Merge pull request #753 from microsoft/psl-fdpobugfix

Prajwal-Microsoft · web-flow · commit 059dfa7b4c2c · 2025-11-20T17:57:00.000+05:30
fix: FDPO Windows SQL Server interactive auth issue
diff --git a/docs/DeploymentGuide.md b/docs/DeploymentGuide.md
@@ -116,7 +116,6 @@ If you're not using one of the above options for opening the project, then you'l
     - [Docker Desktop](https://www.docker.com/products/docker-desktop/)
     - [Git](https://git-scm.com/downloads)
     - [Microsoft ODBC Driver 18 for SQL Server](https://learn.microsoft.com/en-us/sql/connect/odbc/download-odbc-driver-for-sql-server?view=sql-server-ver16)
-    - [sqlcmd(ODBC-Windows)](https://learn.microsoft.com/en-us/sql/tools/sqlcmd/sqlcmd-utility?view=sql-server-ver16&tabs=odbc%2Cwindows%2Cwindows-support&pivots=cs1-bash#download-and-install-sqlcmd) / [sqlcmd(Linux/Mac)](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-setup-tools?view=sql-server-ver16&tabs=redhat-install)
 
 2. Clone the repository or download the project code via command-line:
 
diff --git a/infra/scripts/index_scripts/assign_sql_roles.py b/infra/scripts/index_scripts/assign_sql_roles.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python3
+"""Assign SQL roles for Azure AD principals (managed identities/service principals) using Azure AD token auth.
+
+Simplified: requires --server and --database provided explicitly (no Key Vault lookup).
+Roles JSON format (single arg):
+[
+    {"clientId":"<guid>", "displayName":"Name", "role":"db_datareader"},
+    {"clientId":"<guid>", "displayName":"Name", "role":"db_datawriter"}
+]
+
+Uses pyodbc + azure-identity (AzureCliCredential)."""
+import argparse
+import json
+import struct
+import sys
+from typing import List, Dict
+
+import pyodbc
+from azure.identity import AzureCliCredential
+
+SQL_COPT_SS_ACCESS_TOKEN = 1256  # msodbcsql.h constant
+
+
+def build_sql(role_items: List[Dict]) -> str:
+    statements = []
+    for idx, item in enumerate(role_items, start=1):
+        client_id = item["clientId"].strip()
+        display_name = item["displayName"].replace("'", "''")
+        role = item["role"].strip()
+        # Construct dynamic SQL similar to prior bash script
+        stmt = f"""
+DECLARE @username{idx} nvarchar(max) = N'{display_name}';
+DECLARE @clientId{idx} uniqueidentifier = '{client_id}';
+DECLARE @sid{idx} NVARCHAR(max) = CONVERT(VARCHAR(max), CONVERT(VARBINARY(16), @clientId{idx}), 1);
+DECLARE @cmd{idx} NVARCHAR(max) = N'CREATE USER [' + @username{idx} + '] WITH SID = ' + @sid{idx} + ', TYPE = E;';
+IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = @username{idx})
+BEGIN
+    EXEC(@cmd{idx})
+END
+EXEC sp_addrolemember '{role}', @username{idx};
+""".strip()
+        statements.append(stmt)
+    return "\n".join(statements)
+
+
+def connect_with_token(server: str, database: str, credential: AzureCliCredential):
+    token_bytes = credential.get_token("https://database.windows.net/.default").token.encode("utf-16-le")
+    token_struct = struct.pack(f"<I{len(token_bytes)}s", len(token_bytes), token_bytes)
+    for driver in ["{ODBC Driver 18 for SQL Server}", "{ODBC Driver 17 for SQL Server}"]:
+        try:
+            conn_str = f"DRIVER={driver};SERVER={server};DATABASE={database};"
+            return pyodbc.connect(conn_str, attrs_before={SQL_COPT_SS_ACCESS_TOKEN: token_struct})
+        except pyodbc.Error:
+            continue
+    raise RuntimeError("Unable to connect using ODBC Driver 18 or 17. Install driver msodbcsql17/18.")
+
+
+def execute_sql(conn, sql: str):
+    cursor = conn.cursor()
+    # Split on GO batches if present (simple handling)
+    batches = []
+    current = []
+    for line in sql.splitlines():
+        if line.strip().upper() == "GO":
+            if current:
+                batches.append("\n".join(current))
+                current = []
+        else:
+            current.append(line)
+    if current:
+        batches.append("\n".join(current))
+
+    for batch in batches:
+        if batch.strip():
+            cursor.execute(batch)
+    conn.commit()
+    cursor.close()
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Assign SQL roles for Azure AD principals.")
+    parser.add_argument("--server", required=True, help="SQL server FQDN (e.g. myserver.database.windows.net)")
+    parser.add_argument("--database", required=True, help="Database name")
+    parser.add_argument("--roles-json", required=True, help="JSON array of role assignment objects")
+    args = parser.parse_args()
+
+    try:
+        role_items = json.loads(args.roles_json)
+        if not isinstance(role_items, list):
+            raise ValueError("roles-json must be a JSON array")
+    except (json.JSONDecodeError, ValueError, KeyError) as e:
+        print(f"Error parsing roles-json: {e}", file=sys.stderr)
+        return 1
+
+    credential = AzureCliCredential()
+
+    try:
+        server, database = args.server, args.database
+        print(f"Target SQL: {server} / {database}")
+        sql = build_sql(role_items)
+        conn = connect_with_token(server, database, credential)
+        print("Connected. Assigning roles...")
+        execute_sql(conn, sql)
+        conn.close()
+        print("Role assignment completed successfully.")
+        return 0
+    except pyodbc.Error as e:
+        print(f"Database error during role assignment: {e}", file=sys.stderr)
+        return 1
+    except (RuntimeError, OSError) as e:
+        print(f"Environment error during role assignment: {e}", file=sys.stderr)
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/infra/scripts/process_sample_data.sh b/infra/scripts/process_sample_data.sh
@@ -617,24 +617,15 @@ echo "copy_kb_files.sh completed successfully."
 
