Support Azure Active Directory (aka Microsoft Entra) authentication for Azure SQL #662
Comments
This is a good suggestion and definitely something we should do. However, I do not directly have access to an Azure environment to test and therefore to add the functionality will either need a pull request to add what is needed or sufficient guidance to create a branch with what is needed that can then be tested. So it is not entirely clear whether we can add this by adding additional options to the connect string and a GUI checkbox / CLI option, or whether we need to modify the ODBC interface itself. As an example:
Also, the connections for both Windows and Linux are different (as we don't have the Windows authentication option on Linux) so we would need to know whether this is just something that would be added for a Windows client. |
It shouldn't be necessary to modify the ODBC interface. Supporting new values in the connection string
Aside: There is now a free Azure SQL option for anyone with an Azure subscription. A free Azure account is available as well. This may be suitable for testing. |
You should be able to experiment by directly editing the connect_string proc in the Script Editor in the GUI and provide guidance for the correct connect string that is needed. So I assume we add an "entra" option in addition to Windows and SQL authentication. If so then what we need is something as below and what the correct connect string would look like and also if this is compatible with the azure, encrypt and trust_cert options being appended. If you can provide this adding to GUI and CLI options to generate this connect string will be straightforward. Unfortunately, I don't have the bandwidth for setting up an Azure account at present so guidance on what will work will be key. Text is below, just cut and paste into the GUI and then modify the connect string to what works.
|
OK, this is great feedback. So I am thinking that we add another radio button under Authentication to the existing Windows Authentication and SQL Server Authentication with the heading Entra Authentication and if this radio button is selected then we have an additional field of Entra UID (greyed out if not selected). (This will be added to the XML/SQLite config under a new tag e.g. mssqls_entra_uid) By default, in this field we will have "Interactive" so if this is selected it will complete the connection string with:
if this field is not the string "Interactive" it will use:
where msi-object-id is whatever is entered in the field instead of Interactive. Can this UID have special characters that will need escaping like a password? All the Azure checkbox does is append the string Also, if the UID can be used on Linux we will leave the functionality the same on both OSes. If this sounds like a good approach then we will aim to get this added as the final feature for the next release v4.10 after completing the schema check pull request. |
I think that will work, but I'd like to propose a slight variation:
I suggest calling this I realize that this clashes with your proposal to use What do you think? |
That sounds like a good suggestion, so let's go with blank / empty string for interactive |
Understood. One other note is that the Entra auth option should only be available if the ODBC Driver 18 or later is used. With the older drivers, subsets of functionality may not be available. |
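The connection-string logic the thread converges on (empty Entra UID means interactive login, a non-empty UID means a managed identity, Entra only with ODBC Driver 18 or later), written out as an added Python illustration; this is not HammerDB's Tcl connect_string proc or the code in the pull request. The keyword values Authentication=ActiveDirectoryInteractive, Authentication=ActiveDirectoryMsi, Encrypt and TrustServerCertificate are the Microsoft ODBC Driver for SQL Server keywords and are my assumption for the strings the thread leaves unquoted; the string appended by the Azure checkbox is not shown on the page, so it is left out.

```python
import re

# Managed identity ids are GUIDs, so accepting only that shape answers the
# "does the UID need escaping?" question conservatively: nothing else is allowed.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DRIVER_VERSION_RE = re.compile(r"ODBC Driver (\d+) for SQL Server")


def build_connect_string(driver, server, database, auth, uid="", password="",
                         encrypt=False, trust_cert=False):
    """Return an ODBC connection string for the three authentication modes
    discussed in the thread: "windows", "sql" or "entra".

    For "entra", an empty uid selects the interactive login (the thread's
    final proposal) and a non-empty uid is the managed identity id.
    Keyword names are assumptions taken from the Microsoft ODBC driver docs.
    """
    parts = [f"DRIVER={{{driver}}}", f"SERVER={server}", f"DATABASE={database}"]
    if auth == "windows":
        parts.append("Trusted_Connection=Yes")
    elif auth == "sql":
        parts += [f"UID={uid}", f"PWD={password}"]
    elif auth == "entra":
        # Entra auth is only offered with ODBC Driver 18 or later.
        m = DRIVER_VERSION_RE.search(driver)
        if not m or int(m.group(1)) < 18:
            raise ValueError("Entra authentication needs ODBC Driver 18 or later")
        if uid == "":
            parts.append("Authentication=ActiveDirectoryInteractive")
        elif GUID_RE.match(uid):
            parts += ["Authentication=ActiveDirectoryMsi", f"UID={uid}"]
        else:
            raise ValueError("managed identity id must be a GUID")
    else:
        raise ValueError(f"unknown authentication mode {auth!r}")
    if encrypt:
        parts.append("Encrypt=yes")
    if trust_cert:
        parts.append("TrustServerCertificate=yes")
    return ";".join(parts) + ";"


def stores_secret(connect_string):
    """True if the string carries a password, i.e. the clear-text PWD that
    would end up in the TCL file and that the issue wants to avoid."""
    return any(p.split("=", 1)[0].upper() == "PWD"
               for p in connect_string.split(";"))
```

The Entra modes produce no PWD keyword at all, which is the property that lets a script be checked into source control or left on a benchmark VM without leaking a database credential.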
Pull request added #665, including details on how to build HammerDB to test this feature to verify it works as intended. |
Is your feature request related to a problem? Please describe.
Azure SQL supports two types of authentication, SQL and Azure Active Directory (aka AAD, aka Microsoft Entra). However, it is possible to disable SQL authentication on an Azure SQL logical server. For compliance and security reasons, this is a common configuration these days. That makes it impossible to run HammerDB against databases on such a server.
Describe the solution you'd like
The MSSQL ODBC driver supports AAD authentication. If, in addition to SQL and Windows, HammerDB adds support for AAD authentication, the problem would be solved. For example, HammerDB could authenticate to an Azure SQL logical server using a managed identity assigned to an Azure VM where HammerDB is running.
Describe alternatives you've considered
Temporarily enabling SQL authentication on the Azure SQL logical server may be a workaround in some cases. However, this is insecure because the password is stored in clear text in the TCL file.
Additional context
Azure SQL AAD documentation.