Although aad_auth is MySQL plugin and there is theoretical possibility to use CREATE USER ... IDENTIFIED WITH 'aad_auth' AS 'AADUser:objectid:upn:objectname', this is currently not documented solution. As aad_auth is in public preview only, there is no guarantee this command would work.
Therefore I tried to follow documentation and implement Microsoft specific CREATE AADUSER command as much as possible complying with documentation.
What this PR can do:
resource mysql_user {
user = "someuser" # name used to login to MySQL - in Microsoft's documentation it's alias (CREATE AADUSER x AS alias)
auth_plugin = "aad_auth"
aad_identity = "some.user@exampe.onmicrosoft.com"
}
Leads to CREATE AADUSER 'some.user@exampe.onmicrosoft.com'@'localhost' AS 'someuser'
Using @hostname in this statement is undocumented by Microsoft, but works. Microsoft defualts it to % when ommited and it's up to everyone if he will try to use it another way
If someone needs to use user without alias, he has to set user to equal aad_identity what is Microsoft's defaults
Instead of user principal name in aad_identity, there is allowed group name, which then works same as for user principals.
To work for Service principal, there has to be it's Client ID in aad_identity which then leads to query CREATE AADUSER alias@hostname IDENTIFIED BY clientid which is stupid, but it's according to something i found on Microsoft's support.
Nothing stops user to use object id instead of upn's or group names, but this would break import/refresh of this users as using object id for theese identity types are not suported by Microsoft's documentation
Only thing, where I depend on authentication data is in import, where I parse it back to aad_identity
I did not wrote any tests of auth_plugin = aad_auth since I don't know if there is any possibility to run them in pipeline then as CREATE AADUSER is supported only in Azure managed servers.
I'm aware, that code is not nice, I tried above explain why. If you think, it can be improoved, please show me direction and I will try to do my best.
petoju
commented
1 year ago
Supports creating users authorized by AzureAD tokens instead of passwords https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication
Although aad_auth is MySQL plugin and there is theoretical possibility to use
CREATE USER ... IDENTIFIED WITH 'aad_auth' AS 'AADUser:objectid:upn:objectname', this is currently not documented solution. As aad_auth is in public preview only, there is no guarantee this command would work.Therefore I tried to follow documentation and implement Microsoft specific
CREATE AADUSERcommand as much as possible complying with documentation.What this PR can do:
Leads to
CREATE AADUSER 'some.user@exampe.onmicrosoft.com'@'localhost' AS 'someuser'@hostnamein this statement is undocumented by Microsoft, but works. Microsoft defualts it to%when ommited and it's up to everyone if he will try to use it another wayuserto equalaad_identitywhat is Microsoft's defaultsaad_identity, there is allowed group name, which then works same as for user principals.aad_identitywhich then leads to queryCREATE AADUSER alias@hostname IDENTIFIED BY clientidwhich is stupid, but it's according to something i found on Microsoft's support.Only thing, where I depend on authentication data is in import, where I parse it back to
aad_identityI did not wrote any tests of
auth_plugin = aad_authsince I don't know if there is any possibility to run them in pipeline then asCREATE AADUSERis supported only in Azure managed servers.I'm aware, that code is not nice, I tried above explain why. If you think, it can be improoved, please show me direction and I will try to do my best.