Add SqlServer MSI Support

[samfoxcode]

Add the option for MSI Auth to Azure SQL Server. Expects a param to be passed to enable MSI Auth, useMsi=true.

• update go-mssqldb module to pull in msi auth support
• make code change in database/sqlserver/sqlserver.go to check for useMsi param
• dynamically get database resource uri based on the server uri
• adds adal module which is needed for fetching the msi token

PR from denisenkom/go-mssqldb that added msi support: #546

[kfcampbell]

Could this line be refactored into a helper in order to make its purpose more clear and maybe make it testable? I'm a little worried about some of these string operations being brittle with unexpected input.

[samfoxcode]

yeah, I agree. The main purpose here is to get the resource uri which could change across clouds. I'll see what I can do. Currently, if the uri is incorrect, I believe it would result in a 4xx (invalid resource uri for tenant or something similar). Will validate that behavior and update

[kfcampbell]

Sounds good, thank you! The cloud change use case is not something I had picked up from reading the code but that's super important.

[kfcampbell]

Out of curiosity, what happens if I pass useMsi as true but there's no provider available? Is it a timeout or an immediate failure?

[samfoxcode]

if the resource uri is invalid it'll timeout, but if there isn't an identity available it seems to just hang - looking into why

[kfcampbell]

Sounds good! I'm trying to think like the maintainer of the upstream package might and try to identify any failure modes introduced. I don't think there's necessarily a specific action item here and we shouldn't block merging on this comment, but I am certainly curious.

[kfcampbell]

What's the difference between this sql.OpenDB() call and the below sql.Open() call? What's the reason for using two different methods to open the database?

[samfoxcode]

sql.Open will actually end up calling sql.OpenDB behind the scenes, but it builds the connector first based on what's passed in/the db context. sql.OpenDB just expects a connector, which is this case we're building ourselves, so we can call sql.OpenDB directly in that case. This follows the mssql guidance for using msi connections: mssql msi

source code which has sql.Open and sql.OpenDB (sorry, can't permalink to sql.Open): https://golang.org/src/database/sql/sql.go

[kfcampbell]

Awesome, thanks for the explanation!

[kfcampbell]

Do you mind briefly walking me through the decision to use a higher order function here? What is it buying us?

[kfcampbell]

Ohh, I see in this PR it's due to the short-lived nature of AAD tokens and this function ensures a refresh.

[samfoxcode]

mssql.NewAccessTokenConnector expects a callback which is used to build the connection and that will be used to retrieve fresh tokens. msi.EnsureFresh() will update the token if it is about to expire, and then msi.OAuthToken() gets the token to be used for the connection

[kfcampbell]

I like these changes and I'm looking forward to being able to use them in the usage service! Managed identity SQL auth will save us a lot of headaches around rolling passwords and disaster recovery.

Do you have thoughts on the strategy to merge with the upstream repo after this merges in your branch? Some idle thoughts:

• Their contributing docs aren't suuuper helpful.
• Maybe it's best to merge here and then open up a PR in their repo.
• @taywrobel works here and has committed to the project in the past. He might be able to help us or tell us what he did to get his CockroachDB changes in.

[samfoxcode]

I like these changes and I'm looking forward to being able to use them in the usage service! Managed identity SQL auth will save us a lot of headaches around rolling passwords and disaster recovery.

Do you have thoughts on the strategy to merge with the upstream repo after this merges in your branch? Some idle thoughts:

• Their contributing docs aren't suuuper helpful.
• Maybe it's best to merge here and then open up a PR in their repo.
• @taywrobel works here and has committed to the project in the past. He might be able to help us or tell us what he did to get his CockroachDB changes in.

that was my initial thought too, have it reviewed here first then merge into the fork's main, then open a PR against the upstream

[kfcampbell]

That sounds good to me! I'm looking forward to seeing this PR on the main module. I won't "approve" this for now since I'm not quite sure of the etiquette in this fork scenario, but I'd definitely be interested in getting the maintainers' feedback soon.