Disable or Enable User Credentials Storage

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

Applies from release 2020.4

By default, user credentials for data source authentication are persistently stored on the Alation server. Users are required to authenticate when they run queries in Compose and perform other Catalog operations that require a database connection.

Note

User credentials are only stored for data sources for which OAuth is not enabled.

User credentials storage can be disabled to activate the Transient User Credentials mode for authentication. In the Transient mode, database credentials that users enter in Compose and the Catalog are not stored on the Alation server. Credentials have to be entered every time a connection to a database is established for:

  • Running queries in Compose

  • Running query forms in the Catalog

  • Running Dynamic Profiles in the Catalog

  • Data upload in the Catalog

To disable storage of user credentials, use the alation_conf command to set the parameter alation.datasource_auth.credentials.storage_mode to 1. This requires the role of a Server Admin and SSH access to the Alation server.

Note

Alation Cloud Service customers can request server configuration changes through Alation Support.

The Transient mode can be enabled for user credentials only. It does not apply to the service account credentials that are used to connect to the data source from the Catalog and to extract metadata. When enabled, the Transient mode affects all data sources at once. It cannot be enabled or disabled for individual data sources.

To disable storage of database user credentials and enable the Transient Credentials mode:

  1. SSH to the Alation server.

  2. Enter the Alation shell:

    sudo /etc/init.d/alation shell
    
  3. Using the alation_conf utility, set the value of the parameter alation.datasource_auth.credentials.storage_mode to 1:

    alation_conf alation.datasource_auth.credentials.storage_mode -s 1
    
  4. Restart the UWSGI and Celery components:

    alation_supervisor restart web:uwsgi celery:*
    
  5. Exit the shell: exit

Note

Switching to the Transient Credentials mode on an instance does not automatically remove user credentials that are already stored under User Profile > DB Connections.

The alation.datasource_auth.credentials.storage_mode parameter accepts two values: 1 and 0:

  • 1: Transient mode (storage of credentials disabled)

  • 0: Persistent mode (storage of credentials enabled).

If you wish to return to the Persistent mode and store the credentials on the Alation server, set the value to 0.

In the Transient Credentials mode, the credentials that users enter for database authentication can be reused until a page refresh occurs. The expiration of database connections defaults to 1 hour and can be controlled with the alation_conf parameter alation.query_exec.keep_alive_timeout. The alation.query_exec.keep_alive_timeout is set in seconds, the default value being 3600.