fix(mssql): Azure user permission fix (#476)

* Fix: Update user logic for Azure SQL DB * Fix: Syntax error for SUBSTRING directive * fix: missing input variable for AZURE SQL Database * Update scripts/collector/sqlserver/createUserWithSQLAuth.ps1 Co-authored-by: Cody Fincher <[email protected]> Signed-off-by: Shane Borden <[email protected]> --------- Signed-off-by: Shane Borden <[email protected]> Co-authored-by: Shane Borden <[email protected]> Co-authored-by: Cody Fincher <[email protected]>
GoogleCloudPlatform · Jan 16, 2025 · a40e1f2 · a40e1f2
1 parent f0a2bc4
commit a40e1f2
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 47 deletions.
diff --git a/scripts/collector/sqlserver/createUserWithSQLAuth.ps1 b/scripts/collector/sqlserver/createUserWithSQLAuth.ps1
@@ -94,7 +94,7 @@ if (([string]::IsNullorEmpty($port)) -or ($port -eq "default")) {
 
     ### If Azure, need to get a list of databases from master and log in to each individually to create the user
     if ($isCloudOrLinuxHost -eq "AZURE") {
-        $dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all")
+        $dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all" -v hasdbaccess=1)
         foreach ($databaseName in $dbNameArray) {
             WriteLog -logMessage "Adding collection user into the following databases:" -logOperation "MESSAGE"
             WriteLog -logMessage "            $databaseName" -logOperation "MESSAGE"
@@ -111,9 +111,9 @@ else {
 
     ### If Azure, need to get a list of databases from master and log in to each individually to create the user
     if ($isCloudOrLinuxHost -eq "AZURE") {
-        $dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all")
+        $dbNameArray = @(sqlcmd -S $serverName -i sql\getDBList.sql -d master -U $collectionUserName -P $collectionUserPass -C -l 30 -W -m 1 -u -h-1 -w 32768 -v database="all" -v hasdbaccess=1)
         foreach ($databaseName in $dbNameArray) {
-            WriteLog -logMessage "Adding collection user into the following databases:" -logOperation "MESSAGE"
+            WriteLog -logMessage "Adding Azure collection user into the following databases:" -logOperation "MESSAGE"
             WriteLog -logMessage "            $databaseName" -logOperation "MESSAGE"
         }
         foreach ($databaseName in $dbNameArray) {

diff --git a/scripts/collector/sqlserver/sql/addCollectionUserToDatabase.sql b/scripts/collector/sqlserver/sql/addCollectionUserToDatabase.sql
@@ -31,9 +31,20 @@ SELECT @CLOUDTYPE = 'NONE';
 IF UPPER(@@VERSION) LIKE '%AZURE%'
 	SELECT @CLOUDTYPE = 'AZURE'
 
+IF @CLOUDTYPE = 'AZURE'
 BEGIN
-    IF @CLOUDTYPE = 'AZURE'
-    BEGIN
-        exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
-    END;
+	BEGIN TRY
+         exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
+	END TRY
+	BEGIN CATCH
+		SELECT
+			host_name() as host_name,
+			db_name() as database_name,
+			'Execute Create User in ' + DB_NAME() + ' DB' as module_name,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+	END CATCH
 END;
diff --git a/scripts/collector/sqlserver/sql/createCollectionUser.sql b/scripts/collector/sqlserver/sql/createCollectionUser.sql
@@ -24,7 +24,7 @@ DECLARE @COLLECTION_PASS VARCHAR(256);
 DECLARE @PRODUCT_VERSION AS INTEGER;
 DECLARE @CLOUDTYPE AS VARCHAR(256);
 
-DECLARE db_cursor CURSOR FOR
+DECLARE db_cursor CURSOR LOCAL FOR
 SELECT name
 FROM sys.databases
 WHERE name NOT IN ('model','msdb','tempdb','distribution','reportserver', 'reportservertempdb','resource','rdsadmin')
@@ -40,7 +40,8 @@ IF UPPER(@@VERSION) LIKE '%AZURE%'
 	SELECT @CLOUDTYPE = 'AZURE'
 
