Postgres with Azure Active Directory Authentication - postgresql

In our organization, we are having common credentials to access the postgres databases, which every developers know, as it is hardcoded in application's connection string. Due to which, whenever a DML/DDL changes happens on databases, it is hard for us trace, as the developers use to make changes on their own. We can't have individual logins for each developers which is tedious to manage.
Note: Also, we can't ensure that the credentials won't be shared with the peer developers.
To get rid of this, we thought of integrating Postgres with Azure Active Directory, for Authentication.
If we can map Azure AD group/users to Postgres, security will be tightened as well as maintenance overhead will also reduce.
But, I couldn't find a article to implement this, since most of the articles says the integration for Azure managed postgresql with Azure AD, and not for the postgres running on VMs.
Can anyone guide me or share a detailed article to implement the Azure AD integration for Postgres running on a VM(IaaS)

In Azure portal go to the postgresql database select Authentication and set active directory admin.
You can specify an Azure AD group instead of an individual user to have multiple administrators.
Connecting to postgresql :
1.Login to Azure subscription.
2.Get the access token of the postgresql serverusing below command:
az account get-access-token --resource https://ossrdbms-aad.database.windows.net
3.Use that token as password for login with postgresql server.
Creating user
CREATE USER "user1#yourtenant.onmicrosoft.com" IN ROLE azure_ad_user;
Token validation:
Token is signed by Azure AD and has not been tampered with
Token was issued by Azure AD for the tenant associated with the server
Token has not expired
Token is for the Azure Database for PostgreSQL resource (and not another Azure resource)
Reference Link: Use Azure Active Directory - Azure Database for PostgreSQL - Single Server | Microsoft Learn

Using Azure Active Directory is a great idea for the reasons you specified, but unfortunately there's no native support for connection to Azure Active Directory with a local Postgres database (which is essentially what you have with Postgres in a VM). It can be done through the LDAP protocol, however.
FULL DISCLOSURE: I haven't actually done this part myself (or used the steps in the tutorial link), but this is my understanding from working with system operators. Use LDAP to connect to Azure AD then Postgres to connect via LDAP. More information on LDAP authentication in Postgres can be found here.
Bhavani's answer is about Azure Database for PostgreSQL, which is a Azure-native database service. This part I have used and I highly recommend it; you get Azure AD integration and can manage the database performance and connectivity specifically without having to also manage VM performance. Note that their screenshot is for the Flexible Server while the reference link says 'Single Server'; I recommend Flexible Server.

Related

Create Service Principle Connection from Crystal Reports to Azure Synapse Analytics

I have data held in an Azure Data Lake Gen 2 storage container. I would like to provision this data for an existing report authored in Crystal Reports using SQL on demand.
During development I used my own Azure AD login via an ODBC connection on my local machine. I have access to the Synapse environment and also the data lake. This worked successfully and although slow, pulled all information required.
To deploy this solution correctly I need to remove my AAD creds and use a provisioned service principle. I have given the service principle to read from the data lake and also added the principle to the SQL database. Now I am stuck on how to use the principle to connect to Crystal Reports.
I have tried the same authentication type as with my AAD but now I am using a clientID not a email. So when the system prompts for connection details it wants you to sign in and does not accept the clientID.
Does anyone have any suggestions on how to connect to Crystal Reports using this way or any other way?
Also: My org does not want this user or app reg to have restricted permissions so therefore adding them to the RBAC "synapse admin" wont work.
Thanks
Tom
Found a way around this.
Create a service account user on Azure Portal. Head to Synapse Analytics and open blank SQL script to give the user minimal permissions.
*USE [master]*
CREATE LOGIN [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
GRANT CONNECT ANY DATABASE TO [serviceaccountsynapseuser#company.onmicrosoft.com]
GRANT SELECT ALL USER SECURABLES TO [serviceaccountsynapseuser#company.onmicrosoft.com]
*USE [Reporting] (Serverless SQL DB)*
CREATE USER [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [serviceaccountsynapseuser#company.onmicrosoft.com]
Finally head to the storage account and give the user storage blob reader role.

Azure Postgres AD Authentication

We are looking at having multiple databases in a Single Server setting on Azure Database for Postgres SQL.
Per documentation at Microsoft
Customers can manage database permissions using external (Azure AD)
groups.
Azure AD authentication uses PostgreSQL database roles to
authenticate identities at the database level
Support of token-based
authentication for applications connecting to Azure Database for
PostgreSQL
Has anyone tried doing this i.e. databaseA and databaseB with permission to ADGroupA and ADGroupB respectively, under single Azure DB server instance ? Does this give complete data isolation between the different databaseA and databaseB ?
Yes, you can use 2 separate AD groups on 2 different databases for access control on a single server. Two different users will have access to their own database.