 # Call run_create_index_scripts.sh
 echo "Running run_create_index_scripts.sh"
-bash infra/scripts/run_create_index_scripts.sh "$keyvaultName" "" "" "$resourceGroupName" "$sqlServerName" "$aiSearchName" "$aif_resource_id"
+# Pass SQL managed identity client id and display name so index script can perform role assignment centrally
+bash infra/scripts/run_create_index_scripts.sh "$keyvaultName" "" "" "$resourceGroupName" "$sqlServerName" "$aiSearchName" "$aif_resource_id" "$SqlDatabaseName" "$sqlManagedIdentityDisplayName" "$sqlManagedIdentityClientId"
 if [ $? -ne 0 ]; then
 	echo "Error: run_create_index_scripts.sh failed."
 	exit 1
 fi
 echo "run_create_index_scripts.sh completed successfully."
 
-# Call create_sql_user_and_role.sh
-echo "Running create_sql_user_and_role.sh"
-bash infra/scripts/add_user_scripts/create_sql_user_and_role.sh "$sqlServerName.database.windows.net" "$SqlDatabaseName" '[
-	{"clientId":"'"$sqlManagedIdentityClientId"'", "displayName":"'"$sqlManagedIdentityDisplayName"'", "role":"db_datareader"},
-	{"clientId":"'"$sqlManagedIdentityClientId"'", "displayName":"'"$sqlManagedIdentityDisplayName"'", "role":"db_datawriter"}
-]'
-if [ $? -ne 0 ]; then
-	echo "Error: create_sql_user_and_role.sh failed."
-	exit 1
-fi
-echo "create_sql_user_and_role.sh completed successfully."
+## SQL role assignment now centralized in run_create_index_scripts.sh; removed local duplicate block.
 
 echo "All scripts executed successfully."
 echo "Network access will be restored to original settings..."
diff --git a/infra/scripts/run_create_index_scripts.sh b/infra/scripts/run_create_index_scripts.sh
@@ -8,6 +8,9 @@ resourceGroupName="$4"
 sqlServerName="$5"
 aiSearchName="$6"
 aif_resource_id="$7"
+sqlDatabaseName="$8"
+sqlManagedIdentityDisplayName="${9}"
+sqlManagedIdentityClientId="${10}"
 
 echo "Script Started"
 
@@ -147,9 +150,10 @@ if [ -n "$baseUrl" ] && [ -n "$managedIdentityClientId" ]; then
     requirementFile="requirements.txt"
     requirementFileUrl=${baseUrl}${pythonScriptPath}"requirements.txt"
 
-    # Download the create_index and create table python files
+    # Download the create_index, create table, assign_sql_roles python files
     curl --output "create_search_index.py" ${baseUrl}${pythonScriptPath}"create_search_index.py"
     curl --output "create_sql_tables.py" ${baseUrl}${pythonScriptPath}"create_sql_tables.py"
+    curl --output "assign_sql_roles.py" ${baseUrl}${pythonScriptPath}"assign_sql_roles.py"
 
     # Download the requirement file
     curl --output "$requirementFile" "$requirementFileUrl"
@@ -220,6 +224,28 @@ if [ $? -ne 0 ]; then
     error_flag=true
 fi
 
+# Assign SQL roles to managed identity using Python (pyodbc + azure-identity)
+if [ -n "$sqlManagedIdentityClientId" ] && [ -n "$sqlManagedIdentityDisplayName" ] && [ -n "$sqlDatabaseName" ]; then
+    mi_display_name="$sqlManagedIdentityDisplayName"
+    server_fqdn="$sqlServerName.database.windows.net"
+    roles_json="[{\"clientId\":\"$sqlManagedIdentityClientId\",\"displayName\":\"$mi_display_name\",\"role\":\"db_datareader\"},{\"clientId\":\"$sqlManagedIdentityClientId\",\"displayName\":\"$mi_display_name\",\"role\":\"db_datawriter\"}]"
+    echo "[RoleAssign] Invoking assign_sql_roles.py for roles: db_datareader, db_datawriter"
+
+    role_script_path="${pythonScriptPath}assign_sql_roles.py"
+    if [ -z "$pythonScriptPath" ]; then
+        role_script_path="./assign_sql_roles.py"
+    fi
+    python "$role_script_path" --server "$server_fqdn" --database "$sqlDatabaseName" --roles-json "$roles_json"
+    if [ $? -ne 0 ]; then
+        echo "[RoleAssign] Warning: SQL role assignment failed."
+        error_flag=true
+    else
+        echo "[RoleAssign] SQL roles assignment completed successfully."
+    fi
+else
+    echo "[RoleAssign] Skipped SQL role assignment due to missing required values (sqlManagedIdentityClientId, sqlManagedIdentityDisplayName, sqlDatabaseName)."
+fi
+
 # revert the key vault name and managed identity client id in the python files
 sed -i "s/${keyvaultName}/kv_to-be-replaced/g" ${pythonScriptPath}"create_search_index.py"
 sed -i "s/${keyvaultName}/kv_to-be-replaced/g" ${pythonScriptPath}"create_sql_tables.py"
