
Commit a40e1f2

shane-bordenShane Bordencofin
authored
fix(mssql): Azure user permission fix (#476)
* Fix: Update user logic for Azure SQL DB * Fix: Syntax error for SUBSTRING directive * fix: missing input variable for AZURE SQL Database * Update scripts/collector/sqlserver/createUserWithSQLAuth.ps1 Co-authored-by: Cody Fincher <[email protected]> Signed-off-by: Shane Borden <[email protected]> --------- Signed-off-by: Shane Borden <[email protected]> Co-authored-by: Shane Borden <[email protected]> Co-authored-by: Cody Fincher <[email protected]>
1 parent f0a2bc4 commit a40e1f2


3 files changed

+80
-47
lines changed


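--- a/scripts/collector/sqlserver/createUserWithSQLAuth.ps1
+++ b/scripts/collector/sqlserver/createUserWithSQLAuth.ps1
@@ -94,7 +94,7 @@ if (([string]::IsNullorEmpty($port)) -or ($port -eq "default")) {
 
 ### If Azure, need to get a list of databases from master and log in to each individually to create the user
 if ($isCloudOrLinuxHost -eq "AZURE") {
-$dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all")
+$dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all" -v hasdbaccess=1)
 foreach ($databaseName in $dbNameArray) {
 WriteLog -logMessage "Adding collection user into the following databases:" -logOperation "MESSAGE"
 WriteLog -logMessage " $databaseName" -logOperation "MESSAGE"
@@ -111,9 +111,9 @@ else {
 
 ### If Azure, need to get a list of databases from master and log in to each individually to create the user
 if ($isCloudOrLinuxHost -eq "AZURE") {
-$dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all")
+$dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all" -v hasdbaccess=1)
 foreach ($databaseName in $dbNameArray) {
-WriteLog -logMessage "Adding collection user into the following databases:" -logOperation "MESSAGE"
+WriteLog -logMessage "Adding Azure collection user into the following databases:" -logOperation "MESSAGE"
 WriteLog -logMessage " $databaseName" -logOperation "MESSAGE"
 }
 foreach ($databaseName in $dbNameArray) {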
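Review bot: The rewritten sqlcmd invocations at new lines 97 and 114 still hand the collection password to the process via `-P $collectionUserPass`, so it remains readable in local process listings and can be captured in shell transcripts; this predates the commit, but since both lines are being rewritten anyway it is the natural moment to drop `-P` and supply the secret through the `SQLCMDPASSWORD` environment variable that sqlcmd reads instead. Separately, in both hunks the `WriteLog -logMessage "Adding ... collection user into the following databases:"` header sits inside the `foreach`, so it is repeated once per database; hoisting that one line above the loop yields a single header followed by the list. The two hunks are otherwise verbatim copies of each other, so the `-v hasdbaccess=1` filter (getDBList.sql, which consumes it, is not on this page) now has to be kept in sync in two places; a small helper that builds the sqlcmd argument list once would remove that risk.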

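--- a/scripts/collector/sqlserver/sql/addCollectionUserToDatabase.sql
+++ b/scripts/collector/sqlserver/sql/addCollectionUserToDatabase.sql
@@ -31,9 +31,20 @@ SELECT @CLOUDTYPE = 'NONE';
 IF UPPER(@@VERSION) LIKE '%AZURE%'
 SELECT @CLOUDTYPE = 'AZURE'
 
+IF @CLOUDTYPE = 'AZURE'
 BEGIN
-IF @CLOUDTYPE = 'AZURE'
-BEGIN
-exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
-END;
+BEGIN TRY
+exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
+END TRY
+BEGIN CATCH
+SELECT
+host_name() as host_name,
+db_name() as database_name,
+'Execute Create User in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+END CATCH
 END;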
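Review bot: The `CREATE USER` at new line 37 still executes unconditionally, so on a re-run against a database where the user already exists the new CATCH block would report the "already exists" failure as an error row, indistinguishable from a real permission problem; createCollectionUser.sql in this same commit guards the identical statement with an existence check, and the same guard belongs here, `IF NOT EXISTS (SELECT name FROM sys.database_principals WHERE name = @COLLECTION_USER)` placed immediately before `BEGIN TRY`. While that line is being touched, the user name is spliced into the dynamic SQL as `'[' + @COLLECTION_USER + ']'`; `QUOTENAME(@COLLECTION_USER)` yields a correctly escaped bracket identifier for any value of the variable, including one that itself contains `]`, and removes the hand-rolled quoting. The CATCH also only SELECTs the error and does not re-raise, so the batch completes successfully and the PowerShell caller has no exit-status signal that the user was not created; consider ending the CATCH with `THROW;`, or at least documenting that the caller must inspect the returned result set.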

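--- a/scripts/collector/sqlserver/sql/createCollectionUser.sql
+++ b/scripts/collector/sqlserver/sql/createCollectionUser.sql
@@ -24,7 +24,7 @@ DECLARE @COLLECTION_PASS VARCHAR(256);
 DECLARE @PRODUCT_VERSION AS INTEGER;
 DECLARE @CLOUDTYPE AS VARCHAR(256);
 
-DECLARE db_cursor CURSOR FOR
+DECLARE db_cursor CURSOR LOCAL FOR
 SELECT name
 FROM sys.databases
 WHERE name NOT IN ('model','msdb','tempdb','distribution','reportserver', 'reportservertempdb','resource','rdsadmin')
@@ -40,7 +40,8 @@ IF UPPER(@@VERSION) LIKE '%AZURE%'
 SELECT @CLOUDTYPE = 'AZURE'
 
 BEGIN
-IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = @COLLECTION_USER)
+IF DB_NAME() = 'master'
+IF NOT EXISTS (SELECT name FROM sys.sql_logins WHERE name = @COLLECTION_USER)
 BEGIN TRY
 IF @CLOUDTYPE = 'AZURE'
 exec ('CREATE LOGIN [' + @COLLECTION_USER + '] WITH PASSWORD=N''' + @COLLECTION_PASS + '''');
@@ -70,41 +71,47 @@ BEGIN
 SELECT
 host_name() as host_name,
 db_name() as database_name,
-'Execute Grant in master DB' as module_name,
+'Execute SERVER ROLE Grant in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 END CATCH
+END
+BEGIN
 IF @CLOUDTYPE <> 'AZURE'
+BEGIN
 BEGIN TRY
-exec ('GRANT VIEW SERVER STATE TO [' + @COLLECTION_USER + ']');
-exec ('GRANT VIEW ANY DATABASE TO [' + @COLLECTION_USER + ']');
-exec ('GRANT VIEW ANY DEFINITION TO [' + @COLLECTION_USER + ']');
+exec ('GRANT VIEW SERVER STATE TO [' + @COLLECTION_USER + ']');
+exec ('GRANT VIEW ANY DATABASE TO [' + @COLLECTION_USER + ']');
+exec ('GRANT VIEW ANY DEFINITION TO [' + @COLLECTION_USER + ']');
 END TRY
 BEGIN CATCH
 SELECT
-host_name() as host_name,
-db_name() as database_name,
-'Execute Grant in master DB' as module_name,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+host_name() as host_name,
+db_name() as database_name,
+'Execute Grant in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 END CATCH
 IF @PRODUCT_VERSION > 11
 BEGIN TRY
 exec ('GRANT SELECT ALL USER SECURABLES TO [' + @COLLECTION_USER + ']');
 END TRY
 BEGIN CATCH
 SELECT
-host_name() as host_name,
-db_name() as database_name,
-'Execute Grant in master DB' as module_name,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+host_name() as host_name,
+db_name() as database_name,
+'Execute USER SECURABLE Grant in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 END CATCH
 IF @PRODUCT_VERSION > 15
 BEGIN TRY
@@ -115,24 +122,44 @@ BEGIN
 END TRY
 BEGIN CATCH
 SELECT
+host_name() as host_name,
+db_name() as database_name,
+'Execute VIEW SERVER Grant in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+END CATCH
+END;
+END;
+
+IF @CLOUDTYPE = 'AZURE'
+BEGIN
+IF NOT EXISTS (SELECT name FROM sys.sysusers WHERE name = @COLLECTION_USER)
+BEGIN TRY
+exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
+END TRY
+BEGIN CATCH
+SELECT
 host_name() as host_name,
 db_name() as database_name,
-'Execute Grant in master DB' as module_name,
+'Execute Create User in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
 SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
-END CATCH
+END CATCH
 END;
 
 IF @CLOUDTYPE <> 'AZURE'
+BEGIN
 OPEN db_cursor
 FETCH NEXT FROM db_cursor INTO @dbname
-
 WHILE @@FETCH_STATUS = 0
-BEGIN
 BEGIN TRY
-exec ('
+exec ('
 use [' + @dbname + '];
 IF NOT EXISTS (SELECT [name]
 FROM [sys].[database_principals]
@@ -141,24 +168,19 @@ IF @CLOUDTYPE <> 'AZURE'
 CREATE USER [' + @COLLECTION_USER + '] FOR LOGIN [' + @COLLECTION_USER + '];
 END;
 GRANT VIEW DATABASE STATE TO [' + @COLLECTION_USER + '];');
-FETCH NEXT FROM db_cursor INTO @dbname;
 END TRY
 BEGIN CATCH
 SELECT
-host_name() as host_name,
-@dbname as used_db_name,
-db_name() as current_database_name,
-'Execute Grant in individual DB' as module_name,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+host_name() as host_name,
+@dbname as used_db_name,
+db_name() as current_database_name,
+'Execute Grant in ' + DB_NAME() + ' DB' as module_name,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 END CATCH
-END;
+FETCH NEXT FROM db_cursor INTO @dbname;
 CLOSE db_cursor
 DEALLOCATE db_cursor
-
-IF @CLOUDTYPE = 'AZURE'
-BEGIN
-exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
-END;
+END;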
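Review bot: The non-Azure cursor loop in the last hunk no longer terminates: the `BEGIN` (old line 133) and `END;` (old line 157) that enclosed the `WHILE @@FETCH_STATUS = 0` body were removed, so the loop body is now only the TRY/CATCH block, and the `FETCH NEXT FROM db_cursor INTO @dbname;` moved to new line 183 sits after the loop rather than at the bottom of each iteration. With the fetch that used to live inside the TRY (old line 144) also gone, @@FETCH_STATUS never changes after the first successful fetch and the grant batch is re-executed against the first database indefinitely. Restore the block so the fetch is inside it: `WHILE @@FETCH_STATUS = 0` followed by `BEGIN` before `BEGIN TRY`, and `END;` placed after the `FETCH NEXT` line and before `CLOSE db_cursor`. Moving the fetch out of the TRY was the right instinct, since a failing grant previously skipped it and re-looped on the same database, but it needs the enclosing BEGIN/END to take effect. Also, the new existence check at new line 139 uses the deprecated `sys.sysusers` compatibility view while the cursor body at line 165 uses `[sys].[database_principals]`; using the latter in both places keeps the file consistent, and the new `CREATE USER` at line 141 would be safer built with `QUOTENAME(@COLLECTION_USER)` than with hand-placed brackets.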
