upgrade mysql flexible-server for passwordless

Author: Netyyyy

articles/mysql/flexible-server/connect-java.md

@@ -17,6 +17,14 @@ ms.date: 01/16/2021
 
 This topic demonstrates creating a sample application that uses Java and [JDBC](https://en.wikipedia.org/wiki/Java_Database_Connectivity) to store and retrieve information in [Azure Database for MySQL Flexible Server](./index.yml).
 
+JDBC is the standard Java API to connect to traditional relational databases.
+
+In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and MySQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the MySQL authentication.
+
+Azure AD authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
+
+MySQL authentication uses accounts stored in MySQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in MySQL, you'll need to manage the rotation of the passwords by yourself.
+
 ## Prerequisites
 
 - An Azure account with an active subscription. 
@@ -32,67 +40,286 @@ We are going to use environment variables to limit typing mistakes, and to make
 
 Set up those environment variables by using the following commands:
 
+### [Passwordless (Recommended)](#tab/passwordless)
+
+```bash
+export AZ_RESOURCE_GROUP=database-workshop
+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>
+export AZ_LOCATION=<YOUR_AZURE_REGION>
+export AZ_MYSQL_AD_NON_ADMIN_USERNAME=demo-non-admin
+export AZ_USER_IDENTITY_NAME=<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>
+export CURRENT_USERNAME=$(az ad signed-in-user show --query userPrincipalName -o tsv)
+export CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv)
+```
+
+Replace the placeholders with the following values, which are used throughout this article:
+
+- `<YOUR_DATABASE_NAME>`: The name of your MySQL server. It should be unique across Azure.
+- `<YOUR_AZURE_REGION>`: The Azure region you'll use. You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by entering `az account list-locations`.
+- `<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>`: The name of your user assigned managed identity server. It should be unique across Azure.
+
+### [Password](#tab/password)
+
 ```bash
-AZ_RESOURCE_GROUP=database-workshop
-AZ_DATABASE_NAME= flexibleserverdb
-AZ_LOCATION=<YOUR_AZURE_REGION>
-AZ_MYSQL_USERNAME=demo
-AZ_MYSQL_PASSWORD=<YOUR_MYSQL_PASSWORD>
-AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>
+export AZ_RESOURCE_GROUP=database-workshop
+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>
+export AZ_LOCATION=<YOUR_AZURE_REGION>
+export AZ_MYSQL_ADMIN_USERNAME=demo
+export AZ_MYSQL_ADMIN_PASSWORD=<YOUR_MYSQL_ADMIN_PASSWORD>
+export AZ_MYSQL_NON_ADMIN_USERNAME=demo-non-admin
+export AZ_MYSQL_NON_ADMIN_PASSWORD=<YOUR_MYSQL_NON_ADMIN_PASSWORD>
 ```
 
 Replace the placeholders with the following values, which are used throughout this article:
 
 - `<YOUR_DATABASE_NAME>`: The name of your MySQL server. It should be unique across Azure.
 - `<YOUR_AZURE_REGION>`: The Azure region you'll use. You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can have the full list of available regions by entering `az account list-locations`.
-- `<YOUR_MYSQL_PASSWORD>`: The password of your MySQL database server. That password should have a minimum of eight characters. The characters should be from three of the following categories: English uppercase letters, English lowercase letters, numbers (0-9), and non-alphanumeric characters (!, $, #, %, and so on).
-- `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Java application. One convenient way to find it is to point your browser to [whatismyip.akamai.com](http://whatismyip.akamai.com/).
+- `<YOUR_MYSQL_ADMIN_PASSWORD>` and `<YOUR_MYSQL_NON_ADMIN_PASSWORD>`: The password of your MySQL database server. That password should have a minimum of eight characters. The characters should be from three of the following categories: English uppercase letters, English lowercase letters, numbers (0-9), and non-alphanumeric characters (!, $, #, %, and so on).
+
+---
 
 Next, create a resource group:
 
 ```azurecli
 az group create \
     --name $AZ_RESOURCE_GROUP \
     --location $AZ_LOCATION \
-    | jq
+    --output tsv
 ```
 
-> [!NOTE]
-> We use the `jq` utility, which is installed by default on [Azure Cloud Shell](https://shell.azure.com/) to display JSON data and make it more readable.
-> If you don't like that utility, you can safely remove the `| jq` part of all the commands we'll use.
-
 ## Create an Azure Database for MySQL instance
 
+### Create a MySQL server and set up admin user
+
 The first thing we'll create is a managed MySQL server.
 
 > [!NOTE]
 > You can read more detailed information about creating MySQL servers in [Create an Azure Database for MySQL server by using the Azure portal](./quickstart-create-server-portal.md).
 
