
Feature: Support database users in ASOv2

Open matthchr opened this issue 3 years ago • 3 comments

We should support MySQL, PostgreSQL and AzureSQL users like we do in ASOv1.

This will require designing and implementing manual reconcilers for the first time in ASOv2, so we may need to do some design work there.

matthchr avatar Mar 01 '22 23:03 matthchr

Make sure if we are using ASOv1 users as a template to refer to MySQL and not Postgres/AzureSQL. MySQL has been updated in accordance with #1346 while the others have not.

matthchr avatar Mar 08 '22 00:03 matthchr

Also see #1353, which said this:

Describe the current behavior:
"Normal" SQL users (MySQLUser, AzureSQLUser) assume that there is a secret stored in a KeyVault which has the administrator account name and password for the database. This account is always used to manage database users. This presents problems when the server wasn't created by ASO because those secrets don't exist (since we didn't create them). Customers can in theory create the secrets for us, but their format and field names are not well documented.

Describe the improvement:
When ASO is deployed in Service Principal mode, there is no alternative to the above, so we likely need to live with that reality. In MSI mode though the MSI identity which ASO is running as can be added as the "AAD Administrator" of the database. The MSI can then be used to create both AAD and non-AAD users.

In MSI mode we should either:

1. Require that users make the ASO MSI identity the AAD administrator of the database for user creation to work (we already require this for creating AAD users but not for creating normal database users).
2. Check if we're the AAD administrator and if we are, use that path rather than the KV secrets path.

I'm currently inclined towards option 1.

matthchr avatar Mar 08 '22 00:03 matthchr

Also see #1147, which discusses some of the flaws and risks (possible SQL injection) to the way database users were implemented in ASOv1. We should strive to avoid that in ASOv2 when we port.

matthchr avatar Mar 08 '22 00:03 matthchr
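The SQL injection risk referenced above comes from the fact that PostgreSQL's CREATE ROLE and MySQL's CREATE USER do not take bind parameters for the role name, so a port that interpolates the Kubernetes resource's username and password fields straight into DDL is exploitable by anyone who can create the user CRD. The following is an added example (not ASO's own code, in either version) showing the unsafe interpolation beside allow-list validation plus correct identifier and literal quoting for both dialects. The `validName` allow-list, the function names and the constructed hostile inputs are assumptions of this example; it assumes PostgreSQL's default `standard_conforming_strings=on` and MySQL's default backslash-escape mode. It only builds statements and does not connect to a database.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Porting pitfall: building DDL by string interpolation. A user name or
// password taken from the CRD lands unquoted in the statement.
func unsafeCreatePostgresUser(name, password string) string {
	return fmt.Sprintf("CREATE ROLE %s WITH LOGIN PASSWORD '%s'", name, password)
}

// validName is an allow-list for user names (an assumption of this example;
// the exact policy is a product decision, but it should exist before quoting).
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// quotePostgresIdent renders a double-quoted PostgreSQL identifier.
func quotePostgresIdent(name string) (string, error) {
	if !validName.MatchString(name) {
		return "", fmt.Errorf("refusing user name %q: not a plain identifier", name)
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// quotePostgresLiteral renders a standard-conforming single-quoted literal:
// embedded single quotes are doubled. NUL is rejected because PostgreSQL
// cannot store it in a text literal, and a silent truncation there would
// change the password actually set.
func quotePostgresLiteral(s string) (string, error) {
	if strings.ContainsRune(s, 0) {
		return "", fmt.Errorf("literal contains a NUL byte")
	}
	return "'" + strings.ReplaceAll(s, "'", "''") + "'", nil
}

// quoteMySQLIdent renders a backtick-quoted MySQL identifier.
func quoteMySQLIdent(name string) (string, error) {
	if !validName.MatchString(name) {
		return "", fmt.Errorf("refusing user name %q: not a plain identifier", name)
	}
	return "`" + strings.ReplaceAll(name, "`", "``") + "`", nil
}

// quoteMySQLLiteral renders a single-quoted MySQL literal. Unlike PostgreSQL,
// MySQL treats backslash as an escape character by default, so backslash
// must be escaped as well as the quote, and NUL is written as \0.
func quoteMySQLLiteral(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `'`, `\'`, "\x00", `\0`)
	return "'" + r.Replace(s) + "'"
}

// safeCreatePostgresUser validates and quotes both fields before use.
func safeCreatePostgresUser(name, password string) (string, error) {
	ident, err := quotePostgresIdent(name)
	if err != nil {
		return "", err
	}
	lit, err := quotePostgresLiteral(password)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("CREATE ROLE %s WITH LOGIN PASSWORD %s", ident, lit), nil
}

// safeCreateMySQLUser does the same for MySQL's user@host form.
func safeCreateMySQLUser(name, host, password string) (string, error) {
	ident, err := quoteMySQLIdent(name)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("CREATE USER IF NOT EXISTS %s@%s IDENTIFIED BY %s",
		ident, quoteMySQLLiteral(host), quoteMySQLLiteral(password)), nil
}

func main() {
	// Constructed hostile inputs: a password that escapes the literal and
	// grants SUPERUSER, and a user name that smuggles a clause.
	fmt.Println(unsafeCreatePostgresUser("alice", "x' SUPERUSER; --"))
	if stmt, err := safeCreatePostgresUser("alice", "x' SUPERUSER; --"); err == nil {
		fmt.Println(stmt)
	}
	if _, err := safeCreatePostgresUser("bob WITH SUPERUSER; --", "pw"); err != nil {
		fmt.Println("rejected:", err)
	}
	if stmt, err := safeCreateMySQLUser("alice", "%", `p\'w`); err == nil {
		fmt.Println(stmt)
	}
}
```

In a real reconciler the quoting helpers would come from the driver (for PostgreSQL, `lib/pq` exposes `QuoteIdentifier` and `QuoteLiteral`), but the allow-list on the name is still worth keeping: it turns a malformed CRD into a clear reconcile error rather than an odd role name on the server.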

Is there already a timeline for the support of PostgreSQL users? We are currently using the operator v1 with a pgsql single server and plan to migrate to v2 with a pgsql flexible server.

johgoe avatar Apr 01 '23 17:04 johgoe

I started to try the implementation myself.

johgoe avatar Apr 02 '23 18:04 johgoe

Closing this as MySQL and PostgreSQL are now supported. AzureSQL is remaining and tracked by #3001.

matthchr avatar May 23 '23 02:05 matthchr