 BEGIN
-IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = @COLLECTION_USER)
+IF DB_NAME() = 'master'
+  IF NOT EXISTS (SELECT name FROM sys.sql_logins WHERE name = @COLLECTION_USER)
 	BEGIN TRY
     IF @CLOUDTYPE = 'AZURE'
         exec ('CREATE LOGIN [' + @COLLECTION_USER + '] WITH PASSWORD=N''' + @COLLECTION_PASS + '''');
@@ -70,41 +71,47 @@ BEGIN
         SELECT
         host_name() as host_name,
         db_name() as database_name,
-        'Execute Grant in master DB' as module_name,
+        'Execute SERVER ROLE Grant in ' + DB_NAME() + ' DB' as module_name,
+		SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
         SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
         SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
         SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
         SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 	END CATCH
+END
+BEGIN
     IF @CLOUDTYPE <> 'AZURE'
+	BEGIN
 		BEGIN TRY
-        exec ('GRANT VIEW SERVER STATE TO [' + @COLLECTION_USER + ']');
-        exec ('GRANT VIEW ANY DATABASE TO [' + @COLLECTION_USER + ']');
-        exec ('GRANT VIEW ANY DEFINITION TO [' + @COLLECTION_USER + ']');
+        	exec ('GRANT VIEW SERVER STATE TO [' + @COLLECTION_USER + ']');
+        	exec ('GRANT VIEW ANY DATABASE TO [' + @COLLECTION_USER + ']');
+        	exec ('GRANT VIEW ANY DEFINITION TO [' + @COLLECTION_USER + ']');
 		END TRY
 		BEGIN CATCH
 			SELECT
-			host_name() as host_name,
-			db_name() as database_name,
-			'Execute Grant in master DB' as module_name,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+				host_name() as host_name,
+				db_name() as database_name,
+				'Execute Grant in ' + DB_NAME() + ' DB' as module_name,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 		END CATCH
         IF @PRODUCT_VERSION > 11
 		BEGIN TRY
             exec ('GRANT SELECT ALL USER SECURABLES TO [' + @COLLECTION_USER + ']');
 		END TRY
 		BEGIN CATCH
 			SELECT
-			host_name() as host_name,
-			db_name() as database_name,
-			'Execute Grant in master DB' as module_name,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+				host_name() as host_name,
+				db_name() as database_name,
+				'Execute USER SECURABLE Grant in ' + DB_NAME() + ' DB' as module_name,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 		END CATCH
 		IF @PRODUCT_VERSION > 15
 		BEGIN TRY
@@ -115,24 +122,44 @@ BEGIN
 		END TRY
 		BEGIN CATCH
 			SELECT
+				host_name() as host_name,
+				db_name() as database_name,
+				'Execute VIEW SERVER Grant in ' + DB_NAME() + ' DB' as module_name,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+		END CATCH
+	END;
+END;
+
+IF @CLOUDTYPE = 'AZURE'
+BEGIN
+  IF NOT EXISTS (SELECT name FROM sys.sysusers WHERE name = @COLLECTION_USER)
+	BEGIN TRY
+		exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
+    END TRY
+    BEGIN CATCH
+		SELECT
 			host_name() as host_name,
 			db_name() as database_name,
-			'Execute Grant in master DB' as module_name,
+			'Execute Create User in ' + DB_NAME() + ' DB' as module_name,
+			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_LINE()),1,254) as error_line,
 			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
 			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
 			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
 			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
-		END CATCH
+    END CATCH
 END;
 
 IF @CLOUDTYPE <> 'AZURE'
+BEGIN
     OPEN db_cursor
     FETCH NEXT FROM db_cursor INTO @dbname
-
     WHILE @@FETCH_STATUS = 0
-	BEGIN
 		BEGIN TRY
-        exec ('
+        	exec ('
             use [' + @dbname + '];
             IF NOT EXISTS (SELECT [name]
             FROM [sys].[database_principals]
@@ -141,24 +168,19 @@ IF @CLOUDTYPE <> 'AZURE'
                 CREATE USER [' + @COLLECTION_USER + '] FOR LOGIN  [' + @COLLECTION_USER + '];
             END;
 			GRANT VIEW DATABASE STATE TO  [' + @COLLECTION_USER + '];');
-		FETCH NEXT FROM db_cursor INTO @dbname;
 		END TRY
 		BEGIN CATCH
 			SELECT
-			host_name() as host_name,
-			@dbname as used_db_name,
-			db_name() as current_database_name,
-			'Execute Grant in individual DB' as module_name,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
-			SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
+				host_name() as host_name,
+				@dbname as used_db_name,
+				db_name() as current_database_name,
+				'Execute Grant in ' + DB_NAME() + ' DB' as module_name,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_NUMBER()),1,254) as error_number,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_SEVERITY()),1,254) as error_severity,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_STATE()),1,254) as error_state,
+				SUBSTRING(CONVERT(NVARCHAR(255),ERROR_MESSAGE()),1,512) as error_message;
 		END CATCH
-	END;
+	FETCH NEXT FROM db_cursor INTO @dbname;
 	CLOSE db_cursor
 	DEALLOCATE db_cursor
-
-IF @CLOUDTYPE = 'AZURE'
-BEGIN
-    exec ('CREATE USER [' + @COLLECTION_USER + '] FROM LOGIN [' + @COLLECTION_USER + '] WITH DEFAULT_SCHEMA=dbo');
-END;
+END;