-In [Azure Cloud Shell](https://shell.azure.com/), run the following script:
+#### [Passwordless connection (Recommended)](#tab/passwordless)
+
+If you're using Azure CLI, run the following command to make sure it has sufficient permission:
+
+```bash
+az login --scope https://graph.microsoft.com/.default
+```
+
+Run the following command to create the server:
 
 ```azurecli
 az mysql flexible-server create \
     --resource-group $AZ_RESOURCE_GROUP \
     --name $AZ_DATABASE_NAME \
     --location $AZ_LOCATION \
-    --sku-name Standard_B1ms \
-    --storage-size 5120 \
-    --admin-user $AZ_MYSQL_USERNAME \
-    --admin-password $AZ_MYSQL_PASSWORD \
-    --public-access $AZ_LOCAL_IP_ADDRESS
-    | jq
+    --yes \
+    --output tsv
+```
+
+Run the following command to create user identity for assigning:
+
+```azurecli
+az identity create \
+	--resource-group $AZ_RESOURCE_GROUP \
+	--name $AZ_USER_IDENTITY_NAME
 ```
 
-Make sure your enter \<YOUR-IP-ADDRESS\> in order to access the server from your local machine. This command creates a Burstable Tier MySQL flexible server suitable for development.
+Run the following command to assign the identity to MySQL server for creating Azure AD admin:
+
+```azurecli
+az mysql flexible-server identity assign \
+	--resource-group $AZ_RESOURCE_GROUP \
+	--server-name $AZ_DATABASE_NAME \
+	--identity $AZ_USER_IDENTITY_NAME
+```
+
+Run the following command to set the Azure AD admin user:
+
+```azurecli
+az mysql flexible-server ad-admin create \
+    --resource-group $AZ_RESOURCE_GROUP \
+    --server-name $AZ_DATABASE_NAME \
+    --display-name $CURRENT_USERNAME \
+    --object-id $CURRENT_USER_OBJECTID \
+    --identity $AZ_USER_IDENTITY_NAME
+```
+
+> [!IMPORTANT]
+> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. Only one Azure AD admin can be created per MySQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.
+
+This command creates a small MySQL server and sets the Active Directory admin to the signed-in user.
+
+#### [Password](#tab/password)
+
+```azurecli
+az mysql flexible-server create \
+    --resource-group $AZ_RESOURCE_GROUP \
+    --name $AZ_DATABASE_NAME \
+    --location $AZ_LOCATION \
+    --admin-user $AZ_MYSQL_ADMIN_USERNAME \
+    --admin-password $AZ_MYSQL_ADMIN_PASSWORD \
+    --yes \
+    --output tsv
+```
+
+This command creates a small MySQL server.
+
+---
 
 The MySQL server that you created has a empty database called **flexibleserverdb**. We will use this database for this article.
 
 [Having any issues? Let us know.](https://github.com/MicrosoftDocs/azure-docs/issues)
 
+### Configure a firewall rule for your MySQL server
+
+Azure Database for MySQL instances are secured by default. They have a firewall that doesn't allow any incoming connection.
+
+You can skip this step if you are using bash, because the `flexible-server create` command already detected your local IP address and set it on MySQL server.
+
+But if you're connecting to your MySQL server from WSL on a Windows computer, you'll need to add the WSL host ID to your firewall.
+
+Obtain the IP address of your host machine by running the following command in WSL:
+
+```bash
+cat /etc/resolv.conf
+```
+
+Copy the IP address following the term `nameserver`, then use the following command to set an environment variable for the WSL IP Address:
+
+```bash
+AZ_WSL_IP_ADDRESS=<the-copied-IP-address>
+```
+
+Then, use the following command to open the server's firewall to your WSL-based app:
+
+```azurecli
+az mysql flexible-server firewall-rule create \
+    --resource-group $AZ_RESOURCE_GROUP \
+    --name $AZ_DATABASE_NAME \
+    --start-ip-address $AZ_WSL_IP_ADDRESS \
+    --end-ip-address $AZ_WSL_IP_ADDRESS \
+    --rule-name allowiprange \
+    --output tsv
+```
+
+### Configure a MySQL database
+
+Create a new database called `demo` by using the following command:
+
+```azurecli
+az mysql flexible-server db create \
+    --resource-group $AZ_RESOURCE_GROUP \
+    --database-name demo \
+    --server-name $AZ_DATABASE_NAME \
+    --output tsv
+```
+
+### Create a MySQL non-admin user and grant permission
+
+Next, create a non-admin user and grant all permissions on the `demo` database to it.
+
+> [!NOTE]
+> You can read more detailed information about creating MySQL users in [Create users in Azure Database for MySQL](/azure/mysql/single-server/how-to-create-users).
+
+#### [Passwordless connection (Recommended)](#tab/passwordless)
+
+Create a SQL script called *create_ad_user.sql* for creating a non-admin user. Add the following contents and save it locally:
+
+```bash
+export AZ_MYSQL_AD_NON_ADMIN_USERID=$CURRENT_USER_OBJECTID
+
+cat << EOF > create_ad_user.sql
+SET aad_auth_validate_oids_in_tenant = OFF;
+
+CREATE AADUSER '$AZ_MYSQL_AD_NON_ADMIN_USERNAME' IDENTIFIED BY '$AZ_MYSQL_AD_NON_ADMIN_USERID';
+
+GRANT ALL PRIVILEGES ON demo.* TO '$AZ_MYSQL_AD_NON_ADMIN_USERNAME'@'%';
+
+FLUSH privileges;
+
+EOF
+```
+
+Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+
+```bash
+mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME --enable-cleartext-plugin --password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) < create_ad_user.sql
+```
+
+Now use the following command to remove the temporary SQL script file:
+
+```bash
+rm create_ad_user.sql
+```
+
+#### [Password](#tab/password)
+
+Create a SQL script called *create_user.sql* for creating a non-admin user. Add the following contents and save it locally:
+
+```bash
+cat << EOF > create_user.sql
+
+CREATE USER '$AZ_MYSQL_NON_ADMIN_USERNAME'@'%' IDENTIFIED BY '$AZ_MYSQL_NON_ADMIN_PASSWORD';
+
+GRANT ALL PRIVILEGES ON demo.* TO '$AZ_MYSQL_NON_ADMIN_USERNAME'@'%';
+
+FLUSH PRIVILEGES;
+
+EOF
+```
+
+Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+
+```bash
+mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $AZ_MYSQL_ADMIN_USERNAME --enable-cleartext-plugin --password=$AZ_MYSQL_ADMIN_PASSWORD < create_user.sql
+```
+
+Now use the following command to remove the temporary SQL script file:
+
+```bash
+rm create_user.sql
+```
+
+---
+
 ### Create a new Java project
 
