Add Azure Entra/AD Authentication to PostgreSQL Plugin #76638

Open
Hirohqv opened this issue Oct 16, 2023 · 4 comments

Hirohqv commented Oct 16, 2023

Why is this needed:
I'm currently working with a customer that mandates PostgreSQL database access via Azure AD Authentication. However, the current PostgreSQL plugin supports only username and password-based authentication.

What would you like to be added:
I'm requesting an enhancement that would enable the PostgreSQL Plugin to support Azure AD Authentication for logging in.

Who is this feature for?
This feature is primarily intended for Grafana users who need to access PostgreSQL data sources using Azure AD Authentication.

jarpoole commented Apr 28, 2024

@gabor curious if you guys would accept a PR implementing an approach similar to the one taken in the Postgres terraform provider (relevant docs here)? Specifically, Entra authentication on Azure does not require any fundamental change to the password authentication flow, but instead we just need to call an endpoint to get a token first which we then use as a normal password when connecting to postgres.

Taken from terraform-provider-postgresql:

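```go
import (
	"context"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
)

// acquireAzureOauthToken returns an Entra access token for Azure Database for
// PostgreSQL; the caller passes it as the password when connecting.
func acquireAzureOauthToken(tenantId string) (string, error) {
	// DefaultAzureCredential tries the credential types available in the environment.
	credential, err := azidentity.NewDefaultAzureCredential(
		&azidentity.DefaultAzureCredentialOptions{TenantID: tenantId})
	if err != nil {
		return "", err
	}
	// Request a token scoped to the Azure OSS RDBMS resource.
	token, err := credential.GetToken(context.Background(), policy.TokenRequestOptions{
		Scopes:   []string{"https://ossrdbms-aad.database.windows.net/.default"},
		TenantID: tenantId,
	})
	if err != nil {
		return "", err
	}
	return token.Token, nil
}
```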

Ideally I'd adjust the use of azidentity.NewDefaultAzureCredential such that both managed identities (for people running inside Azure) and service principal authentication work but the core functionality is here.

Might also be worth looking at how azure-data-explorer-datasource handles things...
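
An added example, not part of this thread and not code from Grafana or terraform-provider-postgresql, of the token-as-password flow described in the comment above: access tokens expire, so a connection pool needs a fresh one for each new connection, and the token is a bearer credential, so the connection string forces TLS. `TokenSource`, `CachedPassword`, `BuildDSN`, the host and the user name are hypothetical; the token source is stubbed so the block runs offline.

```go
package main

import (
	"fmt"
	"net/url"
	"sync"
	"time"
)

// TokenSource is a hypothetical stand-in for a call such as acquireAzureOauthToken.
type TokenSource func() (token string, expiresOn time.Time, err error)

// CachedPassword reuses a token until it is within Margin of expiry.
type CachedPassword struct {
	Source TokenSource
	Margin time.Duration
	mu     sync.Mutex
	tok    string
	exp    time.Time
}

// Password returns the token to use as the Postgres password at time now.
func (c *CachedPassword) Password(now time.Time) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.tok == "" || !now.Add(c.Margin).Before(c.exp) {
		tok, exp, err := c.Source()
		if err != nil {
			return "", err // fail closed: never hand out a token that is about to expire
		}
		c.tok, c.exp = tok, exp
	}
	return c.tok, nil
}

// BuildDSN places the token in the password slot, percent-encodes user and password, and requires TLS.
func BuildDSN(host, db, user, password string) string {
	u := url.URL{Scheme: "postgres", User: url.UserPassword(user, password),
		Host: host, Path: "/" + db, RawQuery: "sslmode=require"}
	return u.String()
}

func main() {
	src := func() (string, time.Time, error) { return "constructed-token", time.Now().Add(time.Hour), nil }
	c := &CachedPassword{Source: src, Margin: 5 * time.Minute}
	pw, _ := c.Password(time.Now())
	fmt.Println(BuildDSN("db.example.invalid:5432", "app", "grafana@example", pw))
}
```

Because the DSN embeds a live credential, it should be built per connection attempt and kept out of logs.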

gabor (Contributor) commented May 3, 2024

hi @jarpoole , thanks for the extra info 👍 . unfortunately, currently we are not planning to add this authentication method to the postgres datasource plugin.

jarpoole commented May 3, 2024

That is unfortunate but thank you for taking the time to respond! I was more so hoping you'd accept a community contribution but didn't know what the vibe was for this project.

gabor (Contributor) commented May 10, 2024

@jarpoole i understand. in general community contributions are very welcome, but unless they are trivial small changes like bugfixes, it's best to ask before, because sometimes our plans do not align with the contribution. (I know you asked, thanks for that 👍 ).

in this case, adding azure-ad-auth would mean that we also take on the responsibility to test this, and keep testing it in the future. also, what does this mean for mysql and other datasource plugins, and so on. there is simply a bunch of extra work involved here, and right now we are not planning to handle that. sorry.

Projects
Status: Backlog