Managed Identity dev experience improvements #1936
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…mssql-jdbc into jdbc-msi-improvements
lilgreenbird
changed the title
David-Engel
reviewed
Oct 24, 2022
There was a problem hiding this comment.
There is one other change we need to make to align the JDBC driver with other drivers. We should deprecate the msiClientId get/set methods (but they should continue to work. Comment: "Use the getUser/setUser method instead.") This will include changing the Authentication=ActiveDirectoryMSI validation to allow specifying User in the connection string. If both msiClientId and User are specified, User should override msiClientId.
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerConnection.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerConnection.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerConnection.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.java
Outdated
Show resolved
Hide resolved
…user property for managed identity client ID
…mssql-jdbc into jdbc-msi-improvements
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.java
Outdated
Show resolved
Hide resolved
lilgreenbird
suggested changes
Oct 24, 2022
| boolean isAzureFunction = null != identityEndpoint && !identityEndpoint.isEmpty() && null != identityHeader | ||
| && !identityHeader.isEmpty(); | ||
| throw new SQLServerException(SQLServerException | ||
| .getErrString("R_ManagedIdentityTokenAcquisitionFail"), null); |
There was a problem hiding this comment.
can we add more info to the error message to make it easier to debug when there's a failure
There was a problem hiding this comment.
Similarly, do we have more info if the Optional task fails or doesn't return a result? I don't know the API well...
There was a problem hiding this comment.
What additional info did you have in mind? I'll amend the error message to the following to be more clear as to the reason it is null.
Failed to acquire managed identity token. Request for the token succeeded, but no token was returned. The token is null.
There was a problem hiding this comment.
Not sure. From the sounds of it, we don't have anything more available. The current iteration looks good.
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerConnection.java
Outdated
Show resolved
Hide resolved
David-Engel
reviewed
Oct 24, 2022
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerConnection.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
David-Engel
reviewed
Oct 25, 2022
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java
Outdated
Show resolved
Hide resolved
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java
Outdated
Show resolved
Hide resolved
| boolean isAzureFunction = null != identityEndpoint && !identityEndpoint.isEmpty() && null != identityHeader | ||
| && !identityHeader.isEmpty(); | ||
| throw new SQLServerException(SQLServerException | ||
| .getErrString("R_ManagedIdentityTokenAcquisitionFail"), null); |
There was a problem hiding this comment.
Similarly, do we have more info if the Optional task fails or doesn't return a result? I don't know the API well...
src/main/java/com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.java
Outdated
Show resolved
Hide resolved
|
@David-Engel For some reason there's no "reply" button for your comment. I'll just quote you and reply here.
If the Optional task fails, it will throw its own error. The resulting exception, since we're using the Azure Identity credentials, will be a A
Howerver, there isn't any more available information other than a null token if the Optional succeeds (eg. request for token went through but a null token was returned). In this case, as you suggested (since we shouldn't return null), we'll throw our own error. |
David-Engel
approved these changes
Oct 25, 2022
Jeffery-Wasty
approved these changes
Oct 26, 2022
lilgreenbird
approved these changes
Oct 26, 2022
Jeffery-Wasty
added a commit
that referenced
this pull request
Jan 28, 2025
Signed-off-by: Jeff Wasty <[email protected]>
Jeffery-Wasty
added a commit
that referenced
this pull request
Mar 19, 2025
