Azure Active Directory: create an Azure SQL DB using only an AD administrator
Tags: azure-active-directory, azure-sql-database, arm-template

I am converting an Azure SQL DB to use Active Directory authentication. I added this snippet to my ARM template, which correctly sets the administrator to an AD group. So far, so good:

{
  "type": "administrators",
  "name": "activeDirectory",
  "apiVersion": "2014-04-01-preview",
  "location": "[resourceGroup().location]",
  "properties": {
    "administratorType": "ActiveDirectory",
    "login": "[parameters('sql_ad_admin_username')]",
    "sid": "[parameters('sql_ad_admin_objectid')]",
    "tenantId": "[parameters('azure_ad_directory_id')]"
  },
  "dependsOn": [
    "[parameters('sql_db_name')]"
  ]
},
Now that I have this working, I want to remove the old SQL Server authentication administrator details from the ARM template (I want to keep the template in source control, so obviously it should not contain any credentials).

So I tried removing the administratorLogin and administratorLoginPassword entries from the file (after all, they are no longer needed; I have an AD administrator now).

However, after removing them, I get the following error when running the template:

Invalid value given for parameter Login. Specify a valid parameter value.
Now I'm a bit confused. Why can't I get rid of these? I am now using AD authentication, which is more secure than SQL authentication, yet it seems to force me to set up a less secure username/password administrator login? How do I disable this?

For Azure SQL Database you cannot remove the initial SQL administrator login and password; it is always required. However, just as you parameterised "login", "sid" and "tenantId" for the AD administrator, you can do the same for the "administratorLogin" and "administratorLoginPassword" values in the template.
The administrator structure is shown in the figure. Based on my research, when we create an Azure SQL server with an ARM template we cannot omit administratorLogin and administratorLoginPassword. For more details, please refer to
The solution I ended up going with: parameterise the password in the template, then configure the parameter file to fetch the password from Key Vault:

"sql_admin_password": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/XXXXXX-XXXXXXXXX-XXXXXXXX/resourcegroups/MY_RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/MY_KEY_VAULT_NAME"
    },
    "secretName": "SQLDatabaseAdminPassword"
  }
}

This avoids needing the password in source control, or anywhere in the CI system, which passing the password as an explicit parameter would require.
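As an added example (not code from the question or from any of the answers), here is a small Python lint that checks the properties this thread keeps coming back to: the template must not carry a literal SQL administrator password (the password stays a securestring parameter, as the first answer suggests), a parameter file that is committed to source control must supply that parameter as a Key Vault reference rather than a plain "value", and an ActiveDirectory administrator resource must be present, as in the question's snippet. The template and parameter files embedded in it are constructed samples; the parameter names (sqlAdminLogin, sqlAdminPassword, adAdminName, adAdminSid) and the Key Vault resource id are placeholders.

```python
# Added example: lint an ARM template and parameter file for SQL admin credential handling.
# Not code from the question or answers; the sample template and parameter files are constructed.
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PARAM_REF_RE = re.compile(r"parameters\('([^']+)'\)")


def _is_expression(value):
    """ARM template expressions are strings wrapped in [ ... ]."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def _walk_resources(resources):
    """Yield every resource, descending into nested child resources."""
    for res in resources or []:
        yield res
        yield from _walk_resources(res.get("resources"))


def lint_template(template):
    """Return findings (strings) for a template dict; an empty list means clean."""
    findings = []
    params = template.get("parameters", {})
    # 1. A securestring parameter must not ship a literal default value.
    for name, spec in params.items():
        if spec.get("type", "").lower() == "securestring":
            default = spec.get("defaultValue")
            if default is not None and not _is_expression(default):
                findings.append(f"parameter {name}: literal default for securestring")
    has_ad_admin = False
    for res in _walk_resources(template.get("resources")):
        rtype, props = res.get("type", ""), res.get("properties", {})
        # 2. The server's admin password must be an expression that points at a securestring.
        if rtype == "Microsoft.Sql/servers":
            pwd = props.get("administratorLoginPassword")
            if pwd is not None and not _is_expression(pwd):
                findings.append("Microsoft.Sql/servers: literal administratorLoginPassword")
            ref = PARAM_REF_RE.search(pwd or "")
            if ref and params.get(ref.group(1), {}).get("type", "").lower() != "securestring":
                findings.append(f"parameter {ref.group(1)}: password parameter is not securestring")
        # 3. An Azure AD administrator must be configured; a literal sid must be an object id GUID.
        if rtype.endswith("administrators") and props.get("administratorType") == "ActiveDirectory":
            has_ad_admin = True
            sid = props.get("sid", "")
            if not _is_expression(sid) and not GUID_RE.match(sid):
                findings.append("administrators: sid is not an object id GUID")
    if not has_ad_admin:
        findings.append("no ActiveDirectory administrator resource found")
    return findings


def lint_parameter_file(param_file, template):
    """Flag securestring parameters given as a plain 'value' instead of a Key Vault reference."""
    findings = []
    specs = template.get("parameters", {})
    for name, entry in param_file.get("parameters", {}).items():
        if specs.get(name, {}).get("type", "").lower() != "securestring":
            continue
        ref = entry.get("reference", {})
        if "value" in entry or "keyVault" not in ref or "secretName" not in ref:
            findings.append(f"parameter {name}: securestring must be a Key Vault reference")
    return findings


# Constructed sample template, laid out like the one in the thread (parameter names are placeholders).
SAMPLE_TEMPLATE = {
    "parameters": {
        "sqlAdminLogin": {"type": "string"},
        "sqlAdminPassword": {"type": "securestring"},
        "adAdminName": {"type": "string"},
        "adAdminSid": {"type": "string"},
    },
    "resources": [{
        "type": "Microsoft.Sql/servers",
        "properties": {
            "administratorLogin": "[parameters('sqlAdminLogin')]",
            "administratorLoginPassword": "[parameters('sqlAdminPassword')]",
        },
        "resources": [{
            "type": "administrators",
            "name": "activeDirectory",
            "properties": {
                "administratorType": "ActiveDirectory",
                "login": "[parameters('adAdminName')]",
                "sid": "[parameters('adAdminSid')]",
                "tenantId": "[subscription().tenantId]",
            },
        }],
    }],
}

# Constructed parameter file that pulls the password from Key Vault (vault id is a placeholder).
GOOD_PARAMS = {"parameters": {
    "sqlAdminLogin": {"value": "sqladmin"},
    "sqlAdminPassword": {"reference": {
        "keyVault": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>"},
        "secretName": "SQLDatabaseAdminPassword"}},
    "adAdminSid": {"value": "00000000-0000-0000-0000-000000000000"},
}}

# The same file with the password committed in plain text.
BAD_PARAMS = {"parameters": {"sqlAdminPassword": {"value": "plaintext-password-in-git"}}}

if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE_TEMPLATE)))
    print(json.dumps(lint_parameter_file(GOOD_PARAMS, SAMPLE_TEMPLATE)))
    print(json.dumps(lint_parameter_file(BAD_PARAMS, SAMPLE_TEMPLATE)))
```

To run it against real files, load the template and the parameter file with json.load and pass the resulting dicts; a non-empty list from either function is a finding. Wired into a CI step that fails on any finding, it catches the situation the comments below worry about, a SQL admin password ending up as a plain value in a committed parameter file, while still allowing the rest of the parameters to live in that file.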
Credit:

I also could not find a solution to get rid of the SQL admin credentials. A parameter named "azureADOnlyAuthentication" was added in apiVersion "2019-06-01-preview", but every time I tried to put any value into it, the DB deployment failed with a timeout.

I like Vivien Chevallier's solution: generate the login and password for the SQL admin. I modified it slightly based on the comments and also added a prefix to the randomly generated password. The idea is to omit the SQL admin credential parameters when using AD admin credentials, so the SQL admin credentials are generated; the password is not stored anywhere and therefore cannot be retrieved. Template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "sqlServerName": {
      "type": "string",
      "metadata": {
        "description": "The name of the SQL Server."
      }
    },
    "sqlServerAdministratorName": {
      "type": "string",
      "metadata": {
        "description": "The name for SQL Server administrator."
      },
      "defaultValue": "[uniqueString(resourceGroup().id, '{24CF6AE7-F4CA-44D7-8FBD-B7F85C0BDDF6}')]"
    },
    "sqlServerAdministratorPassword": {
      "type": "securestring",
      "metadata": {
        "description": "The password for SQL Server administrator."
      },
      "defaultValue": "[concat('C3@TnTAjqVnr', uniqueString(resourceGroup().id, newGuid()), toUpper(uniqueString(resourceGroup().id, newGuid())))]"
    },
    "sqlServerAdministratorADName": {
      "type": "string",
      "metadata": {
        "description": "The name of the AD user/group for SQL Server administrator."
      }
    },
    "sqlServerAdministratorADSid": {
      "type": "string",
      "metadata": {
        "description": "The SID of the AD user/group for SQL Server administrator."
      }
    },
    "transparentDataEncryption": {
      "type": "string",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ],
      "defaultValue": "Disabled",
      "metadata": {
        "description": "Enable or disable Transparent Data Encryption (TDE) for the database."
      }
    },
    "databaseName": {
      "type": "string",
      "metadata": {
        "description": "The name for the database."
      }
    },
    "databaseCollation": {
      "type": "string",
      "defaultValue": "SQL_Latin1_General_CP1_CI_AS",
      "metadata": {
        "description": "Database collation"
      }
    },
    "databaseServiceObjectiveName": {
      "type": "string",
      "defaultValue": "Basic",
      "metadata": {
        "description": "The name of the configured service level objective of the database."
      }
    },
    "sqlTier": {
      "type": "string",
      "defaultValue": "Standard"
    },
    "sqlSkuName": {
      "type": "string",
      "defaultValue": "S1"
    }
  },
  "resources": [
    {
      "name": "[parameters('sqlServerName')]",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2019-06-01-preview",
      "location": "[parameters('location')]",
      "properties": {
        "administratorLogin": "[parameters('sqlServerAdministratorName')]",
        "administratorLoginPassword": "[string(parameters('sqlServerAdministratorPassword'))]"
      },
      "tags": {
        "displayName": "SqlServer"
      },
      "resources": [
        {
          "name": "[concat(parameters('sqlServerName'), '/', 'ActiveDirectory')]",
          "type": "Microsoft.Sql/servers/administrators",
          "apiVersion": "2019-06-01-preview",
          "properties": {
            "administratorType": "ActiveDirectory",
            "login": "[parameters('sqlServerAdministratorADName')]",
            "sid": "[parameters('sqlServerAdministratorADSid')]",
            "tenantId": "[subscription().tenantId]"
          },
          "dependsOn": [
            "[parameters('sqlServerName')]"
          ]
        },
        {
          "name": "[concat(parameters('sqlServerName'), '/', parameters('databaseName'))]",
          "type": "Microsoft.Sql/servers/databases",
          "apiVersion": "2019-06-01-preview",
          "location": "[parameters('location')]",
          "tags": {
            "displayName": "Database"
          },
          "properties": {
            "collation": "[parameters('databaseCollation')]",
            "requestedServiceObjectiveName": "[parameters('databaseServiceObjectiveName')]"
          },
          "sku": {
            "name": "[parameters('sqlSkuName')]",
            "tier": "[parameters('sqlTier')]"
          },
          "dependsOn": [
            "[parameters('sqlServerName')]"
          ],
          "resources": [
            {
              "comments": "Transparent Data Encryption",
              "name": "current",
              "type": "transparentDataEncryption",
              "apiVersion": "2014-04-01",
              "properties": {
                "status": "[parameters('transparentDataEncryption')]"
              },
              "dependsOn": [
                "[parameters('databaseName')]"
              ]
            }
          ]
        }
      ]
    }
  ],
  "outputs": {
    "sqlServerFqdn": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Sql/servers/', parameters('sqlServerName')),'2015-05-01-preview').fullyQualifiedDomainName]"
    },
    "databaseName": {
      "type": "string",
      "value": "[parameters('databaseName')]"
    }
  }
}
Sample generated parameters:

sqlServerAdministratorName      ka7bwq3hord7a
sqlServerAdministratorPassword  C3@TnTAjqVnrqquzzkrgjp4tuLS645X4JUANDU
Shame... I would also like to keep the production parameter file in source control, but I guess this means it is not possible to keep it as a separate file in source control.

See the figure on the right, but doesn't that mean the SQL admin password is exposed in source control?

The parameter file can contain everything except the password, which is then supplied at deployment time together with the other parameters from the parameter file; i.e. you can mix and match between the parameter file and command-line parameters.