SQL Server input plugin - Enable Azure Active Directory (AAD) authentication support

[avinash-nigam]

Required for all PRs:

• Associated README.md updated.
• Has appropriate unit tests.

Associated to feature request - Azure Active Directory (AAD) authentication support in SQL Server input plugin

[telegraf-tiger]

🤝 ✅ CLA has been signed. Thank you!

[masree]

I think we should update SQL Server plugin doc (readme) to indicate AAD support using MSI. Also indicate how an AAD login is created on SQL side using TSQL

[avinash-nigam]

I think we should update SQL Server plugin doc (readme) to indicate AAD support using MSI. Also indicate how an AAD login is created on SQL side using TSQL

Added content to readme file about its usage and instructions

[srebhan]

Please check my comments in the code. @masree any comments?

[masree]

Please check my comments in the code. @masree any comments?

Thank you for the review! Valid comments.

[srebhan]

I have some comments in the code. The most sever is the potential deadlock when an error occurs in getTokenProvider(). Please take a look and fix the leaking lock.

[telegraf-tiger]

Looks like new artifacts were built from this PR. Get them here!

Artifact URLs

• aarch64.rpm

• armel.rpm

• armv6hl.rpm

• i386.rpm

• ppc64le.rpm

• s390x.rpm

• x86_64.rpm

• darwin_amd64.tar.gz

• freebsd_amd64.tar.gz

• freebsd_i386.tar.gz

• linux_amd64.tar.gz

• linux_arm64.tar.gz

• linux_armel.tar.gz

• linux_armhf.tar.gz

• linux_i386.tar.gz

• linux_mips.tar.gz

• linux_mipsel.tar.gz

• linux_ppc64le.tar.gz

• linux_s390x.tar.gz

• static_linux_amd64.tar.gz

• windows_amd64.zip

• windows_i386.zip

• amd64.deb

• arm64.deb

• armel.deb

• armhf.deb

• i386.deb

• mips.deb

• mipsel.deb

• ppc64el.deb

• s390x.deb

[avinash-nigam]

I have some comments in the code. The most sever is the potential deadlock when an error occurs in getTokenProvider(). Please take a look and fix the leaking lock.

Thank you @srebhan for the review, I've addressed your comments.

[srebhan]

Only some small (cosmetic) things left. Looks good so far.

[avinash-nigam]

Only some small (cosmetic) things left. Looks good so far.

Thank you @srebhan for quick review, I've addressed your comments.

[telegraf-tiger]

Looks like new artifacts were built from this PR. Get them here!

Artifact URLs

• aarch64.rpm

• armel.rpm

• armv6hl.rpm

• i386.rpm

• ppc64le.rpm

• s390x.rpm

• x86_64.rpm

• darwin_amd64.tar.gz

• freebsd_amd64.tar.gz

• freebsd_i386.tar.gz

• linux_amd64.tar.gz

• linux_arm64.tar.gz

• linux_armel.tar.gz

• linux_armhf.tar.gz

• linux_i386.tar.gz

• linux_mips.tar.gz

• linux_mipsel.tar.gz

• linux_ppc64le.tar.gz

• linux_s390x.tar.gz

• static_linux_amd64.tar.gz

• windows_amd64.zip

• windows_i386.zip

• amd64.deb

• arm64.deb

• armel.deb

• armhf.deb

• i386.deb

• mips.deb

• mipsel.deb

• ppc64el.deb

• s390x.deb

[srebhan]

Looks good to me.

[sspaink]

How have you been testing it? is there a testing plan you would like to link for us to take a look?
Example -
Scenario1: Telegraf installed on VM and with connection strings using sqlauth only
Scenario2: Telegraf installed on VM with connection strings using sqlauth and aadMSI (multiple connection strings)
and so on

@avinash-nigam I was also wondering about how you tested this? There aren't any unit tests covering this new auth method, what are your thoughts on including tests?

[avinash-nigam]

How have you been testing it? is there a testing plan you would like to link for us to take a look?
Example -
Scenario1: Telegraf installed on VM and with connection strings using sqlauth only
Scenario2: Telegraf installed on VM with connection strings using sqlauth and aadMSI (multiple connection strings)
and so on

@avinash-nigam I was also wondering about how you tested this? There aren't any unit tests covering this new auth method, what are your thoughts on including tests?

@sspaink - This has been manually tested for databases of following variants individually and a combination of multiple variants by deploying the bits on an Ubuntu VM and settings connection strings to use SqlAuth and AADAuth (both as supported cases and not supported cases) -

Azure SQL Database - S1, S2 (AAD supported)
Azure SQL Elastic Pool Database - S0, S2 (AAD supported)
SQL VM - 2012, 2014, 2016, 2019 (AAD not supported)
SQL AG (HADR) - 2019 (AAD not supported)

Currently this plugin does not support integration testing, so there are no tests for authentication yet. Once we build a mechanism to write integration tests, then we would be able to add tests for the same.

[cerilewis]

This change appears to break Windows Integrated authentication where no User ID or Password is given in the connection string. If I run telegraf version 1.19.0-rc0 with configuration that works with 1.18.3 I get the following error:
2021-06-14T09:35:28Z E! [inputs.sqlserver] Error in plugin: database connection failed : AAD auth is not supported for SQL VM i.e. DatabaseType=SQLServer

This appears to come from the check for Password attribute being used to determine whether to user SQL Server authentication or AAD.

[srebhan]

@cerilewis thanks for reporting this problem! Can you please open an issue and link to this PR. I fear that we need to add an option to specify which auth-scheme to use as the magic here will likely not be able to detect it... :-(

[cerilewis]

@srebhan I have created the issue #9362 but either can't or don't know how to link this PR to it correctly.

[srebhan]

You already did by mentioning this PR in the issue. :-) Thank you for reporting.

[arkapravasinha]

can anyone please share any example how to enable AAD?

[srebhan]

@arkapravasinha please do not post support questions to old PRs! Nobody will notice them besides me. ;-) Better use the forum or Slack!

This being said, how about reading the docs and use auth_method = "aad"?