【Question title】: How should Azure Synapse Analytics Serverless SQL pool be configured to support end-to-end AD authentication and authorization?
【Posted】: 2022-10-21 19:56:32
【Question】:
For several days I have been trying to set up end-to-end AD-authenticated access to an Azure Synapse Serverless SQL pool. I have made some progress, but as of today I still do not have a working end-to-end solution.
I tried creating a SQL Server login for the AD security group using its domain, e.g.
CREATE LOGIN [UG-DataAccess-Confidential-RO@domain.com] FROM EXTERNAL PROVIDER;
and received the error
Principal 'UG-DataAccess-Confidential-RO@domain.com' could not be found or this principal type is not supported.
【Discussion】:
Tags: sql-server, dns, active-directory, azure-synapse, group
【Solution 1】:
Today I had the luck to come across this helpful article: https://www.mssqltips.com/sqlservertip/6702/sql-server-windows-authentication-with-users-and-groups/
It led to the following configuration, which works well with Azure Synapse SQL pools and, I imagine, SQL Server more generally:
AD security group: UG-DataAccess-Confidential-RO
USE master;
GO
-- Step 1: Create a login for the desired security group that should align with the
-- sensitivity of the data being accessed
--
-- NOTE: logins to SQL Server that use AD security groups only need the
-- DISPLAY NAME of the group and should not contain the domain. I assume
-- that the domain is left off since authentication is against user accounts
-- while authorization checks group membership. Since authentication occurs first,
-- the domain is already known by the time authorization happens.
CREATE LOGIN [UG-DataAccess-Confidential-RO] FROM EXTERNAL PROVIDER;
GO
-- Step 2: Create a custom server role in the master DB (standard roles cannot be modified with
-- Azure Serverless SQL) and grant the required SQL privileges to it in order to ensure that
-- users who are members of the security group will have these privileges once the
-- security group has been added as a member of this new role in SQL Server
CREATE SERVER ROLE [custom_role_reader];
GO
-- Note: these grants are too liberal and need to be reduced further for tighter security
GRANT CONNECT ANY DATABASE TO [custom_role_reader];
GRANT CONNECT SQL TO [custom_role_reader];
GRANT VIEW ANY DATABASE TO [custom_role_reader];
GRANT VIEW ANY DEFINITION TO [custom_role_reader];
GRANT VIEW SERVER STATE TO [custom_role_reader];
GO
-- Step 3. Add the security group to the new server role to enable login for ANY users who are
-- members of the AD security group
ALTER SERVER ROLE [custom_role_reader] ADD MEMBER [UG-DataAccess-Confidential-RO];
GO
-- Step 4. Change to the database of interest - in this example, we use a demo database
USE demoDB;
GO
-- Step 5. Create a demo database user for the demo database that maps to the SQL login
-- associated with the AD security group.
-- IF EXISTS keeps the script re-runnable: a bare DROP USER fails when the user is absent
DROP USER IF EXISTS [SqlReader];
GO
CREATE USER [SqlReader] FOR LOGIN [UG-DataAccess-Confidential-RO];
GO
-- Step 6. Create a demo database role and grant the required minimum privileges to it.
-- Then add the new demo db user as a member of the new demo db database role.
-- A role can only be dropped once it has no members, which is why the user is dropped first
DROP ROLE IF EXISTS [db_sql_reader];
GO
CREATE ROLE [db_sql_reader];
GO
GRANT SELECT ON SCHEMA::curated TO [db_sql_reader];
GO
ALTER ROLE [db_sql_reader] ADD MEMBER [SqlReader];
GO
-- Step 7. FOR AZURE SYNAPSE ANALYTICS ONLY
-- Ensure the Gen2 storage ACLs of the data lake grant read access to the AD security group
-- for all files backing external table definitions. The security group needs read/execute
-- on every Gen2 directory in the data lake, from the container all the way down to the
-- files themselves, e.g. parquet, CSVs, etc.
--
-- Users who are members of the AD security group should now be able to log in
-- to serverless SQL and execute queries against the tables in the demo DB
Note that this solution does not require any special Azure RBAC roles for members of the AD security group, only appropriate ACL management in the data lake plus the SQL permissions above. This saves us from having to deal with creating scoped database credentials, and it also stays in line with the MS security best practices for Synapse as I understand them from the MS documentation.
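As an added verification script (not part of the answer above, and not from the linked article), the following T-SQL lists the principals, role memberships and grants that the script creates, so a reviewer can confirm the group login is an external-group principal, see exactly which server-level permissions custom_role_reader carries (the list the answer says should be trimmed), and check that db_sql_reader holds nothing beyond SELECT on the curated schema. It assumes the names used in the answer (login UG-DataAccess-Confidential-RO, database demoDB, user SqlReader, roles custom_role_reader and db_sql_reader, schema curated).

```sql
-- Verification queries; assumes the object names from the answer above.
USE master;
GO
-- 1. The group login must exist as an external (Azure AD) group principal.
SELECT name, type_desc
FROM sys.server_principals
WHERE name = N'UG-DataAccess-Confidential-RO';   -- expected type_desc: EXTERNAL_GROUP
GO
-- 2. Every member of the custom server role, so an unexpected member stands out.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'custom_role_reader';
GO
-- 3. The server-level permissions actually granted to the role: this is the
--    list to reduce before the configuration is considered least-privilege.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'custom_role_reader'
ORDER BY p.permission_name;
GO
USE demoDB;
GO
-- 4. The database user mapped to the group login; its SID should equal the
--    login's SID in master, proving it is tied to the AD group and nothing else.
SELECT name, type_desc, sid
FROM sys.database_principals
WHERE name = N'SqlReader';
GO
-- 5. Membership of the database role, then every grant the role holds.
--    Anything other than GRANT SELECT on SCHEMA curated is a drift to investigate.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_sql_reader';

SELECT p.permission_name, p.state_desc, p.class_desc,
       CASE WHEN p.class_desc = N'SCHEMA'
            THEN SCHEMA_NAME(p.major_id) END AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'db_sql_reader'
ORDER BY p.class_desc, p.permission_name;
GO
```

Run the first three batches in master and the remaining ones in demoDB; the data-lake ACLs from Step 7 are not visible from SQL and still need to be checked on the storage side.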