Disable or Enable User Credentials Storage¶
Applies from release 2020.4
By default, user credentials for data source authentication are persistently stored on the Alation server. Users are required to authenticate when they run queries in Compose and perform other Catalog operations that require a database connection.
User credentials are only stored for data sources for which OAuth is not enabled.
User credentials storage can be disabled to activate the Transient User Credentials mode for authentication. In the Transient mode, database credentials that users enter in Compose and the Catalog are not stored on the Alation server. Credentials have to be entered every time a connection to a database is established for:
Running queries in Compose
Running query forms in the Catalog
Running Dynamic Profiles in the Catalog
Data upload in the Catalog
To disable storage of user credentials, use the alation_conf command to set the parameter
alation.datasource_auth.credentials.storage_mode to 1. This requires the role of a Server Admin and SSH access to the Alation server.
The Transient mode can be enabled for user credentials only. It does not apply to the service account credentials that are used to connect to the data source from the Catalog and to extract metadata. When enabled, the Transient mode affects all data sources at once. It cannot be enabled or disabled for individual data sources.
To disable storage of database user credentials and enable the Transient Credentials mode:
SSH to the Alation server.
Enter the Alation shell:
sudo /etc/init.d/alation shell
Using the alation_conf utility, set the value of the parameter
alation_conf alation.datasource_auth.credentials.storage_mode -s 1
Restart the UWSGI and Celery components:
alation_supervisor restart web:uwsgi celery:*
Exit the shell:
Switching to the Transient Credentials mode on an instance does not automatically remove user credentials that are already stored under User Profile > DB Connections.
alation.datasource_auth.credentials.storage_mode parameter accepts two values: 1 and 0:
1: Transient mode (storage of credentials disabled)
0: Persistent mode (storage of credentials enabled).
If you wish to return to the Persistent mode and store the credentials on the Alation server, set the value to 0.
In the Transient Credentials mode, the credentials that users enter for database authentication can be reused until a page refresh occurs. The expiration of database connections defaults to 1 hour and can be controlled with the alation_conf parameter
alation.query_exec.keep_alive_timeout is set in seconds, the default value being 3600.