add support for Azure SQL by adding Active Directory authentication methods

README.md

@@ -15,35 +15,78 @@ Easiest install is to use pip:
     pip install dbt-sqlserver
 
 On Ubuntu make sure you have the ODBC header files before installing
-
-    sudo apt install unixodbc-dev
-
-## Configure your profile
-Configure your dbt profile for using SQL Server authentication or Integrated Security:
-##### SQL Server authentication 
-      type: sqlserver
-      driver: 'ODBC Driver 17 for SQL Server' (The ODBC Driver installed on your system)
-      server: server-host-name or ip
-      port: 1433
-      user: username
-      password: password
-      database: databasename
-      schema: schemaname
-
-##### Integrated Security
-      type: sqlserver
-      driver: 'ODBC Driver 17 for SQL Server'
-      server: server-host-name or ip
-      port: 1433
-      user: username
-      schema: schemaname
-      windows_login: True
+
+```
+sudo apt install unixodbc-dev
+```
+
+## Authentication
+
+the following is needed for every target definition for both SQL Server and Azure SQL.  The sections below details how to connect to SQL Server and Azure SQL specifically.
+```
+type: sqlserver
+driver: 'ODBC Driver 17 for SQL Server' (The ODBC Driver installed on your system)
+server: server-host-name or ip
+port: 1433
+schema: schemaname
+```
+
+### standard SQL Server authentication
+SQL Server credentials are supported for on-prem as well as cloud, and it is the default authentication method for `dbt-sqlsever`
+```
+user: username
+password: password
+```
+### Windows Authentication (SQL Server-specific)
+
+```
+windows_login: True
+```
+alternatively
+```
+trusted_connection: True
+```
+### Azure SQL-specific auth
+The following [`pyodbc`-supported ActiveDirectory methods](https://docs.microsoft.com/en-us/sql/connect/odbc/using-azure-active-directory?view=sql-server-ver15#new-andor-modified-dsn-and-connection-string-keywords) are available to authenticate to Azure SQL:
+- ActiveDirectory Password
+- ActiveDirectory Interactive
+- ActiveDirectory Integrated
+- Service Principal (a.k.a. AAD Application)
+- ~~ActiveDirectory MSI~~ (not implemented)
+
+#### ActiveDirectory Password 
+Definitely not ideal, but available
+```
+authentication: ActiveDirectoryPassword
+user: bill.gates@microsoft.com
+password: i<3opensource?
+```
+#### ActiveDirectory Interactive (*Windows only*)
+brings up the Azure AD prompt so you can MFA if need be.
+```
+authentication: ActiveDirectoryInteractive
+user: bill.gates@microsoft.com
+```
+#### ActiveDirectory Integrated (*Windows only*)
+uses your machine's credentials (might be disabled by your AAD admins)
+```
+authentication: ActiveDirectoryIntegrated
+```
+##### Service Principal
+`client_*` and `app_*` can be used interchangeably
+```
+tenant_id: ActiveDirectoryIntegrated
+client_id: clientid
+client_secret: ActiveDirectoryIntegrated
+```
 
 ## Supported features
 
 ### Materializations
 - Table: 
-    - Will be materialized as columns store index by default (requires SQL Server 2017 as least). To override:
+    - Will be materialized as columns store index by default (requires SQL Server 2017 as least). 
+      (For Azure SQL requires Service Tier greater than S2)
+    To override:
 {{
   config(
     as_columnstore = false,

dbt/adapters/sqlserver/connections.py

@@ -1,18 +1,39 @@
 from contextlib import contextmanager
 
 import pyodbc
+import os
 import time
+import struct
 
 import dbt.exceptions
 from dbt.adapters.base import Credentials
 from dbt.adapters.sql import SQLConnectionManager
+from azure.identity import DefaultAzureCredential
 
