Merge branch 'main' into feat/issue-12787-hive-metastore-mssql-oracle

Author: SaaiAravindhRaja

.github/workflows/playwright-sso-login-nightly.yml

@@ -0,0 +1,145 @@
+#  Copyright 2025 Collate
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#  http://www.apache.org/licenses/LICENSE-2.0
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+name: SSO Login Nightly
+
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+    inputs:
+      sso_provider:
+        description: 'SSO provider (or "all")'
+        required: true
+        default: okta
+        type: choice
+        options:
+          - okta
+          - keycloak-azure-saml
+          - all
+
+permissions:
+  contents: read
+
+concurrency:
+  group: sso-login-nightly-${{ github.event.inputs.sso_provider || 'scheduled' }}
+  cancel-in-progress: true
+
+jobs:
+  # To onboard a new provider:
+  #   1. Add a matrix entry below (`name` is the lowercase provider id used by
+  #      the Playwright helper; `env_prefix` is the uppercase/underscore form
+  #      used to look up credentials). Also add `name` to the dispatch
+  #      `options:` list above.
+  #   2. Add <ENV_PREFIX>_SSO_USERNAME (variable) and <ENV_PREFIX>_SSO_PASSWORD
+  #      (variable) to the `test` environment. Use a secret instead of a
+  #      variable for the password if the provider uses a real (non-fixture)
+  #      credential.
+  #   3. Register the helper in playwright/utils/sso-providers/index.ts.
+  sso-login:
+    runs-on: ubuntu-latest
+    environment: test
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix:
+        provider:
+          ${{ (github.event_name == 'schedule' || github.event.inputs.sso_provider == 'all')
+          && fromJSON('[{"name":"okta","env_prefix":"OKTA"},{"name":"keycloak-azure-saml","env_prefix":"KEYCLOAK_AZURE_SAML"}]')
+          || (github.event.inputs.sso_provider == 'keycloak-azure-saml'
+              && fromJSON('[{"name":"keycloak-azure-saml","env_prefix":"KEYCLOAK_AZURE_SAML"}]')
+              || fromJSON('[{"name":"okta","env_prefix":"OKTA"}]')) }}
+    steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: false
+          swap-storage: true
+          docker-images: false
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Cache Maven Dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Setup OpenMetadata Test Environment
+        uses: ./.github/actions/setup-openmetadata-test-environment
+        with:
+          python-version: '3.10'
+          args: '-d postgresql -i false'
+          ingestion_dependency: 'all'
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: 'openmetadata-ui/src/main/resources/ui/.nvmrc'
+
+      - name: Install dependencies
+        working-directory: openmetadata-ui/src/main/resources/ui/
+        run: yarn --ignore-scripts --frozen-lockfile
+
+      - name: Install Playwright Browsers
+        run: npx playwright@1.57.0 install chromium --with-deps
+
+      - name: Start Keycloak SAML IdP
+        if: startsWith(matrix.provider.name, 'keycloak-')
+        run: |
+          docker compose -f docker/local-sso/keycloak-saml/docker-compose.yml up -d
+          timeout 180 bash -c 'until curl -fsS http://localhost:8080/realms/om-azure-saml >/dev/null; do sleep 2; done'
+
+      - name: Run SSO Login Spec
+        working-directory: openmetadata-ui/src/main/resources/ui
+        env:
+          SSO_PROVIDER_TYPE: ${{ matrix.provider.name }}
+          SSO_USERNAME: ${{ vars[format('{0}_SSO_USERNAME', matrix.provider.env_prefix)] }}
+          SSO_PASSWORD: ${{ vars[format('{0}_SSO_PASSWORD', matrix.provider.env_prefix)] || secrets[format('{0}_SSO_PASSWORD', matrix.provider.env_prefix)] }}
+          KEYCLOAK_SAML_BASE_URL: http://localhost:8080
+          PLAYWRIGHT_IS_OSS: true
+        run: |
+          npx playwright test playwright/e2e/Auth/SSOLogin.spec.ts \
+            --project=sso-auth \
+            --workers=1
+
+      - name: Upload HTML report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sso-login-html-report-${{ matrix.provider.name }}
+          path: openmetadata-ui/src/main/resources/ui/playwright/output/playwright-report
+          retention-days: 5
+
+      - name: Send Slack Notification
+        if: always()
+        working-directory: openmetadata-ui/src/main/resources/ui
+        env:
+          RUN_TITLE: "SSO Login Nightly: ${{ matrix.provider.name }} (${{ github.ref_name }})"
+          RUN_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          SLACK_BOT_USER_OAUTH_TOKEN: ${{ secrets.E2E_SLACK_BOT_OAUTH_TOKEN }}
+        run: |
+          npx playwright-slack-report -c playwright/slack-cli.config.json -j playwright/output/results.json > slack_report.json
+
+      - name: Clean Up
+        if: always()
+        run: |
+          docker compose -f docker/local-sso/keycloak-saml/docker-compose.yml down --remove-orphans || true
+          cd ./docker/development
+          docker compose down --remove-orphans
+          sudo rm -rf ${PWD}/docker-volume