 Using your favorite IDE, create a new Java project, and add a `pom.xml` file in its root directory:
 
+#### [Passwordless connection (Recommended)](#tab/passwordless)
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>com.example</groupId>
+    <artifactId>demo</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <name>demo</name>
+
+    <properties>
+        <java.version>1.8</java.version>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.30</version>
+        </dependency>
+        <dependency>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-identity-providers-jdbc-mysql</artifactId>
+            <version>1.0.0-beta.1</version>
+        </dependency>
+    </dependencies>
+</project>
+```
+
+#### [Password](#tab/password)
+
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -113,29 +340,47 @@ Using your favorite IDE, create a new Java project, and add a `pom.xml` file in
         <dependency>
             <groupId>mysql</groupId>
             <artifactId>mysql-connector-java</artifactId>
-            <version>8.0.20</version>
+            <version>8.0.30</version>
         </dependency>
     </dependencies>
 </project>
 ```
 
+---
+
 This file is an [Apache Maven](https://maven.apache.org/) that configures our project to use:
 
 - Java 8
 - A recent MySQL driver for Java
 
 ### Prepare a configuration file to connect to Azure Database for MySQL
 
-Create a *src/main/resources/application.properties* file, and add:
+Run the following script in the project root directory to create a *src/main/resources/application.properties* file and add configuration details:
 
-```properties
-url=jdbc:mysql://$AZ_DATABASE_NAME.mysql.database.azure.com:3306/demo?serverTimezone=UTC
-user=demo
-password=$AZ_MYSQL_PASSWORD
+#### [Passwordless connection (Recommended)](#tab/passwordless)
+
+```bash
+mkdir -p src/main/resources && touch src/main/resources/application.properties
+
+cat << EOF > src/main/resources/application.properties
+url=jdbc:mysql://${AZ_DATABASE_NAME}.mysql.database.azure.com:3306/demo?sslMode=REQUIRED&serverTimezone=UTC&defaultAuthenticationPlugin=com.azure.identity.providers.mysql.AzureIdentityMysqlAuthenticationPlugin&authenticationPlugins=com.azure.identity.providers.mysql.AzureIdentityMysqlAuthenticationPlugin
+user=${AZ_MYSQL_AD_NON_ADMIN_USERNAME}
+EOF
 ```
 
-- Replace the two `$AZ_DATABASE_NAME` variables with the value that you configured at the beginning of this article.
-- Replace the `$AZ_MYSQL_PASSWORD` variable with the value that you configured at the beginning of this article.
+#### [Password](#tab/password)
+
+```bash
+mkdir -p src/main/resources && touch src/main/resources/application.properties
+
+cat << EOF > src/main/resources/application.properties
+url=jdbc:mysql://${AZ_DATABASE_NAME}.mysql.database.azure.com:3306/demo?useSSL=true&sslMode=REQUIRED&serverTimezone=UTC
+user=${AZ_MYSQL_NON_ADMIN_USERNAME}
+password=${AZ_MYSQL_NON_ADMIN_PASSWORD}
+EOF
+```
+
+---
 
 > [!NOTE]
 > We append `?serverTimezone=UTC` to the configuration property `url`, to tell the JDBC driver to use the UTC date format (or Coordinated Universal Time) when connecting to the database. Otherwise, our Java server would not use the same date format as the database, which would result in an error.

articles/mysql/single-server/connect-java.md

@@ -233,7 +233,7 @@ EOF
 Then, use the following command to run the SQL script to create the Azure AD non-admin user:
 
 ```bash
-mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME@$AZ_DATABASE_NAME --enable-cleartext-plugin --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken` < create_ad_user.sql
+mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME@$AZ_DATABASE_NAME --enable-cleartext-plugin --password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) < create_ad_user.sql
 ```
 
 Now use the following command to remove the temporary SQL script file: