Documentation: Add SSL related modifications #16437

Merged
merged 5 commits into from
May 28, 2024
Expand Up @@ -37,7 +37,7 @@ Framework at runtime, and won't be sent to the OpenMetadata server.

If you have added SSL to the [OpenMetadata server](/deployment/security/enable-ssl), then you will need to handle
the certificates when running the ingestion too. You can either set `verifySSL` to `ignore`, or have it as `validate`,
which will require you to set the `sslConfig.certificatePath` with a local path where your ingestion runs that points
which will require you to set the `sslConfig.caCertificate` with a local path where your ingestion runs that points
to the server certificate file.

Find more information on how to troubleshoot SSL issues [here](/deployment/security/enable-ssl/ssl-troubleshooting).
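Review bot: the rewritten sentence still says the path in `sslConfig.caCertificate` "points to the server certificate file", but the key is now named for a CA certificate, so the text should say it points to the CA certificate (or chain) used to verify the server's certificate, which is how `caCertificate` is described in the connector hunks of this PR. The same sentence recurs unchanged in the second `openMetadataServerConfig` documentation hunk further down and needs the same fix.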
Expand Up @@ -14,5 +14,5 @@ workflowConfig:
## If SSL, fill the following
# verifySSL: validate # or ignore
# sslConfig:
# certificatePath: /local/path/to/certificate
# caCertificate: /local/path/to/certificate
```
Expand Up @@ -49,8 +49,8 @@ serviceConnectionPath: "/images/v1.4/connectors/doris/service-connection.png",
- **Host and Port**: Enter the fully qualified hostname and port number for your Doris deployment in the Host and Port field.
- **databaseName**: Optional name to give to the database in OpenMetadata. If left blank, we will use default as the database name.
- **databaseSchema**: databaseSchema of the data source. This is optional parameter, if you would like to restrict the metadata reading to a single databaseSchema. When left blank, OpenMetadata Ingestion attempts to scan all the databaseSchema.
- **sslCA**: Provide the path to ssl ca file.
- **sslCert**: Provide the path to ssl client certificate file (ssl_cert).
- **caCertificate**: Provide the path to ssl ca file.
- **sslCertificate**: Provide the path to ssl client certificate file (ssl_cert).
- **sslKey**: Provide the path to ssl client certificate file (ssl_key).

{% partial file="/v1.4/connectors/database/advanced-configuration.md" /%}
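Review bot: the `sslKey` line left as context still describes the key as a "client certificate file (ssl_key)", which is a copy-paste of the `sslCertificate` line; since its two neighbours are being renamed anyway, fix it to "Provide the path to the ssl client private key file (ssl_key)". The JSON schema hunk later in this PR moves these three fields under `sslConfig`, so the list should also show that nesting (for example `sslConfig.caCertificate`) rather than presenting them as top-level connection options. The identical MySQL and PinotDB lists below need the same two fixes.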
Expand Up @@ -110,6 +110,21 @@ Configure and schedule Greenplum metadata and profiler workflows from the OpenMe
Find more information about [Source Identity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#:~:text=Required%3A%20No-,SourceIdentity,-The%20source%20identity).
- **Host and Port**: Enter the fully qualified hostname and port number for your Greenplum deployment in the Host and Port field.


**SSL Modes**

There are a couple of types of SSL modes that Greenplum supports which can be added to ConnectionArguments, they are as follows:
- **disable**: SSL is disabled and the connection is not encrypted.
- **allow**: SSL is used if the server requires it.
- **prefer**: SSL is used if the server supports it.
- **require**: SSL is required.
- **verify-ca**: SSL must be used and the server certificate must be verified.
- **verify-full**: SSL must be used. The server certificate must be verified, and the server hostname must match the hostname attribute on the certificate.

**SSL Configuration**

In order to integrate SSL in the Metadata Ingestion Config, the user will have to add the SSL config under sslConfig which is placed in the source.

{% partial file="/v1.4/connectors/database/advanced-configuration.md" /%}

{% /extraContent %}
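Review bot: the "SSL Configuration" paragraph says the SSL settings go under `sslConfig` in the source, but the "SSL Modes" intro says the modes are "added to ConnectionArguments"; the `codeInfo` hunk for this same connector puts `sslMode` under `sslConfig`, so the intro should say that too. "a couple of types" understates the six modes that follow, and the `allow`/`prefer` one-liners are near-interchangeable as written; the fuller wording in the `codeInfo` hunk (try non-SSL first and switch if the server insists, versus try SSL first and fall back if unsupported) is clearer and could be reused here. The double blank line before `**SSL Modes**` should be collapsed to one.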
Expand Up @@ -182,6 +182,25 @@ Find more information about [Source Identity](https://docs.aws.amazon.com/STS/la

{% /codeInfo %}

{% codeInfo srNumber=9 %}

The sslConfig and sslMode are used to configure the SSL (Secure Sockets Layer) connection between your application and the Greenplum server. Greenplum will require only rootCertificate i.e caCertificate.

**caCertificate**: This is the path to the CA (Certificate Authority) certificate file. This file is used to verify the server’s certificate.

**sslMode**: This field controls whether a secure SSL/TLS connection will be negotiated with the server. There are several modes you can choose:

disable: No SSL/TLS encryption will be used; the data sent over the network is not encrypted.
allow: The driver will try to negotiate a non-SSL connection but if the server insists on SSL, it will switch to SSL.
prefer (the default): The driver will try to negotiate an SSL connection but if the server does not support SSL, it will switch to a non-SSL connection.
require: The driver will try to negotiate an SSL connection. If the server does not support SSL, the driver will not fall back to a non-SSL connection.
verify-ca: The driver will negotiate an SSL connection and verify that the server certificate is issued by a trusted certificate authority (CA).
verify-full: The driver will negotiate an SSL connection, verify that the server certificate is issued by a trusted CA and check that the server host name matches the one in the certificate.


{% /codeInfo %}


{% /codeInfoContainer %}

{% codeBlock fileName="filename.yaml" %}
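Review bot: the mode list never says which modes actually consume `caCertificate`: by the list's own definitions only `verify-ca` and `verify-full` check the server certificate, while `require` only guarantees encryption and accepts any certificate, so a reader who sets `caCertificate` together with `sslMode: require` gets no protection against an impersonated server. One sentence after the `verify-full` entry would close that gap. "Greenplum will require only rootCertificate i.e caCertificate" also reads oddly; suggest "Greenplum only needs the root (CA) certificate, supplied as `caCertificate`", and "SSL (Secure Sockets Layer)" could be "SSL/TLS" to match the `sslMode` paragraph. The double blank line before `{% /codeInfo %}` should be a single one.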
Expand Down Expand Up @@ -217,6 +236,11 @@ source:
```yaml {% srNumber=6 %}
ingestAllDatabases: true
```
```yaml {% srNumber=9 %}
# sslConfig:
# caCertificate: "path/to/ca/certificate"
# sslMode: disable #allow prefer require verify-ca verify-full
```
```yaml {% srNumber=7 %}
# connectionOptions:
# key: value
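Review bot: the sample shows `sslMode: disable` as the visible value with the other modes in a trailing comment, so a reader who uncomments the block as-is gets an unencrypted connection and an unused `caCertificate`. Suggest showing the mode that actually uses the CA path, e.g. `#   sslMode: verify-full # disable allow prefer require verify-ca`; the same sample appears in the Postgres and Redshift hunks below.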
Expand Up @@ -130,8 +130,8 @@ Executing the profiler workflow or data quality tests, will require the user to
- **Host and Port**: Enter the fully qualified hostname and port number for your MySQL deployment in the Host and Port field.
- **databaseName**: Optional name to give to the database in OpenMetadata. If left blank, we will use default as the database name.
- **databaseSchema**: databaseSchema of the data source. This is optional parameter, if you would like to restrict the metadata reading to a single databaseSchema. When left blank, OpenMetadata Ingestion attempts to scan all the databaseSchema.
- **sslCA**: Provide the path to ssl ca file.
- **sslCert**: Provide the path to ssl client certificate file (ssl_cert).
- **caCertificate**: Provide the path to ssl ca file.
- **sslCertificate**: Provide the path to ssl client certificate file (ssl_cert).
- **sslKey**: Provide the path to ssl client certificate file (ssl_key).

{% partial file="/v1.4/connectors/database/advanced-configuration.md" /%}
Expand Up @@ -44,8 +44,8 @@ Configure and schedule PinotDB metadata and profiler workflows from the OpenMeta
- **Host and Port**: Enter the fully qualified hostname and port number for your PinotDB deployment in the Host and Port field.
- **databaseName**: Optional name to give to the database in OpenMetadata. If left blank, we will use default as the database name.
- **databaseSchema**: databaseSchema of the data source. This is optional parameter, if you would like to restrict the metadata reading to a single databaseSchema. When left blank, OpenMetadata Ingestion attempts to scan all the databaseSchema.
- **sslCA**: Provide the path to ssl ca file.
- **sslCert**: Provide the path to ssl client certificate file (ssl_cert).
- **caCertificate**: Provide the path to ssl ca file.
- **sslCertificate**: Provide the path to ssl client certificate file (ssl_cert).
- **sslKey**: Provide the path to ssl client certificate file (ssl_key).

{% partial file="/v1.4/connectors/database/advanced-configuration.md" /%}
Expand Up @@ -132,6 +132,20 @@ GRANT pg_read_all_stats TO your_user;
Find more information about [Source Identity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#:~:text=Required%3A%20No-,SourceIdentity,-The%20source%20identity).
- **Host and Port**: Enter the fully qualified hostname and port number for your Postgres deployment in the Host and Port field.

**SSL Modes**

There are a couple of types of SSL modes that Postgres supports which can be added to ConnectionArguments, they are as follows:
- **disable**: SSL is disabled and the connection is not encrypted.
- **allow**: SSL is used if the server requires it.
- **prefer**: SSL is used if the server supports it.
- **require**: SSL is required.
- **verify-ca**: SSL must be used and the server certificate must be verified.
- **verify-full**: SSL must be used. The server certificate must be verified, and the server hostname must match the hostname attribute on the certificate.

**SSL Configuration**

In order to integrate SSL in the Metadata Ingestion Config, the user will have to add the SSL config under sslConfig which is placed in the source.

{% partial file="/v1.4/connectors/database/advanced-configuration.md" /%}

{% /extraContent %}
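Review bot: this block is a verbatim copy of the Greenplum "SSL Modes"/"SSL Configuration" text and carries the same inconsistency (modes "added to ConnectionArguments" in the intro versus `sslConfig` in the configuration paragraph and in the `codeInfo` hunk below). Both connector pages already pull shared text in with `{% partial file=... %}`, so moving this section into a partial would keep the two copies from drifting.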
Expand Up @@ -203,6 +203,24 @@ Find more information about [Source Identity](https://docs.aws.amazon.com/STS/la

- In case you are using Single-Sign-On (SSO) for authentication, add the `authenticator` details in the Connection Arguments as a Key-Value pair as follows: `"authenticator" : "sso_login_url"`

{% /codeInfo %}

{% codeInfo srNumber=9 %}

The sslConfig and sslMode are used to configure the SSL (Secure Sockets Layer) connection between your application and the PostgreSQL server. PostgreSQL will require only rootCertificate i.e caCertificate.

**caCertificate**: This is the path to the CA (Certificate Authority) certificate file. This file is used to verify the server’s certificate.

**sslMode**: This field controls whether a secure SSL/TLS connection will be negotiated with the server. There are several modes you can choose:

disable: No SSL/TLS encryption will be used; the data sent over the network is not encrypted.
allow: The driver will try to negotiate a non-SSL connection but if the server insists on SSL, it will switch to SSL.
prefer (the default): The driver will try to negotiate an SSL connection but if the server does not support SSL, it will switch to a non-SSL connection.
require: The driver will try to negotiate an SSL connection. If the server does not support SSL, the driver will not fall back to a non-SSL connection.
verify-ca: The driver will negotiate an SSL connection and verify that the server certificate is issued by a trusted certificate authority (CA).
verify-full: The driver will negotiate an SSL connection, verify that the server certificate is issued by a trusted CA and check that the server host name matches the one in the certificate.


{% /codeInfo %}

{% /codeInfoContainer %}
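Review bot: the new `codeInfo srNumber=9` block is the Greenplum text with only the product name changed, so the same remarks apply: state that only `verify-ca` and `verify-full` consult `caCertificate`, and reword "will require only rootCertificate i.e caCertificate". A partial would be the better home for the shared text, and the double blank line before `{% /codeInfo %}` should be a single one.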
Expand Down Expand Up @@ -240,6 +258,12 @@ source:
```yaml {% srNumber=6 %}
ingestAllDatabases: true
```
```yaml {% srNumber=9 %}
# sslConfig:
# caCertificate: "path/to/ca/certificate"
# sslMode: disable #allow prefer require verify-ca verify-full
```

```yaml {% srNumber=7 %}
# connectionOptions:
# key: value
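Review bot: the blank line inserted between the `srNumber=9` and `srNumber=7` fences is not present in the equivalent Greenplum and Redshift hunks; drop it so the three samples render the same way.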
Expand Up @@ -130,6 +130,25 @@ This is a sample config for Redshift:

{% /codeInfoContainer %}


{% codeInfo srNumber=9 %}

The sslConfig and sslMode are used to configure the SSL (Secure Sockets Layer) connection between your application and the Redshift server. Redshift will require only rootCertificate i.e caCertificate.

**caCertificate**: This is the path to the CA (Certificate Authority) certificate file. This file is used to verify the server’s certificate.

**sslMode**: This field controls whether a secure SSL/TLS connection will be negotiated with the server. There are several modes you can choose:

disable: No SSL/TLS encryption will be used; the data sent over the network is not encrypted.
allow: The driver will try to negotiate a non-SSL connection but if the server insists on SSL, it will switch to SSL.
prefer (the default): The driver will try to negotiate an SSL connection but if the server does not support SSL, it will switch to a non-SSL connection.
require: The driver will try to negotiate an SSL connection. If the server does not support SSL, the driver will not fall back to a non-SSL connection.
verify-ca: The driver will negotiate an SSL connection and verify that the server certificate is issued by a trusted certificate authority (CA).
verify-full: The driver will negotiate an SSL connection, verify that the server certificate is issued by a trusted CA and check that the server host name matches the one in the certificate.


{% /codeInfo %}

{% codeBlock fileName="filename.yaml" %}

```yaml
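Review bot: the new `{% codeInfo srNumber=9 %}` block is inserted after `{% /codeInfoContainer %}` (the context line directly above it), i.e. outside the container, whereas the Greenplum and Postgres hunks place it before `{% /codeInfoContainer %}`. Move it inside the container so the `srNumber=9` annotation is linked to the YAML sample like the other entries.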
Expand All @@ -155,6 +174,11 @@ source:
```yaml {% srNumber=5 %}
# ingestAllDatabases: true
```
```yaml {% srNumber=9 %}
# sslConfig:
# caCertificate: "path/to/ca/certificate"
# sslMode: disable #allow prefer require verify-ca verify-full
```
```yaml {% srNumber=6 %}
# connectionOptions:
# key: value
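Review bot: the new `srNumber=9` fence sits between `srNumber=5` and `srNumber=6`, so the numbered callouts in this file now run 5, 9, 6; either renumber or move the block after `srNumber=6` so the sequence stays in order.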
Expand Up @@ -115,7 +115,9 @@ from metadata.generated.schema.entity.services.connections.pipeline.openLineageC
SecurityProtocol as KafkaSecurityProtocol,
ConsumerOffsets
)

from metadata.generated.schema.security.ssl.validateSSLClientConfig import (
ValidateSslClientConfig,
)

openlineage_service_request = CreatePipelineServiceRequest(
name='openlineage-service',
Expand All @@ -131,9 +133,11 @@ openlineage_service_request = CreatePipelineServiceRequest(
sessionTimeout=60,
securityProtocol=KafkaSecurityProtocol.SSL,
# below ssl confing in optional and used only when securityProtocol=KafkaSecurityProtocol.SSL
SSLCertificateLocation='/path/to/kafka/certs/Certificate.pem',
SSLKeyLocation='/path/to/kafka/certs/Key.pem',
SSLCALocation='/path/to/kafka/certs/RootCA.pem',
sslConfig=ValidateSslClientConfig(
sslCertificate='/path/to/kafka/certs/Certificate.pem',
sslKey='/path/to/kafka/certs/Key.pem',
caCertificate='/path/to/kafka/certs/RootCA.pem'
)
)
),
)
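Review bot: the context comment `# below ssl confing in optional and used only when securityProtocol=KafkaSecurityProtocol.SSL` has two typos ("confing", "in" for "is"); since the lines under it are being rewritten, fix it to `# the sslConfig below is optional and only used when securityProtocol=KafkaSecurityProtocol.SSL`. A one-line note that `sslKey` points at the client's private key, so the file should be readable only by the ingestion user, would also help. The same comment typo recurs in the two following hunks.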
Expand Down Expand Up @@ -177,7 +181,9 @@ from metadata.generated.schema.entity.services.connections.pipeline.openLineageC
SecurityProtocol as KafkaSecurityProtocol,
ConsumerOffsets
)

from metadata.generated.schema.security.ssl.validateSSLClientConfig import (
ValidateSslClientConfig,
)

openlineage_service_request = CreatePipelineServiceRequest(
name='openlineage-service',
Expand All @@ -193,9 +199,11 @@ openlineage_service_request = CreatePipelineServiceRequest(
sessionTimeout=60,
securityProtocol=KafkaSecurityProtocol.SSL,
# below ssl confing in optional and used only when securityProtocol=KafkaSecurityProtocol.SSL
SSLCertificateLocation='/path/to/kafka/certs/Certificate.pem',
SSLKeyLocation='/path/to/kafka/certs/Key.pem',
SSLCALocation='/path/to/kafka/certs/RootCA.pem',
sslConfig=ValidateSslClientConfig(
sslCertificate='/path/to/kafka/certs/Certificate.pem',
sslKey='/path/to/kafka/certs/Key.pem',
caCertificate='/path/to/kafka/certs/RootCA.pem'
)
)
),
)
Expand Down Expand Up @@ -255,9 +263,11 @@ openlineage_service_request = CreatePipelineServiceRequest(
sessionTimeout=60,
securityProtocol=KafkaSecurityProtocol.SSL,
# below ssl confing in optional and used only when securityProtocol=KafkaSecurityProtocol.SSL
SSLCertificateLocation='/path/to/kafka/certs/Certificate.pem',
SSLKeyLocation='/path/to/kafka/certs/Key.pem',
SSLCALocation='/path/to/kafka/certs/RootCA.pem',
sslConfig=ValidateSslClientConfig(
sslCertificate='/path/to/kafka/certs/Certificate.pem',
sslKey='/path/to/kafka/certs/Key.pem',
caCertificate='/path/to/kafka/certs/RootCA.pem'
)
)
),
)
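Review bot: this hunk switches the example to `ValidateSslClientConfig` but, unlike the two preceding examples, shows no corresponding import being added; check that the third example's import block (outside the shown context) was updated too, otherwise the snippet raises `NameError` when copied.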
Expand Up @@ -137,7 +137,7 @@ Follow the [docs](/deployment/secrets-manager) to configure the secret retrieval

If you have added SSL to the [OpenMetadata server](/deployment/security/enable-ssl), then you will need to handle
the certificates when running the ingestion too. You can either set `verifySSL` to `ignore`, or have it as `validate`,
which will require you to set the `sslConfig.certificatePath` with a local path where your ingestion runs that points
which will require you to set the `sslConfig.caCertificate` with a local path where your ingestion runs that points
to the server certificate file.

Find more information on how to troubleshoot SSL issues [here](/deployment/security/enable-ssl/ssl-troubleshooting).
Expand All @@ -158,7 +158,7 @@ workflowConfig:
## If SSL, fill the following
# verifySSL: validate # or ignore
# sslConfig:
# certificatePath: /local/path/to/certificate
# caCertificate: /local/path/to/certificate
```

## 3. (Optional) Ingestion Pipeline
Expand Up @@ -80,8 +80,7 @@ pipelineServiceClientConfiguration:
hostIp: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""}
verifySSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} # Possible values are "no-ssl", "ignore", "validate"
sslConfig:
validate:
certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client
certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client

# Default required parameters for Airflow as Pipeline Service Client
parameters:
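Review bot: removing the `validate:` nesting level leaves `certificatePath` directly under `sslConfig`, which is a change to the server-side `pipelineServiceClientConfiguration` shape, not just to documentation, and the PR title ("Documentation: ...") does not signal that; please confirm the server accepts the flattened form, since existing `openmetadata.yaml` files written with the nested form will otherwise stop matching. The same edit is repeated in the second hunk of this file.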
Expand Down Expand Up @@ -232,8 +231,7 @@ pipelineServiceClientConfiguration:
hostIp: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""}
verifySSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} # Possible values are "no-ssl", "ignore", "validate"
sslConfig:
validate:
certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client
certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client

# Default required parameters for Airflow as Pipeline Service Client
parameters:
Expand Up @@ -69,8 +69,7 @@ Edit the `conf/openmetadata.yaml` file:
pipelineServiceClientConfiguration:
verifySSL: "validate"
sslConfig:
validate:
certificatePath: "/path/to/certificate/in/airflow"
certificatePath: "/path/to/certificate/in/airflow"
```

- In **K8s**:
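Review bot: after this change the same page shows `sslConfig.certificatePath` for `pipelineServiceClientConfiguration` here and `sslConfig.caCertificate` for `workflowConfig.openMetadataServerConfig` in the next hunk; if the two sides are meant to use different key names, a short sentence saying so would stop readers from copying one into the other.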
Expand Down Expand Up @@ -129,7 +128,7 @@ workflowConfig:
openMetadataServerConfig:
verifySSL: validate
sslConfig:
certificatePath: /local/path/to/certificate
caCertificate: /local/path/to/certificate
```

- To ignore certificate validation:
Expand Up @@ -215,20 +215,10 @@ On this connector we can see two different definitions:
"description": "Database Schema of the data source. This is optional parameter, if you would like to restrict the metadata reading to a single schema. When left blank, OpenMetadata Ingestion attempts to scan all the schemas.",
"type": "string"
},
"sslCA": {
"title": "SSL CA",
"description": "Provide the path to ssl ca file",
"type": "string"
},
"sslCert": {
"title": "SSL Client Certificate File",
"description": "Provide the path to ssl client certificate file (ssl_cert)",
"type": "string"
},
"sslKey": {
"title": "SSL Client Key File",
"description": "Provide the path to ssl client certificate file (ssl_key)",
"type": "string"
"sslConfig": {
"title": "SSL",
"description": "SSL Configuration details.",
"$ref": "../../../../security/ssl/verifySSLConfig.json#/definitions/sslConfig"
},
"connectionOptions": {
"title": "Connection Options",
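Review bot: dropping `sslCA`, `sslCert` and `sslKey` from the MySQL connection schema in favour of `sslConfig` is a breaking change for any stored MySQL service connection that uses the old keys; please add a migration note to the docs (old key to `sslConfig.caCertificate` / `sslConfig.sslCertificate` / `sslConfig.sslKey`) and confirm that the `$ref` path `../../../../security/ssl/verifySSLConfig.json#/definitions/sslConfig` resolves from this file's location.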
Expand Up @@ -16,9 +16,7 @@ slug: /main-concepts/metadata-standard/schemas/entity/services/connections/datab
- **`hostPort`** *(string)*: Host and port of the MySQL service.
- **`databaseName`** *(string)*: Optional name to give to the database in OpenMetadata. If left blank, we will use default as the database name.
- **`databaseSchema`** *(string)*: Database Schema of the data source. This is optional parameter, if you would like to restrict the metadata reading to a single schema. When left blank, OpenMetadata Ingestion attempts to scan all the schemas.
- **`sslCA`** *(string)*: Provide the path to ssl ca file.
- **`sslCert`** *(string)*: Provide the path to ssl client certificate file (ssl_cert).
- **`sslKey`** *(string)*: Provide the path to ssl client certificate file (ssl_key).
- **`sslConfig`** *(string)*: Provide the config for SSL.
- **`connectionOptions`**: Refer to *../connectionBasicType.json#/definitions/connectionOptions*.
- **`connectionArguments`**: Refer to *../connectionBasicType.json#/definitions/connectionArguments*.
- **`supportsMetadataExtraction`**: Refer to *../connectionBasicType.json#/definitions/supportsMetadataExtraction*.
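Review bot: `sslConfig` is listed as *(string)*, but the schema hunk above defines it as a `$ref` to an object (`verifySSLConfig.json#/definitions/sslConfig`) holding `caCertificate`, `sslCertificate` and `sslKey`; document it as an object and list those sub-keys, in the "Refer to *...*" form the other `$ref` fields on this page already use.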