
Add support for CREATE AADUSER to mysql_user resource #77

Merged
merged 5 commits into from
Apr 17, 2023

Conversation

kratkyzobak

Supports creating users authorized by Azure AD tokens instead of passwords: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

Although aad_auth is a MySQL plugin and there is a theoretical possibility to use `CREATE USER ... IDENTIFIED WITH 'aad_auth' AS 'AADUser:objectid:upn:objectname'`, this is currently not a documented solution. As aad_auth is in public preview only, there is no guarantee this command would work.

Therefore I tried to follow the documentation and implement the Microsoft-specific CREATE AADUSER command, complying with the documentation as much as possible.

What this PR can do:

```hcl
resource mysql_user {
    user = "someuser" # name used to log in to MySQL - in Microsoft's documentation it's the alias (CREATE AADUSER x AS alias)
    auth_plugin = "aad_auth"
    aad_identity = "some.user@exampe.onmicrosoft.com"
}
```

Leads to `CREATE AADUSER 'some.user@exampe.onmicrosoft.com'@'localhost' AS 'someuser'`

  • Using @hostname in this statement is undocumented by Microsoft, but works. Microsoft defaults it to % when omitted, and it's up to everyone whether to try using it another way.
  • If someone needs to use a user without an alias, they have to set user equal to aad_identity, which is Microsoft's default.
  • Instead of a user principal name in aad_identity, a group name is allowed, which then works the same as for user principals.
  • To work for a service principal, its Client ID has to be in aad_identity, which then leads to the query `CREATE AADUSER alias@hostname IDENTIFIED BY clientid`, which is stupid, but it's according to something I found on Microsoft's support.
  • Nothing stops a user from using an object id instead of UPNs or group names, but this would break import/refresh of these users, as using object ids for these identity types is not supported by Microsoft's documentation.

The only place where I depend on authentication data is in import, where I parse it back to aad_identity.

I did not write any tests for auth_plugin = aad_auth since I don't know if there is any possibility to run them in the pipeline, as CREATE AADUSER is supported only on Azure managed servers.

I'm aware that the code is not nice; I tried to explain why above. If you think it can be improved, please show me the direction and I will try to do my best.
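As an added illustration (not the PR's own code, nor the provider's), here is the statement-building logic the description above sketches, in Go. It assumes that a GUID in aad_identity denotes a service principal (client ID) and that anything else is a UPN or group name; every value is quoted as a MySQL string literal so a stray quote in a configured value cannot alter the generated statement.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// guidRe matches an Azure AD application (client) ID.
// Assumption: a GUID in aad_identity means a service principal;
// anything else is treated as a user principal name or a group name.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// quoteString wraps s in single quotes, doubling embedded quotes and
// backslashes. Doubling both is safe whether or not the server runs with
// NO_BACKSLASH_ESCAPES, so a crafted value cannot close the literal early.
func quoteString(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `'`, `''`)
	return "'" + r.Replace(s) + "'"
}

// AADUserStatement builds the CREATE AADUSER statement described in the PR:
//   - user principal or group:       CREATE AADUSER 'identity'@'host' AS 'alias'
//   - service principal (client ID): CREATE AADUSER 'alias'@'host' IDENTIFIED BY 'clientid'
// When user equals aadIdentity no alias is emitted (Microsoft's default).
func AADUserStatement(user, host, aadIdentity string) string {
	if host == "" {
		host = "%" // Microsoft's default when the host part is omitted
	}
	if guidRe.MatchString(aadIdentity) {
		return fmt.Sprintf("CREATE AADUSER %s@%s IDENTIFIED BY %s",
			quoteString(user), quoteString(host), quoteString(aadIdentity))
	}
	stmt := fmt.Sprintf("CREATE AADUSER %s@%s", quoteString(aadIdentity), quoteString(host))
	if user != aadIdentity {
		stmt += " AS " + quoteString(user)
	}
	return stmt
}

func main() {
	// Constructed sample values, matching the PR description.
	fmt.Println(AADUserStatement("someuser", "localhost", "some.user@exampe.onmicrosoft.com"))
	fmt.Println(AADUserStatement("svc", "", "00000000-0000-0000-0000-000000000000"))
}
```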

Owner

@petoju petoju left a comment


Looks good!

@petoju petoju merged commit 7efb230 into petoju:master Apr 17, 2023
Owner

petoju commented Apr 17, 2023

Released in v3.0.35
