SSO Authentication for Amazon DynamoDB Data Source¶
Applies from release 2021.1
Perform this configuration for the Amazon DynamoDB Data Source after completing the configuration of the IdP and the AuthService:
Important
SSO authentication should be configured for each specific data source. Multiple data sources can use one and the same AuthService configuration object if authentication goes through the same authentication application in the same IdP.
STEP 1: Configure Compose to Use AuthService IAM Plug-in for Amazon DynamoDB¶
Alation recommends using a JDBC driver for Amazon DynamoDB developed by CData: Amazon DynamoDB. The steps below apply if you are using the driver recommended by Alation.
You need to know the ID of your Amazon DynamoDB data source. It can be obtained from the URL of the Data Source Catalog page: How to Find Data Source ID.
To perform the configuration:
Use SSH to connect to the Alation host.
Enter the Alation shell:
sudo /etc/init.d/alation shell alation_django_shell
Enter the Django shell:
alation_django_shell
From the Django shell, run the code given below, substituting the placeholder values
<ds_id>
and<config_name>
with the real values. This will create a Compose configuration object for the data source with the given ID.<ds_id>
- Data source ID<config_name>
- Theconfig_name
value of the configuration object in the AWS IAM plug-in of AuthService that has been created for your IdP.
AuthServiceConfiguration.objects.create(ds=DataSource.objects.get(id=<ds_id>),method_name='aws_iam',config_name='<config_name>')
Still in the Django shell, run the following code, substituting the placeholder value
<ds_id>
with your data source ID value. Note that this configuration is for the CData JDBC driver for DynamoDB recommended by Alation:confs = AuthServiceConfiguration.objects.filter(ds_id=<ds_id>).all() c = confs[0] ## Now change the above default jdbc_config to the following: c.jdbc_config['auth_obj_to_jdbc_param_map'] = {'AWSAccessKey':'{AWSAccessKey}','AWSSecretKey':'{AWSSecretKey}','AWSSessionToken':'{AWSSessionToken}'} c.jdbc_config['jdbc_uri_enabler_patterns']=['AuthScheme\\=TemporaryCredentials'] c.save()
Exit the Django shell:
exit
.Exit the Alation shell:
exit
.
Step 2: Configure Amazon DynamoDB Data Source Settings in Alation¶
Next, configure the SSO login to Amazon DynamoDB from the catalog and Compose:
Log in to the Alation user interface as a Server Admin or a Data Source Admin for your DynamoDB data source.
Open the Settings > General Settings page of your DynamoDB data source.
Scroll down to the Compose Connections section.
Click +Add on the right and add a new Compose connection:
Give the Connection a meaningful name so that it is recognizable in Compose
Add a new Compose connection URI with the following parameters required to enable redirection flow within Compose:
AuthScheme=TemporaryCredentials
Format:
amazondynamodb:URL=<your_AWS_URL>;SupportsCatalogsInTableDefinitions=True;SupportsSchemasInTableDefinitions=True;AuthScheme=TemporaryCredentials
Example:
amazondynamodb:URL=https://dynamodb.us-east-1.amazonaws.com;SupportsCatalogsInTableDefinitions=True;SupportsSchemasInTableDefinitions=True;AuthScheme=TemporaryCredentials
Note
Specifying a role in the connection URI is not supported. Users will be connected with the first role returned in the assertion response from the IdP.
Test the configuration.
Step 3: Test Configuration¶
You can test with a user account that exists in IdP and has access to the Amazon DynamoDB data source.
Test Connection in Compose¶
Log in to Alation as a user who should be able to access Amazon DynamoDB.
Go to Compose.
Select the SSO-enabled connection URI that was configured in data source Settings > General Settings > Compose Connections.
Click the Reconnect button. The Data Source Authorization dialog should pop up.
Click the link Click here to authorize access before connecting…. A new browser tab should open where you should be redirected to the IdP login page.
Enter the IdP credentials to authenticate.
Upon confirmation, the tab will close and the user will be authenticated in Compose.
If authenticated successfully, run a query against the data source. Subsequent queries in this session should not require any authentication activity until the STS token expires.
If the token request fails, the UI will display an error and connection will not be established. See Troubleshoot SSO Authentication with Amazon Data Sources.
Test Profiling¶
If Dynamic Profiling is enabled for the Amazon DynamoDB data source, you can test it in the following way:
Go to the Alation Catalog and open the Catalog page of a column.
Click Run Profile. The Connect dialog should pop up.
Select the SSO-enabled connection from the list of saved connections.
Click Test Authorization.
A new browser tab should open where you will be redirected to the IdP login page.
Enter your IdP credentials to authenticate.
Upon authentication, the tab will close and the user will be able to profile the column.
Test Data Upload¶
Similarly, you can test the Data Upload to your Amazon DynamoDB data source.
Go the the DynamoDB data source page in the catalog.
On the upper right, click More, and then click Upload Data.
Try to test-upload a table: the authentication flow should be the same as described above in Test Profiling.