Azure AD Authentication for Azure Flex Postgres Service
Release notes
TBD
Problem to solve
Microsoft Azure Active Directory (Azure AD) authentication is a mechanism for connecting to Azure Flex Database for PostgreSQL using identities defined in Azure AD.
With Azure AD authentication, customers can manage database user identities and other Microsoft services in a central location, which simplifies permission management and therefore helps companies to adhere to regulations and policies.
- Authentication of users across Azure Services in a uniform way
- Management of password policies and password rotation in a single place
- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords
- Customers can manage database permissions using external (Azure AD) groups.
To serve the needs of very large enterprise customers that rely on Azure, using the Azure AD authentication service together with the Azure Postgres Flex Service (Azure's managed database service for Postgres) to centrally manage all of their access permissions to services, GitLab's Postgres connection handling has to be extended to support this specific authentication mechanism, in addition to statically set username/password credentials.
Context:
- The initial request to implement this specific Azure AD authentication mechanism was raised by a very large strategic enterprise customer (20,000 GitLab Ultimate seats), because their internal policy will at some point require that all applications used inside the organization support this specific authentication mechanism.
- This issue should be used to evaluate and discuss a possible implementation of this specific Azure authentication mechanism, in collaboration with the required PM / ENG teams.
- SLACK Ref: https://gitlab.slack.com/archives/CNZ8E900G/p1679582511862679
Proposal
From the Azure documentation, it seems that before connecting, a client has to obtain an access token from Azure AD, which is then used as the password in the connection string when connecting to the Azure Flex Server database.
As the current database connection settings are statically set in the gitlab.rb file, GitLab's connection handling has to be modified so that the password, instead of being read statically from the gitlab.rb file, is generated dynamically by GitLab itself.
Therefore the GitLab application itself has to request this access token from Azure AD first, and then use it to establish any psql connection.
The token's expiration time also needs to be considered, as the application will then have to request a new token once the current one expires.
Azure Documentation: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-azure-ad-authentication
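The token lifecycle described in the proposal (fetch a token, use it as the connection password, refresh it before it expires) is sketched below as an added example. This is illustrative code and not GitLab's implementation or Azure's SDK: the Azure AD request is replaced by an injected fetcher callable and a constructed fake (`FakeAzureFetcher`), so the refresh logic runs offline; the `refresh_margin` parameter and the `connection_params` shape are assumptions for the example.

```ruby
# Added example: a token-backed password provider for a Postgres connection.
# Illustrative code, not GitLab's implementation. The real token would come
# from Azure AD (for example a managed identity endpoint); here the fetcher
# is injected so the caching and refresh logic can be exercised offline.
require 'time'

class AzureAdTokenProvider
  # refresh_margin: seconds before expiry at which a new token is requested,
  # so a connection is never opened with a token that is about to lapse.
  def initialize(fetcher:, refresh_margin: 300, clock: -> { Time.now })
    @fetcher = fetcher          # callable returning { token:, expires_at: }
    @refresh_margin = refresh_margin
    @clock = clock
    @current = nil
  end

  # Returns a valid access token, fetching a fresh one when the cached
  # token is missing or inside the refresh margin.
  def token
    refresh! if @current.nil? || expiring_soon?
    @current[:token]
  end

  # Connection parameters in the form a PG client expects: the Azure AD
  # principal as user, the access token as password (assumed shape).
  def connection_params(host:, dbname:, user:)
    { host: host, dbname: dbname, user: user, password: token, sslmode: 'require' }
  end

  private

  def expiring_soon?
    @current[:expires_at] - @clock.call <= @refresh_margin
  end

  def refresh!
    fresh = @fetcher.call
    raise 'token fetcher returned no token' if fresh[:token].to_s.empty?
    @current = fresh
  end
end

# Constructed fake fetcher: counts calls and issues tokens valid for one hour
# from a controllable clock, standing in for the Azure AD token request.
class FakeAzureFetcher
  attr_reader :calls

  def initialize(clock)
    @clock = clock
    @calls = 0
  end

  def call
    @calls += 1
    { token: "fake.token.#{@calls}", expires_at: @clock.call + 3600 }
  end
end

# Drives the provider through a full lifecycle: first use fetches, reuse
# hits the cache, approaching expiry triggers a refresh.
def demo_token_lifecycle
  now = Time.parse('2024-01-01 00:00:00 UTC')
  clock = -> { now }
  fetcher = FakeAzureFetcher.new(clock)
  provider = AzureAdTokenProvider.new(fetcher: fetcher, refresh_margin: 300, clock: clock)

  first = provider.token
  second = provider.token   # cached, no new fetch
  now += 3400               # 200 s before expiry, inside the refresh margin
  third = provider.token    # refreshed
  params = provider.connection_params(host: 'db.example.invalid', dbname: 'gitlabhq', user: 'gitlab@example.invalid')
  { first: first, second: second, third: third, fetches: fetcher.calls, password: params[:password] }
end

if __FILE__ == $PROGRAM_NAME
  p demo_token_lifecycle
end
```

The provider deliberately refreshes before the hard expiry rather than on failure, so a connection opened moments before the token lapses still authenticates; in production the fetcher would call Azure AD and the margin should be tuned to the token validity Azure issues.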
Challenges:
- It seems to be a non-standard way of authenticating against Postgres, which can easily lead to unexpected issues in large-scale environments.
- At the moment we don’t have Azure in our merge request pipelines
- Currently, we do not have any other customer requesting this functionality.
Intended users
Feature Usage Metrics
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.