bootstrap/sql/migrations/native/1.12.0/mysql/postDataMigrationSQLScript.sql

@@ -76,4 +76,3 @@ SET json = JSON_REMOVE(JSON_REMOVE(json, '$.inputPorts'), '$.outputPorts')
 WHERE jsonSchema = 'dataProduct'
   AND (JSON_CONTAINS_PATH(json, 'one', '$.inputPorts')
        OR JSON_CONTAINS_PATH(json, 'one', '$.outputPorts'));
-

bootstrap/sql/migrations/native/1.12.0/postgres/postDataMigrationSQLScript.sql

@@ -110,3 +110,4 @@ SET json = json::jsonb - 'inputPorts' - 'outputPorts'
 WHERE jsonSchema = 'dataProduct'
   AND (json::jsonb ?? 'inputPorts' OR json::jsonb ?? 'outputPorts');
 
+

bootstrap/sql/migrations/native/1.12.6/mysql/postDataMigrationSQLScript.sql

@@ -1 +1,27 @@
--- Placeholder for 1.12.6 MySQL post data migration SQL script
+-- Remove pipeline annotation from service-level, domain-level, and dataProduct-level lineage edges.
+-- These edges incorrectly inherited the pipeline annotation from entity-level lineage, causing service
+-- nodes to appear in entity-level lineage views and the "By Service" view to be empty for pipeline
+-- entities. After this migration, run an Elasticsearch/OpenSearch reindex to update search documents.
+UPDATE entity_relationship
+SET json = JSON_REMOVE(json, '$.pipeline')
+WHERE fromEntity IN ('databaseService', 'messagingService', 'pipelineService', 'dashboardService',
+                     'mlmodelService', 'metadataService', 'storageService', 'searchService', 'apiService',
+                     'driveService')
+  AND toEntity IN ('databaseService', 'messagingService', 'pipelineService', 'dashboardService',
+                   'mlmodelService', 'metadataService', 'storageService', 'searchService', 'apiService',
+                   'driveService')
+  AND relation = 13
+  AND JSON_CONTAINS_PATH(json, 'one', '$.pipeline');
+
+UPDATE entity_relationship
+SET json = JSON_REMOVE(json, '$.pipeline')
+WHERE fromEntity = 'domain' AND toEntity = 'domain'
+  AND relation = 13
+  AND JSON_EXTRACT(json, '$.pipeline') IS NOT NULL;
+
+UPDATE entity_relationship
+SET json = JSON_REMOVE(json, '$.pipeline')
+WHERE fromEntity = 'dataProduct' AND toEntity = 'dataProduct'
+  AND relation = 13
+  AND JSON_EXTRACT(json, '$.pipeline') IS NOT NULL;
+  

bootstrap/sql/migrations/native/1.12.6/postgres/postDataMigrationSQLScript.sql

@@ -1 +1,27 @@
--- Placeholder for 1.12.6 Postgres post data migration SQL script
+-- Remove pipeline annotation from service-level, domain-level, and dataProduct-level lineage edges.
+-- These edges incorrectly inherited the pipeline annotation from entity-level lineage, causing service
+-- nodes to appear in entity-level lineage views and the "By Service" view to be empty for pipeline
+-- entities. After this migration, run an Elasticsearch/OpenSearch reindex to update search documents.
+UPDATE entity_relationship
+SET json = json - 'pipeline'
+WHERE fromentity IN ('databaseService', 'messagingService', 'pipelineService', 'dashboardService',
+                     'mlmodelService', 'metadataService', 'storageService', 'searchService', 'apiService',
+                     'driveService')
+  AND toentity IN ('databaseService', 'messagingService', 'pipelineService', 'dashboardService',
+                   'mlmodelService', 'metadataService', 'storageService', 'searchService', 'apiService',
+                   'driveService')
+  AND relation = 13
+  AND json ?? 'pipeline';
+
+UPDATE entity_relationship
+SET json = json - 'pipeline'
+WHERE fromentity = 'domain' AND toentity = 'domain'
+  AND relation = 13
+  AND json ?? 'pipeline';
+
+UPDATE entity_relationship
+SET json = json - 'pipeline'
+WHERE fromentity = 'dataProduct' AND toentity = 'dataProduct'
+  AND relation = 13
+  AND json ?? 'pipeline';
+