…date (#2602) * Update build.gradle * Update pom.xml * Update pom.xml * Update pom.xml * Update pom.xml * Update pom.xml * Update pom.xml * Update pom.xml * ManagedIdentity I Signed-off-by: Jeff Wasty <[email protected]> * Updates for running tests with managed identity (#2416) Signed-off-by: Jeff Wasty <[email protected]> # Conflicts: # src/test/java/com/microsoft/sqlserver/jdbc/SQLServerConnectionTest.java # src/test/java/com/microsoft/sqlserver/jdbc/TestResource.java # src/test/java/com/microsoft/sqlserver/jdbc/TestUtils.java # src/test/java/com/microsoft/sqlserver/jdbc/connection/TimeoutTest.java # src/test/java/com/microsoft/sqlserver/jdbc/databasemetadata/DatabaseMetaDataTest.java # src/test/java/com/microsoft/sqlserver/jdbc/unit/statement/BatchExecutionTest.java * Delete mistakenly added files * Delete mistakenly added files * Revert "Delete mistakenly added files" This reverts commit 19abc22. * Revert "Delete mistakenly added files" This reverts commit 04f8c82. * Revert "Updates for running tests with managed identity (#2416)" This reverts commit b727a96. * Revert "ManagedIdentity I" This reverts commit 6d5c519. * Delete garbage * Fixed Managed Identity tests (#1935) Signed-off-by: Jeff Wasty <[email protected]> # Conflicts: # src/test/java/com/microsoft/sqlserver/jdbc/AlwaysEncrypted/MSITest.java * Managed Identity dev experience improvements #1936 Signed-off-by: Jeff Wasty <[email protected]> * Updates for running tests with managed identity #2416 Signed-off-by: Jeff Wasty <[email protected]> * cleanup Signed-off-by: Jeff Wasty <[email protected]> * Update tests for Kerberos Signed-off-by: Jeff Wasty <[email protected]> * Remove unused test * tsc=true for ae Signed-off-by: Jeff Wasty <[email protected]> * Add tags for testDefaultRetry * Remove unstable test Signed-off-by: Jeff Wasty <[email protected]> * Add throttling error message to tests (#2044) Signed-off-by: Jeff Wasty <[email protected]> * Updated fedauth tests to run on diff test server (#2062) Signed-off-by: Jeff Wasty <[email protected]> * Update fedauth tests to use cached tokens and retry if throttled (#2077) Signed-off-by: Jeff Wasty <[email protected]> * Add back missing import Signed-off-by: Jeff Wasty <[email protected]> * Resolve static issue with IOBuffer Signed-off-by: Jeff Wasty <[email protected]> * Add back a missing import * Fixed TestUtils * Remove mistakenly added code * Cleanup * Cleanup testutils * More cleanup * Add more time for 'testDefaultRetry' & Fix tests for testing encrypt options (#2215) * Update setAEConnectionString * Updated fedauth error tests (#2538) Signed-off-by: Jeff Wasty <[email protected]> # Conflicts: # src/test/java/com/microsoft/sqlserver/jdbc/fedauth/ErrorMessageTest.java # src/test/java/com/microsoft/sqlserver/jdbc/fedauth/FedauthCommon.java * Update fedAuth tests * Revert "Updated fedauth error tests (#2538)" This reverts commit dfb4b77. * Revert "Update fedAuth tests" This reverts commit da5c58b. * Added ActiveDirectoryServicePrincipalCertificate for tests * Add 'requireSecret' exclude tag for tests which require adding a secret to app registration * Version update * Add connection retry changes from 2513 to ensure existing timing tests pass * Adjust timings on tests as the fix requires code changes we should not incorporate for this release * Changelog * Update dependency versions --------- Signed-off-by: Jeff Wasty <[email protected]> Co-authored-by: lilgreenbird <[email protected]> Co-authored-by: Terry Chow <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Resolves the following:
Deprecated the following:
New authentication property values:
authentication=ActiveDirectoryManagedIdentityauthentication=DefaultAzureCredentialauthentication=ActiveDirectoryDefaultNew environment variables:
INTELLIJ_KEEPASS_PATHADDITIONALLY_ALLOWED_TENANTS(comma delimited list of additionally allowed tenant IDs, used withDefaultAzureCredential)To use the IntellijCredential with the driver, supply the connection string property
authentication=DefaultAzureCredentialand set theINTELLIJ_KEEPASS_PATHenvironment variable to the path of the keepass database.