I'm actually working on a client's project we are connecting Azure SQL DB via service principal authentication. Our client has given us access to Azure SQL and they have given us the credential for it. so to connect to Azure SQL we're using Microsoft's mssql-django package.
so this is what the DB configurations look like.
DATABASES = {
'default': {
'ENGINE': 'mssql',
'NAME': <db_name>,
'USER': <db_user>,
'PASSWORD': <db_password>,
'HOST': "<url>.database.windows.net",
'PORT': '1433',
'OPTIONS': {
'driver': 'ODBC Driver 17 for SQL Server',
'connection_timeout':60,
'connection_retries':3,
"extra_params": "Authentication=ActiveDirectoryServicePrincipal",
},
}
so when I'm trying to run the migrate command I'm getting the below error
raise MigrationSchemaMissing(
django.db.migrations.exceptions.MigrationSchemaMissing: Unable to create the django_migrations table (('42000', '[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The specified schema name "<db_user>#<azure_tenant_id>" either does not exist or you do not have permission to use it. (2760) (SQLExecDirectW)'))
by looking at the error we can definitely say that either the schema is not created or the DB user that they have given us does not have permission to create the tables in the DB.
can anyone please suggest what could be going wrong, this is definitely not an issue from the Django or from the django-mssql package but an issue from the Azure side. If it's an issue from the Azure side then I can reach out to our client and ask them to fix it from their end. As I do not have much experience with Azure/AzureSQL any advice would really help me.
Thank you in advance.
UPDATE 1:
when I logged into the database and without giving schema when I tried to create tables manually from the SQL server it gave me the permission error. My hunch is that with service principal when I run the migrate command it's not picking the default schema and maybe that's why it could be giving the error.
UPDATE 2
when I logged in through my user account and when I ran the select SCHEMA_NAME() SQL command it gave me the result as null. which means that there is no default schema that has been assigned to my user account. Similarly, I guess the user that the client has given will not have a default schema assigned and maybe that's why when I ran the Django migrate command it was unable to find a schema and gave the error - The specified schema name <db_user>#<azure_tenant_id> either does not exist.
But now my question is as you can see when I ran the Django migrate command, mssql-django with service principal actually looked for the schema db_user>#<azure_tenant_id>, does SQL server support this kind of schema name? Also when i checked the available schemas in the DB I did not see any schema with the name <db_user>#<azure_tenant_id>.
Well, my guess was correct, there was no schema that was assigned to our service principal. I reached out to the infra team of our client and asked them to set dbo as the default schema for the AD group. After setting the dbo as the default schema, I was able to successfully run the initial migration in Django.
Related
I have a SQL database created and I am trying to deploy/move that database to the Azure Cloud by using the Deploy Database to SQL Azure Wizard in SQL Server Management Studio. But I have ran into an error after trying to deploy it. I am using the SQL Authentication to log in with my credentials. I also tried installing the Data Migration Application.
The error is:
TITLE: Microsoft SQL Server Management Studio
One or more unsupported elements were found in the schema used as part of a data package.
Error SQL71624: The permission 'CONNECT' is not valid for the target object 'guest' in Microsoft Azure SQL Database v12.
(Microsoft.SqlServer.Dac)
BUTTONS:
OK
I don't understand what this error means and also I don't understand why this error is happening. I looked on the internet for possible solutions but could not find any information. Please help me.
SQL Azure and regular SQL Server aren't entirely compatible.
One of the things that is enabled on regular SQL Server is the guest login. This login allows connection to instance, with a default database of master. Once connected, the user can switch to a different database (use [thedatabase]) if they have the authority to do so.
But in SQL Azure, you connect directly to a single database, and can't switch databases on the connection. So the guest account has no function.
On your source instance (the one you want to migrate), you can revoke this ability so that the wizard won't try to migrate it. Execute revoke connect from guest on your on premise instance.
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code
II am migrating an existing SQL Server 2014 DB to Azure. Always failing so I ran Data Migration Assistant to Assess the DB compactibility and I get this result.
Cannot still figure out how to solved that.
User: [eAgricDBUser] has an unresolved reference to Login [eAgricDBUser].
The error occurs because it's referring to logins that existed in the source SQL Server instance but not in your target Azure SQL DB instance (logical master).
Suggest you think about how your users should access the database now that it is in Azure SQL DB. Contained users are helpful here as they can be moved around to any server and still function. AD users are even better but you'll need to have your on-premises AD integrated with Azure AD. Both save you lots of headaches with login migrations.
Alternatively, you can create the required logins in master before you run the database migration scripts which contain create user statements. Note that you will be creating them with a new password so you will need to provide that to the users plus you'll need some way for the users to change that to their own password.
We have a windows service that provisions Azure SQL databases for our clients. We are using Microsoft.WindowsAzure.Management.Sql API for this. Our service creates the SQL Server instance and deploys the schema using a DACPAC.
When running recently we received the following warning during the DACPAC deployment step:
Warning - Database 'AG61_xxxxx' on server 'xxxxxx.database.windows.net' is not currently available. Please retry the connection later. If the problem persists, contact customer support, and provide them the session tracing ID of '{xxxxxxxx-C7D7-4504-AF25-4C3AC020BE90}'. (73144)
The problem we have is that this database is now left in an inconsistent state:
It isn't listed in the Azure Portal under databases.
The Azure API doesn't return it in list of databases on the server.
Attempting to recreate the same database on the same server, either via code OR via the Azure Portal, returns
Database 'AG61_xxxxx' already exists. Choose a different database name.
However, I can log into SSMS as the admin user and see the database listed. If I try to delete it I receive the following error:
Failed to connect to server. (Microsoft.SqlServer.Smo)
Additional information:
Database 'AG61_xxxxx' on server 'xxxxxxxxxx' is not currently available. Please retry the connection later. If the problem persists, contact customer support, and provide them the session tracing ID of 'FBE26206-C3B6-4771-B0EF-4BCA9C154F28'. (Microsoft SQL Server, Error: 40613)
According to Microsoft, error 40613 is transiant and should only last a few seconds. We've been unable to do anything with this database for 3 days.
Has anyone else experienced this? I'd like to know if there is something we can do to recover the database on this server such that we don't have to have the client change their connection strings etc.
I'd also like to know if there is anything I could do in future to mitigate this happening again.
I am using Sql server 2008-r2 and connect it using windows authentication.
when i create database then i am getting error
Create database permission denied in database Master
What may be the reason of it and how can it be resolved?
I even forgot the sql server authentication password also to connect it.
Go into the master security settings and try to give your user SA permissions.
It may be that your Windows Authentication has security rights, but not create rights.
If that doesn't work, you might have to install a new instance of SSMS and create a linked server to the data that you need.
PS: This should be a comment, but I can't make comments for another 7 reputation.