bootstrap/sql/migrations/native/1.12.6/postgres/schemaChanges.sql

@@ -1 +1 @@
--- Placeholder for 1.12.6 Postgres schema changes
+-- Placeholder for 1.12.6 PostgreSQL schema changes

conf/openmetadata.yaml

@@ -162,6 +162,16 @@ qos:
   maxSuspendedRequestCount: ${QOS_MAX_SUSPENDED_REQUEST_COUNT:-1000}
   maxSuspendSeconds: ${QOS_MAX_SUSPEND_SECONDS:-30}
 
+cacheMemory:
+  # Entity JSON caches (CACHE_WITH_ID, CACHE_WITH_NAME) — weight-based eviction.
+  # Entity JSON can range from 1KB to 2MB+. Increase on high-memory deployments for better hit rates.
+  entityCacheMaxSizeBytes: ${ENTITY_CACHE_MAX_SIZE_BYTES:-104857600}  # 100 MB
+  entityCacheTTLSeconds: ${ENTITY_CACHE_TTL_SECONDS:-30}
+  # Auth caches (user context + policies) — TTLs hardcoded (2min policies, 15min user context)
+  authCacheMaxEntries: ${AUTH_CACHE_MAX_ENTRIES:-5000}
+  # RBAC query cache (OpenSearch role-based access control query DSL)
+  rbacCacheMaxEntries: ${RBAC_CACHE_MAX_ENTRIES:-5000}
+
 # Logging settings.
 # https://logback.qos.ch/manual/layouts.html#conversionWord
 # Set LOG_FORMAT=json for structured logs. The default text format preserves legacy output.

docker/docker-compose-openmetadata/env-mysql

@@ -143,7 +143,7 @@ SMTP_SERVER_STRATEGY="SMTP_TLS"
 OM_RESOURCE_PACKAGES="[]"
 OM_EXTENSIONS="[]"
 # Heap OPTS Configurations
-OPENMETADATA_HEAP_OPTS="-Xmx1G -Xms1G"
+OPENMETADATA_HEAP_OPTS="-Xmx2G -Xms256M -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:+HeapDumpOnOutOfMemoryError"
 # Application Config
 CUSTOM_LOGO_URL_PATH=""
 CUSTOM_MONOGRAM_URL_PATH=""

docker/docker-compose-openmetadata/env-postgres

@@ -143,7 +143,7 @@ SMTP_SERVER_STRATEGY="SMTP_TLS"
 OM_RESOURCE_PACKAGES="[]"
 OM_EXTENSIONS="[]"
 # Heap OPTS Configurations
-OPENMETADATA_HEAP_OPTS="-Xmx1G -Xms1G"
+OPENMETADATA_HEAP_OPTS="-Xmx2G -Xms512M -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:+HeapDumpOnOutOfMemoryError"
 # Application Config
 CUSTOM_LOGO_URL_PATH=""
 CUSTOM_MONOGRAM_URL_PATH=""

docker/local-sso/keycloak-saml/README.md

@@ -0,0 +1,22 @@
+# Keycloak SAML Fixture
+
+Local SAML IdP fixture for the Playwright SSO login spec.
+
+```bash
+docker compose -f docker/local-sso/keycloak-saml/docker-compose.yml up -d
+```
+
+It imports one realm for an OpenMetadata server running at `http://localhost:8585`:
+
+- `om-azure-saml`
+  - User: `azure.saml@openmetadata.local`
+  - Password: `OpenMetadata@123`
+
+Use the matching Playwright provider type:
+
+```bash
+SSO_PROVIDER_TYPE=keycloak-azure-saml \
+SSO_USERNAME=azure.saml@openmetadata.local \
+SSO_PASSWORD=OpenMetadata@123 \
+npx playwright test playwright/e2e/Auth/SSOLogin.spec.ts --project=sso-auth --workers=1
+```