We are looking at having multiple databases in a Single Server setting on Azure Database for Postgres SQL.
Per documentation at Microsoft
Customers can manage database permissions using external (Azure AD)
groups.
Azure AD authentication uses PostgreSQL database roles to
authenticate identities at the database level
Support of token-based
authentication for applications connecting to Azure Database for
PostgreSQL
Has anyone tried doing this i.e. databaseA and databaseB with permission to ADGroupA and ADGroupB respectively, under single Azure DB server instance ? Does this give complete data isolation between the different databaseA and databaseB ?
Yes, you can use 2 separate AD groups on 2 different databases for access control on a single server. Two different users will have access to their own database.
Related
In our organization, we are having common credentials to access the postgres databases, which every developers know, as it is hardcoded in application's connection string. Due to which, whenever a DML/DDL changes happens on databases, it is hard for us trace, as the developers use to make changes on their own. We can't have individual logins for each developers which is tedious to manage.
Note: Also, we can't ensure that the credentials won't be shared with the peer developers.
To get rid of this, we thought of integrating Postgres with Azure Active Directory, for Authentication.
If we can map Azure AD group/users to Postgres, security will be tightened as well as maintenance overhead will also reduce.
But, I couldn't find a article to implement this, since most of the articles says the integration for Azure managed postgresql with Azure AD, and not for the postgres running on VMs.
Can anyone guide me or share a detailed article to implement the Azure AD integration for Postgres running on a VM(IaaS)
In Azure portal go to the postgresql database select Authentication and set active directory admin.
You can specify an Azure AD group instead of an individual user to have multiple administrators.
Connecting to postgresql :
1.Login to Azure subscription.
2.Get the access token of the postgresql serverusing below command:
az account get-access-token --resource https://ossrdbms-aad.database.windows.net
3.Use that token as password for login with postgresql server.
Creating user
CREATE USER "user1#yourtenant.onmicrosoft.com" IN ROLE azure_ad_user;
Token validation:
Token is signed by Azure AD and has not been tampered with
Token was issued by Azure AD for the tenant associated with the server
Token has not expired
Token is for the Azure Database for PostgreSQL resource (and not another Azure resource)
Reference Link: Use Azure Active Directory - Azure Database for PostgreSQL - Single Server | Microsoft Learn
Using Azure Active Directory is a great idea for the reasons you specified, but unfortunately there's no native support for connection to Azure Active Directory with a local Postgres database (which is essentially what you have with Postgres in a VM). It can be done through the LDAP protocol, however.
FULL DISCLOSURE: I haven't actually done this part myself (or used the steps in the tutorial link), but this is my understanding from working with system operators. Use LDAP to connect to Azure AD then Postgres to connect via LDAP. More information on LDAP authentication in Postgres can be found here.
Bhavani's answer is about Azure Database for PostgreSQL, which is a Azure-native database service. This part I have used and I highly recommend it; you get Azure AD integration and can manage the database performance and connectivity specifically without having to also manage VM performance. Note that their screenshot is for the Flexible Server while the reference link says 'Single Server'; I recommend Flexible Server.
I have data held in an Azure Data Lake Gen 2 storage container. I would like to provision this data for an existing report authored in Crystal Reports using SQL on demand.
During development I used my own Azure AD login via an ODBC connection on my local machine. I have access to the Synapse environment and also the data lake. This worked successfully and although slow, pulled all information required.
To deploy this solution correctly I need to remove my AAD creds and use a provisioned service principle. I have given the service principle to read from the data lake and also added the principle to the SQL database. Now I am stuck on how to use the principle to connect to Crystal Reports.
I have tried the same authentication type as with my AAD but now I am using a clientID not a email. So when the system prompts for connection details it wants you to sign in and does not accept the clientID.
Does anyone have any suggestions on how to connect to Crystal Reports using this way or any other way?
Also: My org does not want this user or app reg to have restricted permissions so therefore adding them to the RBAC "synapse admin" wont work.
Thanks
Tom
Found a way around this.
Create a service account user on Azure Portal. Head to Synapse Analytics and open blank SQL script to give the user minimal permissions.
*USE [master]*
CREATE LOGIN [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
GRANT CONNECT ANY DATABASE TO [serviceaccountsynapseuser#company.onmicrosoft.com]
GRANT SELECT ALL USER SECURABLES TO [serviceaccountsynapseuser#company.onmicrosoft.com]
*USE [Reporting] (Serverless SQL DB)*
CREATE USER [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [serviceaccountsynapseuser#company.onmicrosoft.com]
Finally head to the storage account and give the user storage blob reader role.
I'm migrating an on-premise application (basically a database + a dashboard) to Azure. In my database on-premise, I had set up some access rules and RSL (Row Level Security) for different user profiles. Those were done at the level of my database which is postgres.
Now on the plateforme of Azure, I have to add an intermediare layer, Azure Analysis service between my postgres and dashboard. I want to know how to ensure my database access management & RLS with the addition of Azure Analysis service.
Do I need to replicate it in Analysis Service? Or it will still work and I do nothing with it.
Thanks
As I understand in the intial design you did not have AAS and the RLS was at the database level . Once you moved to Azure you introduced the AAS ( may be to boost performance) , to me it should work fine . We will have to think how will you refresh the data from the database to AAS and for that you may have add an user .
I want to Migrate Azure AD b2c users to Postgres database. Is this scenario possible. All i see from documentation isuser migration from SQL database to Azure AD B2C
To be curious, why do you want to migrate away from Azure AD for storing of users?
To answer your question, yes it is possible. You will need to write custom solution for this.
Use AAD Sample to get users from AAD and create them in any database of your choice
Write a custom policy solution to read data from a service backed by PostGre database and return appropriate claims. You will need to use Restful Provider service feature.
Connections using trusted authentication can be established by passing isc_dpb_trusted_auth and isc_spb_trusted_auth in the respective parameter blocks when using Firebird 2.1.
The connected user will have administrative rights depending on their being member of a Windows group with administrative rights.
For Firebird 2.5 the role "rdb$admin" can be specified to connect with administrative rights to the database, provided the user has been granted permission to that role.
I want to establish a service connection with administrative rights, using that role, but haven't found a way yet to do it. The connection is made but I can't for example list database users, which I can when connecting as SYSDBA.
What combination of isc_spb_trusted_auth, isc_spb_trusted_role and isc_spb_sql_role_name or other parameter blocks do I need, and what parameters do I need to pass?
There is a difference between a role and a user regarding where appropriate data are stored. The former is stored inside database in the RDB$ROLES table. The latter is stored in a special separate database file named security2.fdb, which usually lays in a Firebird directory.
When attaching to a service manager through Firebird API particular database is not known yet. Only server name is specified. Because of this you can not use roles. At this point the server simply doesn't know from what database to read role credentials.
The only service accepting role parameter in FB2.5 is users' management - that's how services work since interbase 6. Ability to use it for other services will be present starting with FB3.