Disable Role Selection for SSO-Enabled Data Sources
Applies to customer-managed instances of Alation
Available from release 2021.2
By default, users connecting to SSO-enabled data sources must select a role if the SAML assertion response returns multiple roles. Role selection can be disabled at the level of the AuthService configuration object. This means that it is disabled for all data sources configured to use this AuthService configuration.
When role selection is disabled, the data source driver assumes the first role from the list of roles returned in the SAML response from the IdP unless a specific role is included in the Compose connection URI. For example, for Amazon Athena data sources, the user who creates the connection can include the preferred_role parameter in the URI to specify which role to assume when connected.
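Because the first role in the response becomes the default, the order of roles in the IdP's assertion decides what a connection can do once role selection is disabled. The following added example (not Alation's code) lists the roles in a captured AWS SAML response in document order and reports which one would apply; the sample ARNs are constructed, and treating preferred_role as a role ARN that must appear in the response is an assumption of the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample response (account ID, role and provider names are made up).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:AttributeStatement><saml:Attribute Name="' + AWS_ROLE_ATTR + '">'
    "<saml:AttributeValue>arn:aws:iam::111122223333:role/DataAdmin,"
    "arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>"
    "<saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ExampleIdP,"
    "arn:aws:iam::111122223333:role/AthenaReadOnly</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())


def roles_in_assertion(saml_response_b64):
    """Return role ARNs in document order from a base64 SAML response.

    For inspecting a response captured from your own IdP; it does not verify
    the signature and is not hardened against hostile XML.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # Each value pairs a role ARN with a provider ARN, in either order.
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles.extend(p for p in parts if ":role/" in p)
    return roles


def effective_role(roles, preferred_role=None):
    """Role used when multirole is 'false': preferred_role, else the first."""
    if preferred_role is not None:
        # Assumption: a preferred role absent from the response is an error.
        if preferred_role not in roles:
            raise ValueError("preferred_role is not in the SAML response")
        return preferred_role
    if not roles:
        raise ValueError("SAML response carries no roles")
    return roles[0]
```

With the constructed sample, the default lands on DataAdmin rather than AthenaReadOnly, which is the case to look for before disabling role selection for a configuration.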
Disable Role Selection
1. SSH to the Alation host.
2. Enter the Alation shell and then enter the Django shell:
    sudo /etc/init.d/alation shell
    alation_django_shell
3. To disable role selection, run the code given below, substituting the placeholder values with real values:
    <method> - authentication method used to create the config object, for example aws_iam for AWS data sources
    <name> - name of the AuthService configuration object for which you are disabling role selection
    from auth_client.auth import Client as AuthClient
    AuthClient(<method>).configure(operation='update', config={'config_name':<name>, 'multirole': 'false'})
    Example
    from auth_client.auth import Client as AuthClient
    AuthClient('aws_iam').configure(operation='update', config={'config_name':'my_aws_connection', 'multirole': 'false'})
4. Exit from the Django shell:
    exit
5. Exit from the Alation shell:
    exit
Enable Role Selection
To enable role selection again, run the following in the Django shell, substituting the placeholder values as described above:
from auth_client.auth import Client as AuthClient
AuthClient(<method>).configure(operation='update', config={'config_name':<name>, 'multirole': 'true'})
Example
from auth_client.auth import Client as AuthClient
AuthClient('aws_iam').configure(operation='update', config={'config_name':'my_aws_connection', 'multirole': 'true'})