无法使用属于 AD 组的登录名创建数据库范围的凭据
[英]Cannot create database scoped credential with a login that is part of an AD group
问题描述
I'm trying to find the minimum required permission or role that would allow a user that was assigned permissiosn through an AD group in Azure SQL server to create a database scoped credential via the following syntax.
我正在尝试查找允许通过 Azure SQL 服务器中的 AD 组分配权限的用户通过以下语法创建数据库范围凭据的最低必需权限或角色。
CREATE DATABASE SCOPED CREDENTIAL [SomeCredential]
WITH IDENTITY = N'someSqlUser', SECRET='someSqlPassword';
Based on documentation, the following permissions are needed.根据文档,需要以下权限。
GRANT CONTROL ON DATABASE::[MyDatabase] TO [SqlAdminGroup]
The error when someone from that group tries to create a database scoped credential is below:该组中的某人尝试创建数据库范围凭据时的错误如下:
The specified schema name "personInSqlAdminGroup@mytentant.com" either does not exist or you do not have permission to use it.
So what is interesting is that when I try this with a individual SQL login where I specifically gave the login CONTROL permission, it works.所以有趣的是,当我使用单独的 SQL 登录尝试此操作时,我特别授予了登录 CONTROL 权限,它可以工作。 When I try this via granting to an AD group is when I get the specified schema name error.当我通过授予 AD 组尝试此操作时,我收到指定的架构名称错误。 I added the group with a default schema of DBO.我添加了默认架构为 DBO 的组。
I believe there is an issue with an AD group in SQL not having a default schema, so any object creation would need to fully qualify the object with [dbo].[object].我相信 SQL 中的 AD 组存在一个没有默认架构的问题,因此任何对象创建都需要使用 [dbo].[object] 来完全限定对象。 However, database scoped credentials don't seem to want a schema because specified it results in a parsing error.但是,数据库范围的凭据似乎不需要架构,因为指定它会导致解析错误。
CREATE DATABASE SCOPED CREDENTIAL [dbo].[SomeCredential]
WITH IDENTITY = N'someSqlUser', SECRET='someSqlPassword';
So if it doesn't want a schema, why does it complain about the specified schema name of the user not existing?因此,如果它不需要架构,为什么它会抱怨用户的指定架构名称不存在?
1 个解决方案
解决方案1
1 已采纳 2020-08-30 17:28:52
This is a documented issue here Use Azure Active Directory authentication .这是此处使用 Azure Active Directory 身份验证记录的问题。 Quoting the relevant bullet from "Azure AD features and limitations": -引用“Azure AD 功能和限制”中的相关项目符号:-
Azure AD users that are part of a group that has db_owner server role cannot use the CREATE DATABASE SCOPED CREDENTIAL syntax against Azure SQL Database and Azure Synapse.
SQL Error [2760] [S0001]: The specified schema name 'user@mydomain.com' either does not exist or you do not have permission to use it.
Grant the db_owner role directly to the individual Azure AD user to mitigate the CREATE DATABASE SCOPED CREDENTIAL issue.
The db_owner role membership does not match your CONTROL on database scenario exactly, but it looks likely to be the same underlying issue. db_owner 角色成员资格与您对数据库方案的 CONTROL 不完全匹配,但它看起来可能是相同的潜在问题。 I don't have an explanation for this surfacing as the schema error.作为架构错误,我没有对此进行解释。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.