Authentication Service Add-on
The Authentication Service add-on for the Alation Agent is an optional feature that enables you to integrate the Alation Agent with AWS Secrets Manager for authenticating with your on-premises data sources. With this method, your data source credentials never have to leave your network. For more information on how this works and other options you have, see Integration with AWS Secrets Manager for Data Source Authentication Using OCF Connector.
To use this feature, you must meet the following requirements:
You must be an Alation Cloud Service customer on the cloud-native architecture.
You must be using Alation Agent version 1.7.2.4360 or later. For help installing the Alation Agent, see Install the Alation Agent.
To access AWS Secrets Manager using an IAM instance profile:
  You must be on Alation Cloud Service version 2024.1.4 or later.
  Your Alation Agent must be installed on an Amazon EC2 instance.
  You must install Authentication Service Add-on version 5.14.0.1882 or later on the Alation Agent.
To access AWS Secrets Manager using an IAM user’s credentials:
  You must be on Alation Cloud Service version 2024.1.5 or later.
  You must install Authentication Service Add-on version 5.14.0.1968 or later on the Alation Agent.
You must have a supporting OCF connector installed on the Agent. To find out if a specific connector supports this feature, see the documentation for the specific connector in the Open Connector Framework section.
Note
You can use the Native Data Sources API to migrate a data source from an OCF connector that’s not on an Alation Agent to an OCF connector that is on an Alation Agent.
Authentication Service Add-on Release Notes
Release 5.14.0.1968
Released August 1, 2024
Alation Cloud Service customer on the cloud-native architecture only
The Authentication Service add-on now offers the ability to connect to AWS Secrets Manager using IAM user credentials. This allows you to use the Authentication Service add-on in non-AWS environments. To use this feature, you must be an Alation Cloud Service customer on the cloud-native architecture who has upgraded to Alation 2024.1.5. See Access Secrets Manager from Alation Agent Using an IAM User’s Credentials for more information.
Release 5.14.0.1882
Released July 4, 2024
Alation Cloud Service customer on the cloud-native architecture only
This is the initial release of the Authentication Service add-on for the Alation Agent. In the initial release, integrating with AWS Secrets Manager using an IAM instance profile is supported. To use this feature, you must be an Alation Cloud Service customer on the cloud-native architecture who has upgraded to Alation 2024.1.4. See Access Secrets Manager from Alation Agent Using an IAM Instance Profile for more information.
Note
The Authentication Service add-on has been used internally in Alation Cloud Service itself for some time now. That’s why the version number for the initial external release is already so high.
Install or Update the Authentication Service Add-on on an Alation Agent
To install or update the Authentication Service add-on on an Alation Agent:
If you don’t have the latest plugin yet, contact Alation Support to request it. The plugin is a Docker image named auth-service-docker-image-<plugin-version>.tar.gz.
If needed, transfer the downloaded file to the Agent’s host machine. For example, if you downloaded the plugin file to a Unix-based machine, you could transfer the file using the scp command in Terminal:
scp /local/path/to/auth-service-docker-image-<plugin-version>.tar.gz <ssh-user>@<server-address>:/remote/path/to/agent
On the Agent’s host machine, unzip the .tar.gz file. Example:
gzip -d auth-service-docker-image-<plugin-version>.tar.gz
Install or update the plugin. To install the plugin from scratch, use this command:
sudo kratos addons install auth ./auth-service-docker-image-<plugin-version>.tar
To update the plugin, use this command:
sudo kratos addons update auth ./auth-service-docker-image-<plugin-version>.tar
Restart the Agent:
sudo systemctl restart hydra
Check that the plugin is running. It may take about two minutes for the plugin to start up.
sudo docker ps
In the output of this command, you should see auth listed under IMAGE, and under STATUS it should indicate that the plugin is Up. For example:
CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS                             PORTS                                           NAMES
00d929b2582b   auth                  "java -Dlog4j.config…"   11 seconds ago   Up 10 seconds                      0.0.0.0:11001->11001/tcp, :::11001->11001/tcp   auth
f80e23b27e2a   application_gateway   "/opt/cag"               11 seconds ago   Up 10 seconds (health: starting)                                                   cag
c8c16128644e   proxy                 "/opt/reverseProxy"      12 seconds ago   Up 11 seconds (health: starting)                                                   proxy
8c3d5cfeb3fd   connector_21          "/opt/entrypoint.sh …"   12 seconds ago   Up 12 seconds (health: starting)   127.0.0.1:10021->10021/tcp                      connector21
c8814bcadc3c   agent                 "/opt/agent"             13 seconds ago   Up 12 seconds (health: starting)   127.0.0.1:8080->8080/tcp                        agent
The Authentication Service add-on has now been installed. To troubleshoot the Agent or Authentication Service add-on, see Troubleshoot the Agent.
Check the Authentication Service Add-on’s Status
First log in to the machine where the Alation Agent is running, then run the following command:
sudo docker ps
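A scripted form of the status check used in the installation steps and in this section, as an added example that is not Alation's own tooling: it polls sudo docker ps until the auth image reports Up. The function names, the 180-second default timeout and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the Alation Agent: check whether the
# Authentication Service add-on container is running.

# auth_status reads "IMAGE<TAB>STATUS" lines on stdin, as produced by
#   docker ps --format '{{.Image}}\t{{.Status}}'
# It prints the STATUS of the auth image and returns 0 only when that
# status starts with "Up". A missing or exited container returns 1.
auth_status() {
    as_tab=$(printf '\t')
    as_rc=1
    while IFS="$as_tab" read -r as_image as_state || [ -n "$as_image" ]; do
        if [ "$as_image" = "auth" ]; then
            printf '%s\n' "$as_state"
            case "$as_state" in
                Up*) as_rc=0 ;;
            esac
        fi
        as_image=""
    done
    return "$as_rc"
}

# wait_for_auth polls until the add-on is Up or the timeout expires.
# The page says start-up may take about two minutes; the 180-second
# default is an assumed margin on top of that.
wait_for_auth() {
    wf_timeout="${1:-180}"
    wf_interval="${2:-10}"
    wf_waited=0
    while [ "$wf_waited" -lt "$wf_timeout" ]; do
        if sudo docker ps --format '{{.Image}}\t{{.Status}}' | auth_status >/dev/null; then
            return 0
        fi
        sleep "$wf_interval"
        wf_waited=$((wf_waited + wf_interval))
    done
    echo "auth container not Up after ${wf_timeout}s" >&2
    return 1
}

# Constructed sample input modelled on the example output above.
SAMPLE_UP=$(printf 'auth\tUp 10 seconds\nproxy\tUp 11 seconds (health: starting)\nagent\tUp 12 seconds (health: starting)')
SAMPLE_DOWN=$(printf 'proxy\tUp 11 seconds (health: starting)\nagent\tUp 12 seconds (health: starting)')
```

After sourcing the file, call wait_for_auth following sudo systemctl restart hydra; a non-zero exit means the add-on did not reach Up within the timeout.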
Stop the Authentication Service Add-on
To stop the Authentication Service add-on, you must stop the entire Agent. First log in to the machine where the Alation Agent is running, then run the following command:
sudo systemctl stop hydra