Sqlserver input: require authentication method to be specified (#9388)

2021-07-07 13:09:52 -06:00 · 2021-07-07 13:09:52 -06:00 · 537ac63c68
parent c56a652b4d
commit 537ac63c68
3 changed files with 27 additions and 10 deletions
--- a/plugins/inputs/sqlserver/README.md
+++ b/plugins/inputs/sqlserver/README.md
@ -52,6 +52,10 @@ GO
    "Server=192.168.1.10;Port=1433;User Id=<user>;Password=<pw>;app name=telegraf;log=1;",
  ]

+  ## Authentication method
+  ## valid methods: "connection_string", "AAD"
+  # auth_method = "connection_string"
+
  ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2
  ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type.
  ## Possible values for database_type are - "AzureSQLDB" or "AzureSQLManagedInstance" or "SQLServer"
@ -197,11 +201,12 @@ EXECUTE ('GRANT VIEW DATABASE STATE TO [<Monitoring_VM_Name>]')
 - On the SQL Server resource of the database(s) being monitored, go to "Firewalls and Virtual Networks" tab and allowlist the monitoring VM IP address.
 - On the Monitoring VM, update the telegraf config file with the database connection string in the following format. Please note AAD based auth is currently only supported for Azure SQL Database and Azure SQL Managed Instance (but not for SQL Server), as described [here](https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview#authentication).
 - On the Monitoring VM, update the telegraf config file with the database connection string in the following format.
- On the Monitoring VM, update the telegraf config file with the database connection string in the following format. The connection string only provides the server and database name, but no password (since the VM's system-assigned managed identity would be used for authentication).
+- On the Monitoring VM, update the telegraf config file with the database connection string in the following format. The connection string only provides the server and database name, but no password (since the VM's system-assigned managed identity would be used for authentication). The auth method must be set to "AAD"
 ```toml
  servers = [
    "Server=<Azure_SQL_Server_Name>.database.windows.net;Port=1433;Database=<Azure_SQL_Database_Name>;app name=telegraf;log=1;",
  ]
+  auth_method = "AAD"
 ```
 - Please note AAD based auth is currently only supported for Azure SQL Database and Azure SQL Managed Instance (but not for SQL Server), as described [here](https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview#authentication).

--- a/plugins/inputs/sqlserver/sqlserver.go
+++ b/plugins/inputs/sqlserver/sqlserver.go
@ -5,7 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"regexp"
+	"strings"
 	"sync"
 	"time"

@ -19,6 +19,7 @@ import (
 // SQLServer struct
 type SQLServer struct {
 	Servers      []string `toml:"servers"`
+	AuthMethod   string   `toml:"auth_method"`
 	QueryVersion int      `toml:"query_version"`
 	AzureDB      bool     `toml:"azuredb"`
 	DatabaseType string   `toml:"database_type"`
@ -80,6 +81,10 @@ servers = [
  "Server=192.168.1.10;Port=1433;User Id=<user>;Password=<pw>;app name=telegraf;log=1;",
 ]

+## Authentication method
+## valid methods: "connection_string", "AAD"
+# auth_method = "connection_string"
+
 ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2
 ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type.
 ## Possible values for database_type are - "AzureSQLDB" or "AzureSQLManagedInstance" or "SQLServer"
@ -286,11 +291,11 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error {
 	for _, serv := range s.Servers {
 		var pool *sql.DB

-		// setup connection based on authentication
-		rx := regexp.MustCompile(`\b(?:(Password=((?:&(?:[a-z]+|#[0-9]+);|[^;]){0,})))\b`)
-
-		// when password is provided in connection string, use SQL auth
-		if rx.MatchString(serv) {
+		switch strings.ToLower(s.AuthMethod) {
+		case "connection_string":
+			// Use the DSN (connection string) directly. In this case,
+			// empty username/password causes use of Windows
+			// integrated authentication.
 			var err error
 			pool, err = sql.Open("mssql", serv)

@ -298,8 +303,8 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error {
 				acc.AddError(err)
 				continue
 			}
-		} else {
-			// otherwise assume AAD Auth with system-assigned managed identity (MSI)
+		case "aad":
+			// AAD Auth with system-assigned managed identity (MSI)

 			// AAD Auth is only supported for Azure SQL Database or Azure SQL Managed Instance
 			if s.DatabaseType == "SQLServer" {
@ -322,6 +327,8 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error {
 			}

 			pool = sql.OpenDB(connector)
+		default:
+			return fmt.Errorf("unknown auth method: %v", s.AuthMethod)
 		}

 		s.pools = append(s.pools, pool)
@ -553,6 +560,9 @@ func (s *SQLServer) refreshToken() (*adal.Token, error) {

 func init() {
 	inputs.Add("sqlserver", func() telegraf.Input {
-		return &SQLServer{Servers: []string{defaultServer}}
+		return &SQLServer{
+			Servers:    []string{defaultServer},
+			AuthMethod: "connection_string",
+		}
 	})
 }
--- a/plugins/inputs/sqlserver/sqlserver_test.go
+++ b/plugins/inputs/sqlserver/sqlserver_test.go
@ -191,11 +191,13 @@ func TestSqlServer_HealthMetric(t *testing.T) {
 		Servers:      []string{fakeServer1, fakeServer2},
 		IncludeQuery: []string{"DatabaseSize", "MemoryClerk"},
 		HealthMetric: true,
+		AuthMethod:   "connection_string",
 	}

 	s2 := &SQLServer{
 		Servers:      []string{fakeServer1},
 		IncludeQuery: []string{"DatabaseSize"},
+		AuthMethod:   "connection_string",
 	}

 	// acc1 should have the health metric because it is specified in the config