diff --git a/plugins/inputs/sqlserver/README.md b/plugins/inputs/sqlserver/README.md index d5ad22ee7..10f606458 100644 --- a/plugins/inputs/sqlserver/README.md +++ b/plugins/inputs/sqlserver/README.md @@ -52,6 +52,10 @@ GO "Server=192.168.1.10;Port=1433;User Id=;Password=;app name=telegraf;log=1;", ] + ## Authentication method + ## valid methods: "connection_string", "AAD" + # auth_method = "connection_string" + ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2 ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type. ## Possible values for database_type are - "AzureSQLDB" or "AzureSQLManagedInstance" or "SQLServer" @@ -197,11 +201,12 @@ EXECUTE ('GRANT VIEW DATABASE STATE TO []') - On the SQL Server resource of the database(s) being monitored, go to "Firewalls and Virtual Networks" tab and allowlist the monitoring VM IP address. - On the Monitoring VM, update the telegraf config file with the database connection string in the following format. Please note AAD based auth is currently only supported for Azure SQL Database and Azure SQL Managed Instance (but not for SQL Server), as described [here](https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview#authentication). - On the Monitoring VM, update the telegraf config file with the database connection string in the following format. -- On the Monitoring VM, update the telegraf config file with the database connection string in the following format. The connection string only provides the server and database name, but no password (since the VM's system-assigned managed identity would be used for authentication). +- On the Monitoring VM, update the telegraf config file with the database connection string in the following format. The connection string only provides the server and database name, but no password (since the VM's system-assigned managed identity would be used for authentication). The auth method must be set to "AAD" ```toml servers = [ "Server=.database.windows.net;Port=1433;Database=;app name=telegraf;log=1;", ] + auth_method = "AAD" ``` - Please note AAD based auth is currently only supported for Azure SQL Database and Azure SQL Managed Instance (but not for SQL Server), as described [here](https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview#authentication). diff --git a/plugins/inputs/sqlserver/sqlserver.go b/plugins/inputs/sqlserver/sqlserver.go index 7da1218c0..95f6f9b9a 100644 --- a/plugins/inputs/sqlserver/sqlserver.go +++ b/plugins/inputs/sqlserver/sqlserver.go @@ -5,7 +5,7 @@ import ( "errors" "fmt" "log" - "regexp" + "strings" "sync" "time" @@ -19,6 +19,7 @@ import ( // SQLServer struct type SQLServer struct { Servers []string `toml:"servers"` + AuthMethod string `toml:"auth_method"` QueryVersion int `toml:"query_version"` AzureDB bool `toml:"azuredb"` DatabaseType string `toml:"database_type"` @@ -80,6 +81,10 @@ servers = [ "Server=192.168.1.10;Port=1433;User Id=;Password=;app name=telegraf;log=1;", ] +## Authentication method +## valid methods: "connection_string", "AAD" +# auth_method = "connection_string" + ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2 ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type. ## Possible values for database_type are - "AzureSQLDB" or "AzureSQLManagedInstance" or "SQLServer" @@ -286,11 +291,11 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error { for _, serv := range s.Servers { var pool *sql.DB - // setup connection based on authentication - rx := regexp.MustCompile(`\b(?:(Password=((?:&(?:[a-z]+|#[0-9]+);|[^;]){0,})))\b`) - - // when password is provided in connection string, use SQL auth - if rx.MatchString(serv) { + switch strings.ToLower(s.AuthMethod) { + case "connection_string": + // Use the DSN (connection string) directly. In this case, + // empty username/password causes use of Windows + // integrated authentication. var err error pool, err = sql.Open("mssql", serv) @@ -298,8 +303,8 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error { acc.AddError(err) continue } - } else { - // otherwise assume AAD Auth with system-assigned managed identity (MSI) + case "aad": + // AAD Auth with system-assigned managed identity (MSI) // AAD Auth is only supported for Azure SQL Database or Azure SQL Managed Instance if s.DatabaseType == "SQLServer" { @@ -322,6 +327,8 @@ func (s *SQLServer) Start(acc telegraf.Accumulator) error { } pool = sql.OpenDB(connector) + default: + return fmt.Errorf("unknown auth method: %v", s.AuthMethod) } s.pools = append(s.pools, pool) @@ -553,6 +560,9 @@ func (s *SQLServer) refreshToken() (*adal.Token, error) { func init() { inputs.Add("sqlserver", func() telegraf.Input { - return &SQLServer{Servers: []string{defaultServer}} + return &SQLServer{ + Servers: []string{defaultServer}, + AuthMethod: "connection_string", + } }) } diff --git a/plugins/inputs/sqlserver/sqlserver_test.go b/plugins/inputs/sqlserver/sqlserver_test.go index 3d1ddd309..a9a022bd2 100644 --- a/plugins/inputs/sqlserver/sqlserver_test.go +++ b/plugins/inputs/sqlserver/sqlserver_test.go @@ -191,11 +191,13 @@ func TestSqlServer_HealthMetric(t *testing.T) { Servers: []string{fakeServer1, fakeServer2}, IncludeQuery: []string{"DatabaseSize", "MemoryClerk"}, HealthMetric: true, + AuthMethod: "connection_string", } s2 := &SQLServer{ Servers: []string{fakeServer1}, IncludeQuery: []string{"DatabaseSize"}, + AuthMethod: "connection_string", } // acc1 should have the health metric because it is specified in the config