
[RDBMS] az postgres flexible-server create: Bug fix, generating password when password auth is disabled. Support adding admin during create if Microsoft Entra is enabled. #30999

Open. Wants to merge 19 commits into base: dev.
Conversation

@nasc17 (Member) commented Mar 10, 2025

Related command
az postgres flexible-server create

Description
Fix flexible-server create generating a password when --password-auth is Disabled.
Update text that references Active Directory auth and change it to Microsoft Entra.
Add the ability to add an admin during create if Microsoft Entra is enabled.

Testing Guide
az postgres flexible-server create -h

Arguments
    --active-directory-auth      : Whether Microsoft Entra authentication is enabled.  Allowed
                                   values: Disabled, Enabled.  Default: Disabled.
    --address-prefixes           : The IP address prefix to use when creating a new virtual network
                                   in CIDR format. Default value is 10.0.0.0/16.
    --admin-display-name -m      : Display name of the Microsoft Entra administrator user or group.
    --admin-object-id -i         : The unique ID of the Microsoft Entra administrator.
    --admin-type -t              : Type of the Microsoft Entra administrator.  Allowed values:
                                   Group, ServicePrincipal, Unknown, User.

Create a PostgreSQL flexible server with Microsoft Entra auth only and primary administrator
specified.

    # create flexible server with aad only auth and password auth disabled with primary administrator specified
    az postgres flexible-server create -g testGroup -n testServer --location testLocation \
      --active-directory-auth Enabled --password-auth Disabled \
      --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com \
      --admin-type User

az postgres flexible-server create -g testGroup -n test-default --location location

Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-default -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "connectionString": "postgresql://bubblypepper8:password@test-default.postgres.database.azure.com/flexibleserverdb?sslmode=require",
  "databaseName": "flexibleserverdb",
  "host": "test-default.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-default",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "bubblypepper8",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra --location location --create-default-database Disabled --active-directory-auth Enabled

Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-msentra -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": null,
  "connectionString": "postgresql://selfishsalt4:password@test-msentra.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "selfishsalt4",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-only --location location --create-default-database Disabled --active-directory-auth Enabled --password-auth Disabled

Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": null,
  "connectionString": "postgresql://<admin>@test-msentra-only.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-only.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-only",
  "location": "Location",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-admin --location location --create-default-database Disabled --active-directory-auth Enabled --password-auth Disabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com --admin-type User

Creating PostgreSQL Server 'test-msentra-admin' in group 'testGroup'...
Add Microsoft Entra Admin 'john@contoso.com'.
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": "john@contoso.com",
  "connectionString": "postgresql://john@contoso.com@test-msentra-admin.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-admin.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-admin",
  "location": "Location",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-password-admin --location location --create-default-database Disabled --active-directory-auth Enabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com --admin-type User

Creating PostgreSQL Server 'test-msentra-password-admin' in group 'testGroup'...
Add Microsoft Entra Admin 'john@contoso.com'.
Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-msentra-password-admin -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": "john@contoso.com",
  "connectionString": "postgresql://anxiousgranola3:password@test-msentra-password-admin.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-password-admin.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-password-admin",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "anxiousgranola3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n nasc-test --location location --create-default-database Disabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com --admin-type User
To provide values for --admin-object-id, --admin-display-name, and --admin-type please set --active-directory-auth to "Enabled".

az postgres flexible-server create -g testGroup -n nasc-test7 --location location --create-default-database Disabled --active-directory-auth Enabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com
To add Microsoft Entra admin, please provide values for --admin-object-id, --admin-display-name, and --admin-type.

History Notes
[RDBMS] az postgres flexible-server create: Bug fix, no longer generate password when --password-auth is Disabled. Support adding admin during create if --active-directory-auth is Enabled.


@yonzhan (Collaborator) commented Mar 10, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.


The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@nasc17 (Member, Author) commented Mar 11, 2025

@evelyn-ys can you please trigger checks

@@ -132,7 +136,10 @@ def flexible_server_create(cmd, client,
high_availability = postgresql_flexibleservers.models.HighAvailability(mode=high_availability,
standby_availability_zone=standby_availability_zone)

administrator_login_password = generate_password(administrator_login_password)
is_password_auth_enabled = bool(password_auth is not None and password_auth.lower() == 'enabled')
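Review bot: in this hunk `is_password_auth_enabled` is computed only after `administrator_login_password = generate_password(administrator_login_password)` has already run, so if that call stays unconditional a password is still generated when --password-auth is Disabled, which is the bug the PR title describes; compute the flag first and gate the call with `if is_password_auth_enabled:`. The flag also treats any value other than the literal 'enabled' (case-insensitive) as disabled, and when Microsoft Entra auth is disabled as well the create call reaches the service's InvalidAuthConfigParameterCombinationValue rejection quoted below, so a client-side check that at least one of the two is Enabled belongs next to this line.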
@nachoalonsoportillo (Contributor) commented Mar 11, 2025

We should validate that either or both password-based and Microsoft Entra authentication are enabled, to avoid getting the following error when we hit the create server call below:

Code: InvalidAuthConfigParameterCombinationValue
Message: The provided combination of values for ActiveDirectoryAuthEnabled as false and PasswordAuthEnabled as false is not supported

'host': host,
'database': database,
}
return 'postgresql://{user}@{host}/{database}?sslmode=require'.format(**connection_kwargs)
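Review bot: `return 'postgresql://{user}@{host}/{database}?sslmode=require'.format(**connection_kwargs)` interpolates the user raw, so a Microsoft Entra principal such as john@contoso.com puts a second '@' into the authority and libpq, which ends the userinfo at the first '@', mis-parses the host (the test output above shows exactly this string for test-msentra-admin). Percent-encode the user with `urllib.parse.quote(user, safe='')` before formatting, and since the password is omitted in the Entra-only path, consider a visible `:<access-token>` placeholder so callers know where the token goes; `sslmode=require` encrypts but by default does not verify the server certificate against the host name, so `verify-full` is the stronger default for a generated string.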
Contributor commented:

Let's turn this postgresql://{user}@{host}/{database}?sslmode=require'.format(**connection_kwargs) into this postgresql://{user}:<access-token>@{host}/{database}?sslmode=require'.format(**connection_kwargs).

Also, user must be percent encoded, because the URI parser in Postgres identifies the first @ as the point at which the user/password part ends and the host begins. So, in a case like postgresql://ialonso@microsoft.com@server.postgres.database.azure.com/database?sslmode=require, the client that attempts to use that connection string would assume that the name of the host is microsoft.com@server.postgres.database.azure.com, which is incorrect. However, if we percent-encode the @ as in postgresql://ialonso%40microsoft.com@server.postgres.database.azure.com/database?sslmode=require, then it would work.
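The argument checks behind the testing guide's error messages and the percent-encoding this comment asks for, as an added Python example (not azure-cli's own code; the function names, the simplified libpq-style host splitter, and the defaults are assumptions here, and the `<access-token>` placeholder follows the comment above):

```python
from urllib.parse import quote


def validate_auth_args(password_auth='Enabled', active_directory_auth='Disabled',
                       admin_object_id=None, admin_display_name=None, admin_type=None):
    """Return an error message, or None when the argument combination is valid.
    Defaults assumed to mirror the CLI: password auth on, Microsoft Entra auth off."""
    password_enabled = (password_auth or '').lower() == 'enabled'
    entra_enabled = (active_directory_auth or '').lower() == 'enabled'
    admin_args = (admin_object_id, admin_display_name, admin_type)
    if not password_enabled and not entra_enabled:
        # The service rejects this with InvalidAuthConfigParameterCombinationValue;
        # catching it client-side avoids a failed create call.
        return 'At least one of --password-auth or --active-directory-auth must be Enabled.'
    if any(admin_args) and not entra_enabled:
        return ('To provide values for --admin-object-id, --admin-display-name, and '
                '--admin-type please set --active-directory-auth to "Enabled".')
    if any(admin_args) and not all(admin_args):
        return ('To add Microsoft Entra admin, please provide values for '
                '--admin-object-id, --admin-display-name, and --admin-type.')
    return None


def connection_string(user, host, database, password=None):
    """Build the libpq URI; user and password are percent-encoded so an '@' in an
    Entra principal name cannot be read as the userinfo/host separator."""
    userinfo = quote(user, safe='')
    # '<access-token>' is the placeholder proposed in the review for token login.
    userinfo += ':' + (quote(password, safe='') if password else '<access-token>')
    return f'postgresql://{userinfo}@{host}/{database}?sslmode=require'


def libpq_style_host(uri):
    """Host as libpq's URI parser sees it (simplified model, an assumption here):
    the userinfo ends at the FIRST '@' that precedes any '/'."""
    rest = uri.split('://', 1)[1]
    at, slash = rest.find('@'), rest.find('/')
    if at != -1 and (slash == -1 or at < slash):
        rest = rest[at + 1:]
    hostport = rest.split('/', 1)[0].split('?', 1)[0]
    return hostport.split(':', 1)[0]
```

Running `libpq_style_host` over the unencoded string from the test output above returns `contoso.com@test-msentra-admin.postgres.database.azure.com`, the wrong host the comment describes; over the encoded string it returns the real host.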
