the following client adapter files, so that RDM connects to Keycloak properly:
- application.properties
  - On the web application server.
  - In the project configuration Files/etc directory.

Name | Default value | Mandatory | Description |
---|---|---|---|
ataccama.authentication.keycloak.server-url | http://localhost:8083/auth | Yes | Keycloak server URL. Ending with /auth. |
ataccama.authentication.keycloak.realm | ataccamaone | Yes | Keycloak realm. |
ataccama.authentication.keycloak.admin.client-id | | Yes | Administration Keycloak client ID. |
ataccama.authentication.keycloak.admin.secret | | Yes | Administration Keycloak client secret. |
ataccama.authentication.keycloak.token.client-id | | Yes | Token Keycloak client ID. |
ataccama.authentication.keycloak.token.secret | | Yes | Token Keycloak client secret. |
ataccama.authentication.keycloak.token.issuer | | Yes | Token Keycloak issuer. |
ataccama.authentication.keycloak.public.client-id | | Yes | Keycloak public client ID for web application browsing. |
ataccama.client.connection.keycloak.http.enabled | TRUE | Yes | |
ataccama.client.connection.keycloak.http.tls.enabled | FALSE | Yes | |