Using DB2 on Windows 10 computer with PIN instead of password (Azure AD accounts)

I'm new to DB2 database. I installed DB2 Express-C on my local machine (Windows 10) to play with it, and I created a sample database.
If I understand correctly, DB2 uses Windows accounts for access to database. The installation created a db2admin user, but this one does not have access to the sample database. So my understanding is that my Windows account has access to this database.
So here is the problem. My company uses Azure Active Directory accounts, using Windows Hello to log in - that means, using a PIN to log in instead of a password (meaning my password does not work for login). However, if I want to connect to the database, I need to do this with my account's password. How can I do this? Do I need to create a local account on my machine instead of using Azure account?
If you are able to create a local-user on your workstation, and assign it a password, and ensure it is a member of local groups DB2USERS (and optionally) DB2ADMNS if those local-groups exist, that is likely to be the easiest option.
You may need to have Windows local-administrative rights to be able to perform those actions.
You can then connect to any local Db2-databases with that local-account and its password (regardless of how you sign-in to Windows).
If you allowed Db2-installation to create local user db2admin (and give it a password) then that local-account is also able to connect to local Db2-databases, including the SAMPLE database. So it's unclear why you write that db2admin account does not have access to SAMPLE database. As long as db2admin has a valid password then that account can connect to SAMPLE if all default settings are active.
Db2-LUW is able to integrate with Active-Directory provided pre-requisites are met and special configuration is performed, see documentation. But unless you have special security plugins for Db2, then any account that wants to connect to local Db2-databases will need a password. With special security plugins, other forms of authentication are possible.
Windows 10 Azure account login gives license to only one user to access windows account. If you login with db2admin in your windows you might lost azure account I am facing such issues.
Better to communicate with IT team of your company and ask to provide DB2ADMN right to your Azure login user. DB2 install properly but not able to create database permission/authorization issue coming.

How to use Windows credentials to auto login Azure Active Directory managed applications instead of Single Sign-On

After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.

Best practices for setting up developer access to Azure Resources

I would like to find out what the best practices are for managing developers' access to a sub-set of resources on a client's subscription?
I've searched Google and the Azure documentation looking for definitive answers, but I have yet to come across an article that puts it all together. Because Azure is still developing so rapidly I often find it difficult to determine whether a particular article may still be relevant.
To sum up our situation:
I've been tasked with researching and implementing the Azure infrastructure for a web site our company is developing for a client. At the moment our manager and I have access to the client's entire subscription on the Azure Portal by means of the Service Administrator's credentials, even though we're managing only:
Azure Cloud Service running a Web-Role (2-instances with Production and Staging environments).
Azure SQL Database.
Azure Blob Storage for deployments, diagnostics etc.
We're now moving into a phase where more of the developers in the team will require access to perform maintenance type tasks such as performing a VIP swap, retrieving diagnostic info etc.
What is the proper way to manage developer's access on such a project?
The approach I've taken was to implement Role Based Access Control (https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/)
Move 1, 2, and 3 above into a new Resource Group according to http://blog.kloud.com.au/2015/03/24/moving-resources-between-azure-resource-groups/
Creating a new User Group for our company, say "GroupXYZ".
Adding the "GroupXYZ" to the Contributor role.
Adding the particular developer's company accounts to "GroupXYZ"
Motivation for taking the role-based approach
From what I understand giving everyone access as a Co-Administrator would mean that they have full access to every subscription in the portal.
Account-based authentication is preferable to certificate-based authentication due to the complexity added by managing the certificates.
What caused me to question my approach was the fact that I could not perform a VIP swap against the Cloud Service using PowerShell; I received an error message stating that a certificate could not be found.
Do such role-based accounts only have access to Azure by means of the Resource Manager Commandlets?
I had to switch PowerShell to the Azure Service Manager (ASM) Mode before having access to the Move-AzureDeployment commandlet.
Something else I'm not sure of is whether or not Visual Studio will have access to those resources (in the Resource Group) when using Role Based Access Control.
When you apply RBAC to Azure as you have or just in general, give access to an account via RBAC, then those accounts can only access Azure via the Azure Resource Manager APIs, whether that's PowerShell, REST or VS.
VS 2015 can access Azure resources via RBAC when using the 2.7 SDK. VS 2013 will have support for it soon.