Authentication Service Add-on
Applies only to Alation Cloud Service on the cloud-native architecture.
The Authentication Service add-on for the Alation Agent is an optional feature that enables you to integrate the Alation Agent with AWS Secrets Manager for authenticating with your on-premises data sources. With this method, your data source credentials never have to leave your network. For more information on how this works and other options you have, see Integration with AWS Secrets Manager for Data Source Authentication Using OCF Connector.
To use this feature, you must meet the following requirements:
You must be an Alation Cloud Service customer on the cloud-native architecture.
You must be using Alation Agent version 1.7.2.4360 or later. For help installing the Alation Agent, see Install the Alation Agent.
To access AWS Secrets Manager using an IAM instance profile:
You must be on Alation Cloud Service version 2024.1.4 or later.
Your Alation Agent must be installed on an Amazon EC2 instance.
You must install Authentication Service Add-on version 5.14.0.1882 or later on the Alation Agent.
To access AWS Secrets Manager using an IAM user’s credentials:
You must be on Alation Cloud Service version 2024.1.5 or later.
You must install Authentication Service Add-on version 5.14.0.1968 or later on the Alation Agent.
You must have a supporting OCF connector installed on the Agent. To find out if a specific connector supports this feature, see the documentation for the specific connector in the Open Connector Framework (OCF) Overview section.
Note
You can use the Native Data Sources API to migrate a data source from an OCF connector that’s not on an Alation Agent to an OCF connector that is on an Alation Agent.
Authentication Service Add-on Release Notes
Release 5.14.0.2249
Released January 23, 2025
We fixed a bug that could cause metadata extraction (MDE) to fail for the AWS Glue OCF connector after the Alation instance is restarted. (AL-180578)
Release 5.14.0.2221
Released November 21, 2024
We have patched some dependencies to address security vulnerabilities. (AL-174562)
Release 5.14.0.2169
Released September 25, 2024
The Authentication Service add-on logs will now include:
The tenantid of the Alation instance that the Alation Agent is connected to.
The agentid of the Alation Agent that is running the Authentication Service add-on.
(AL-169979)
Release 5.14.0.2058
Released August 28, 2024
We have updated the format of the Authentication Service add-on logs to make them easier to parse and more consistent with the format of other Alation logs.
The structure of the header section is always the same. The following fields are included in the header section for consistency with other Alation components but are not used by the Authentication Service add-on:
The instanceurl field is not used and is always empty.
The tenantid field is not used and is always set to FAKE_TENANT_ID.
The structure of the data section depends on the message.
Example log message:
{
  "header": {
    "appname": "authservice",
    "instanceurl": "",
    "loglevel": "INFO",
    "tenantid": "FAKE_TENANT_ID",
    "timestamp": "2024-08-12T16:51:15.987Z"
  },
  "data": {
    "msg": "Reading all the configurations for a plugin: aws_scm",
    "logger": {
      "name": "alation.authserver.configuration.ConfigManager",
      "fqcn": "org.apache.log4j.Category"
    },
    "thread": {
      "name": "grpc-default-executor-0",
      "id": 16,
      "priority": 5
    },
    "source": {
      "className": "alation.authserver.configuration.ConfigManager",
      "fileName": "ConfigManager.java",
      "methodName": "readAll",
      "lineNumber": 233
    }
  }
}
(AL-120676)
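The following is an added example, not Alation's code: a Python normalizer for this log format that keeps the fixed header fields, treats everything in the data section as optional, and turns the FAKE_TENANT_ID placeholder or an empty tenantid into None so that it is never used as a correlation key in a log pipeline. It assumes one JSON object per line; the output field names and the second and third sample lines are constructed for illustration.

```python
import json
from datetime import datetime, timezone

PLACEHOLDER_TENANT = "FAKE_TENANT_ID"  # header placeholder documented above

def normalize(line):
    """Flatten one log line; return None if it lacks the header/data shape."""
    try:
        rec = json.loads(line)
        header, data = rec["header"], rec["data"]
        ts = datetime.strptime(header["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    src = data.get("source")  # data varies by message, so its fields are optional
    origin = None
    if isinstance(src, dict):
        origin = "%s.%s:%s" % tuple(src.get(k) for k in ("className", "methodName", "lineNumber"))
    tenant = header.get("tenantid")
    return {
        "time": ts.replace(tzinfo=timezone.utc),  # trailing Z means UTC
        "level": header.get("loglevel"),
        # Placeholder or empty values become None, never a join key.
        "tenant": None if tenant in (None, "", PLACEHOLDER_TENANT) else tenant,
        "msg": data.get("msg"),
        "origin": origin,
    }

def load(lines):
    """Return (records, skipped_count) for an iterable of raw log lines."""
    recs = [normalize(l) for l in lines]
    return [r for r in recs if r], sum(r is None for r in recs)

SAMPLE = [
    # The page's example message with logger, thread and fileName omitted.
    '{"header": {"appname": "authservice", "instanceurl": "", "loglevel": "INFO",'
    ' "tenantid": "FAKE_TENANT_ID", "timestamp": "2024-08-12T16:51:15.987Z"}, "data":'
    ' {"msg": "Reading all the configurations for a plugin: aws_scm", "source": {"className":'
    ' "alation.authserver.configuration.ConfigManager", "methodName": "readAll", "lineNumber": 233}}}',
    # Constructed: populated tenantid, data section without "source".
    '{"header": {"appname": "authservice", "loglevel": "WARN", "tenantid": "tenant-example",'
    ' "timestamp": "2024-09-26T08:00:00.000Z"}, "data": {"msg": "constructed message"}}',
    # Constructed: a non-JSON line, such as a stray stack-trace fragment.
    "\tat example.Constructed.method(Constructed.java:1)",
]

if __name__ == "__main__":
    records, skipped = load(SAMPLE)
    print(len(records), "records,", skipped, "skipped;", records[0]["origin"])
```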
Release 5.14.0.1968
Released July 25, 2024
The Authentication Service add-on now offers the ability to connect to AWS Secrets Manager using IAM user credentials. This allows you to use the Authentication Service add-on in non-AWS environments. To use this feature, you must be an Alation Cloud Service customer on the cloud-native architecture who has upgraded to Alation 2024.1.5. See Access Secrets Manager from Alation Agent Using an IAM User’s Credentials for more information.
Release 5.14.0.1882
Released July 16, 2024
This is the initial release of the Authentication Service add-on for the Alation Agent. In the initial release, integrating with AWS Secrets Manager using an IAM instance profile is supported. To use this feature, you must be an Alation Cloud Service customer on the cloud-native architecture who has upgraded to Alation 2024.1.4. See Access Secrets Manager from Alation Agent Using an IAM Instance Profile for more information.
Note
The Authentication Service add-on has been used internally in Alation Cloud Service itself for some time now. That’s why the version number for the initial external release is already so high.
Install or Update the Authentication Service Add-on on an Alation Agent
To install or update the Authentication Service add-on on an Alation Agent:
If you don’t have the latest plugin yet, contact Alation Support to request it. The plugin is a Docker image named auth-service-docker-image-<plugin-version>.tar.gz.
If needed, transfer the downloaded file to the Agent’s host machine. For example, if you downloaded the plugin file to a Unix-based machine, you could transfer the file using the scp command in Terminal:
scp /local/path/to/auth-service-docker-image-<plugin-version>.tar.gz <ssh-user>@<server-address>:/remote/path/to/agent
On the Agent’s host machine, unzip the .tar.gz file. Example:
gzip -d auth-service-docker-image-<plugin-version>.tar.gz
Install or update the plugin. To install the plugin from scratch, use this command:
sudo kratos addons install auth ./auth-service-docker-image-<plugin-version>.tar
To update the plugin, use this command:
sudo kratos addons update auth ./auth-service-docker-image-<plugin-version>.tar
Restart the Agent:
sudo systemctl restart hydra
Check that the plugin is running. It may take about two minutes for the plugin to start up.
sudo docker ps
In the output of this command, you should see auth listed under IMAGE, and under STATUS it should indicate that the plugin is Up. For example:
CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS                             PORTS                                           NAMES
00d929b2582b   auth                  "java -Dlog4j.config…"   11 seconds ago   Up 10 seconds                      0.0.0.0:11001->11001/tcp, :::11001->11001/tcp   auth
f80e23b27e2a   application_gateway   "/opt/cag"               11 seconds ago   Up 10 seconds (health: starting)                                                   cag
c8c16128644e   proxy                 "/opt/reverseProxy"      12 seconds ago   Up 11 seconds (health: starting)                                                   proxy
8c3d5cfeb3fd   connector_21          "/opt/entrypoint.sh …"   12 seconds ago   Up 12 seconds (health: starting)   127.0.0.1:10021->10021/tcp                      connector21
c8814bcadc3c   agent                 "/opt/agent"             13 seconds ago   Up 12 seconds (health: starting)   127.0.0.1:8080->8080/tcp                        agent
The Authentication Service add-on has now been installed. To troubleshoot the Agent or Authentication Service add-on, see Troubleshoot the Agent.
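For unattended installs or updates, the final check can be scripted. The following is an added example, not part of Alation's tooling: it polls docker ps after the restart until the container named auth (the name shown in the NAMES column above) reports Up, and exits non-zero otherwise. The 150-second timeout and 10-second interval are assumptions chosen to cover the roughly two-minute startup, and the state labels are hypothetical.

```python
import subprocess
import time

# -a also lists stopped containers; the format string yields "name<TAB>status".
PS_CMD = ["sudo", "docker", "ps", "-a", "--format", "{{.Names}}\t{{.Status}}"]

def addon_state(ps_output, name="auth"):
    """Classify the add-on container from 'name<TAB>status' lines."""
    for line in ps_output.splitlines():
        cname, _, status = line.partition("\t")
        if cname.strip() != name:
            continue
        if not status.startswith("Up"):
            return "down"  # for example Exited, Restarting or Created
        if "(health: starting)" in status:
            return "starting"
        if "(unhealthy)" in status:
            return "unhealthy"
        return "up"
    return "missing"

def run_ps():
    """Run docker ps and return its stdout; raises if the command fails."""
    return subprocess.run(PS_CMD, capture_output=True, text=True, check=True).stdout

def wait_for_addon(timeout=150, interval=10, ps=run_ps, sleep=time.sleep):
    """Poll until the auth container is up; return the last state seen."""
    polls = max(1, timeout // interval)
    state = "missing"
    for attempt in range(polls):
        state = addon_state(ps())
        if state == "up":
            return state
        if attempt < polls - 1:
            sleep(interval)
    return state

if __name__ == "__main__":
    final = wait_for_addon()
    print("auth add-on state:", final)
    raise SystemExit(0 if final == "up" else 1)
```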
Check the Authentication Service Add-on’s Status
First log into the machine where the Alation Agent is running, then run the following command:
sudo docker ps
Stop the Authentication Service Add-on
To stop the Authentication Service add-on, you must stop the entire Agent. First log into the machine where the Alation Agent is running, then run the following command:
sudo systemctl stop hydra