grate icon indicating copy to clipboard operation
grate copied to clipboard

Published 20 hours ago verified publisher icon erikbra

Make sure we support Azure SQL databases with all kinds of strange authentication types

Open erikbra opened this issue 3 years ago • 5 comments

Ref. https://github.com/chucknorris/roundhouse/issues/343

  • Username/password
  • AD username/password
  • AD username/password with MFA
  • Token
  • others?

erikbra avatar Oct 21 '21 21:10 erikbra

I tested that AD username/password with MFA works very well with grate already in Windows. Pass a correct connection string and it will open a web browser where you can login with MFA: --connectionstring="Server=tcp:<somedatabase>.database.windows.net,1433;Initial Catalog=<somedb>;Authentication=Active Directory Interactive"

Using access token requires code changes. Currently --accesstoken is marked as obsolete. Access token login is handy for CI/CD pipelines where a service principal is used and you can just ask for a token and then pass it to grate.

kimjamia avatar Apr 11 '22 19:04 kimjamia

I haven't looked in a while, but I thought you could pass tokens on the conn string?

Eg see https://www.connectionstrings.com/ole-db-driver-for-sql-server/azure-active-directory-authentication-with-access-token/

Does the SqlClient parse this differently to OleDB?

wokket avatar Apr 12 '22 00:04 wokket

I tried passing that connection string to both System.Data.SqlClient.SqlConnection and Microsoft.Data.SqlClientSqlConnection and both first complain:

Keyword not supported: 'provider'

After I remove the "Provider=" part, they both complain:

Keyword not supported: 'access token'.

Neither list Access Token or anything token-related as supported keywords in the documentation.

In both docs, the first sentence is:

The ConnectionString is similar to an OLE DB connection string, but is not identical.

Also neither SqlConnectionStringBuilder have any token-related properties.

There was a similar discussion in RH as well: https://github.com/chucknorris/roundhouse/issues/344

kimjamia avatar Apr 28 '22 15:04 kimjamia

Just following up on this as I've run across it elsewhere: Modern versions of the SqlClient (as used in grate) have baked in support for acquiring and using tokens without requiring more than a connection string. See the MS docco for more info.

wokket avatar Jul 18 '22 22:07 wokket

Nice, thanks, @wokket ! I think this should solve the issue, do you agree, @kimjamia ?

erikbra avatar Jul 23 '22 12:07 erikbra

This should Just Work (TM) as of now, all auth methods should be able to specify in the connection string (see e.g. https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver16)

erikbra avatar Jan 03 '23 23:01 erikbra