Azure AD for authentication with Data Warehouse
I'm trying to set up authentication using Azure AD to log in to DWH.
Let's say I have a directory called target.onmicrosoft.com.
I have 2 external users who were already invited to this directory (user1@gmail.com, user2@gmail.com).
For user1@gmail.com, I gave him Owner permission on the subscription scope using RBAC.
For user2@gmail.com, I only gave Reader permission on the subscription scope using RBAC.
From the DWH AD admin portal, I set user1@gmail.com as admin. In other words, the Active Directory admin of DWH is user1@gmail.com.
Also, the real administrator user of DWH is another user; let's call it topmanager.
First of all, I logged in to DWH using topmanager and tried to create an AAD user: CREATE USER [user2@gmail.com] FROM EXTERNAL PROVIDER;
But it said: Only connections established with Active Directory accounts can create other Active Directory users.
So I had to log in using the user1@gmail.com credential (since user1 was already added as AAD admin). Also, I couldn't log in with the user2 credential.
Now I executed the same query:
CREATE USER [user1@gmail.com] FROM EXTERNAL PROVIDER;
And got the error: Principal 'user1@gmail.com' could not be found or this principal type is not supported.
My final intention is to give user1 full permission on DWH and schema-based full permission for user2.
Use GRANT permissions within the data warehouse. Here's a good overview:
https://docs.microsoft.com/en-us/sql/t-sql/statements/permissions-grant-deny-revoke-azure-sql-data-warehouse-parallel-data-warehouse?view=aps-pdw-2016-au7
This example does exactly what you ask:
https://docs.microsoft.com/en-us/sql/t-sql/statements/permissions-grant-deny-revoke-azure-sql-data-warehouse-parallel-data-warehouse?view=aps-pdw-2016-au7#d-granting-denying-and-revoking-a-schema-permission
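The T-SQL below is an added worked example of the answer's approach (database-level GRANTs rather than subscription RBAC); it is not code from the question, the answer, or Microsoft's documentation. Two points it relies on: Azure RBAC roles such as Owner or Reader on the subscription control the Azure resource (control plane) and give no rights inside the database, so user2's Reader role is irrelevant to table access; and the configured Azure AD admin of the server connects as dbo in every database, so user1 needs no CREATE USER of its own while it remains the admin. The schema name [reporting] and the database name [dwh] are assumptions. The script must be run over a connection authenticated with an Azure AD account (here, the Azure AD admin), since that is the error the question hit when using a SQL login. One caveat from experience rather than from this page: guest (externally invited) accounts have at times not been resolvable directly by CREATE USER ... FROM EXTERNAL PROVIDER; the documented workaround was to put the guest in an Azure AD security group and create the database user from the group instead, which the last section shows.

```sql
-- Added example (not from the original post). Run while connected as the
-- Azure AD admin of the warehouse (user1@gmail.com in the question).
-- Assumed names: database [dwh], schema [reporting].

-- 0. Confirm the session is an Azure AD (external) principal before creating AAD users.
--    A SQL login (e.g. topmanager) here would produce the question's first error.
SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user_name;

-- 1. The schema user2 will be confined to.
CREATE SCHEMA [reporting];

-- 2. Contained database user for user2 from Azure AD (no server login needed).
CREATE USER [user2@gmail.com] FROM EXTERNAL PROVIDER;

-- 3. Least privilege for user2: full control of one schema, nothing else.
--    CONTROL on the schema covers SELECT/INSERT/UPDATE/DELETE/ALTER for objects in it.
GRANT CONTROL ON SCHEMA::[reporting] TO [user2@gmail.com];
--    Creating tables additionally requires the database-level CREATE TABLE permission;
--    combined with ALTER/CONTROL on only [reporting], tables can still only land there.
GRANT CREATE TABLE TO [user2@gmail.com];
--    Explicitly block access to other schemas even if a broad role is added later.
DENY SELECT ON SCHEMA::[dbo] TO [user2@gmail.com];

-- 4. "Full permission" for a second administrator that is NOT the Azure AD admin.
--    Only needed if user1 is later replaced as the server's Azure AD admin;
--    while user1 is the admin it already connects as dbo.
-- CREATE USER [user1@gmail.com] FROM EXTERNAL PROVIDER;
-- ALTER ROLE db_owner ADD MEMBER [user1@gmail.com];

-- 5. Workaround if the guest UPN cannot be resolved by CREATE USER:
--    create an Azure AD security group (assumed name DWH-Reporting-Writers),
--    add the guest account to it, then create the database user from the group.
-- CREATE USER [DWH-Reporting-Writers] FROM EXTERNAL PROVIDER;
-- GRANT CONTROL ON SCHEMA::[reporting] TO [DWH-Reporting-Writers];
-- GRANT CREATE TABLE TO [DWH-Reporting-Writers];

-- 6. Verify what was actually granted (principal, permission, state, scope).
SELECT  dp.name            AS principal_name,
        dp.type_desc       AS principal_type,
        pe.permission_name,
        pe.state_desc,
        pe.class_desc,
        SCHEMA_NAME(pe.major_id) AS schema_name  -- NULL for database-scoped grants
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS dp
        ON pe.grantee_principal_id = dp.principal_id
WHERE   dp.name IN ('user2@gmail.com', 'user1@gmail.com', 'DWH-Reporting-Writers')
ORDER BY dp.name, pe.class_desc, pe.permission_name;
```

The verification query is the check worth keeping: after the grants, user2 should show CONTROL (GRANT) on schema [reporting], CREATE TABLE (GRANT) at database scope and SELECT (DENY) on [dbo], and no entries at all for the subscription-level Reader role, which never reaches the database.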