 from dbt.logger import GLOBAL_LOGGER as logger
 
 from dataclasses import dataclass
 from typing import Optional
 
 
+def create_token(tenant_id, client_id, client_secret):
+    # bc DefaultAzureCredential will look in env variables
+    os.environ['AZURE_TENANT_ID'] = tenant_id
+    os.environ['AZURE_CLIENT_ID'] = client_id
+    os.environ['AZURE_CLIENT_SECRET'] = client_secret
+
+    token = DefaultAzureCredential().get_token(
+        'https://database.windows.net//.default')
+    # convert to byte string interspersed with the 1-byte
+    # TODO decide which is cleaner?
+    # exptoken=b''.join([bytes({i})+bytes(1) for i in bytes(token.token, "UTF-8")])
+    exptoken = bytes(1).join([bytes(i, "UTF-8") for i in token.token])+bytes(1)
+    # make c object with bytestring length prefix
+    tokenstruct = struct.pack("=i", len(exptoken)) + exptoken
+
+    return tokenstruct
+
+
 @dataclass
 class SQLServerCredentials(Credentials):
     driver: str
@@ -23,14 +44,16 @@ class SQLServerCredentials(Credentials):
     UID: Optional[str] = None
     PWD: Optional[str] = None
     windows_login: Optional[bool] = False
+    tenant_id: Optional[str] = None
+    client_id: Optional[str] = None
+    client_secret: Optional[str] = None
+    # "sql", "ActiveDirectoryPassword" or "ActiveDirectoryInteractive", or
+    # "ServicePrincipal"
+    authentication: Optional[str] = "sql"
+    encrypt: Optional[str] = "yes"
 
     _ALIASES = {
-        'user': 'UID'
-        , 'username': 'UID'
-        , 'pass': 'PWD'
-        , 'password': 'PWD'
-        , 'server': 'host'
-        , 'trusted_connection': 'windows_login'
+        'user': 'UID', 'username': 'UID', 'pass': 'PWD', 'password': 'PWD', 'server': 'host', 'trusted_connection': 'windows_login', 'auth': 'authentication', 'app_id': 'client_id', 'app_secret': 'client_secret'
     }
 
     @property
@@ -40,11 +63,17 @@ def type(self):
     def _connection_keys(self):
         # return an iterator of keys to pretty-print in 'dbt debug'
         # raise NotImplementedError
-        return 'server', 'database', 'schema', 'port', 'UID', 'windows_login'
+        if self.windows_login is True:
+            self.authentication = "Windows Login"
+
+
+        return 'server', 'database', 'schema', 'port', 'UID', \
+                 'authentication', 'encrypt'
 
 
 class SQLServerConnectionManager(SQLConnectionManager):
     TYPE = 'sqlserver'
+    TOKEN = None
 
     @contextmanager
     def exception_handler(self, sql):
@@ -97,16 +126,55 @@ def open(cls, connection):
 
             con_str.append(f"Database={credentials.database}")
 
-            if not getattr(credentials, 'windows_login', False):
-                con_str.append(f"UID={credentials.UID}")
-                con_str.append(f"PWD={credentials.PWD}")
-            else:
+            type_auth = getattr(credentials, 'authentication', 'sql')
+
+            if 'ActiveDirectory' in type_auth:
+                con_str.append(f"Authentication={credentials.authentication}")
+
+                if type_auth == "ActiveDirectoryPassword":
+                    con_str.append(f"UID={{{credentials.UID}}}")
+                    con_str.append(f"PWD={{{credentials.PWD}}}")
+                elif type_auth == "ActiveDirectoryInteractive":
+                    con_str.append(f"UID={{{credentials.UID}}}")
+                elif type_auth == "ActiveDirectoryIntegrated":
+                    # why is this necessary???
+                    con_str.remove("UID={None}")
+                elif type_auth == "ActiveDirectoryMsi":
+                    raise ValueError("ActiveDirectoryMsi is not supported yet")
+
+            elif type_auth == 'ServicePrincipal':
+                app_id = getattr(credentials, 'AppId', None)
+                app_secret = getattr(credentials, 'AppSecret', None)
+
+            elif getattr(credentials, 'windows_login', False):
                 con_str.append(f"trusted_connection=yes")
+            elif type_auth == 'sql':
+                con_str.append("Authentication=SqlPassword")
+                con_str.append(f"UID={{{credentials.UID}}}")
+                con_str.append(f"PWD={{{credentials.PWD}}}")
+
+            if not getattr(credentials, 'encrypt', False):
+                con_str.append(f"Encrypt={credentials.encrypt}")
 
             con_str_concat = ';'.join(con_str)
             logger.debug(f'Using connection string: {con_str_concat}')
 
-            handle = pyodbc.connect(con_str_concat, autocommit=True)
+            if type_auth != 'ServicePrincipal':
+                handle = pyodbc.connect(con_str_concat, autocommit=True)
+
+            elif type_auth == 'ServicePrincipal':
+
+                # create token if it does not exist
+                if cls.TOKEN is None:
+                    tenant_id = getattr(credentials, 'tenant_id', None)
+                    client_id = getattr(credentials, 'client_id', None)
+                    client_secret = getattr(credentials, 'client_secret', None)
+
+                    cls.TOKEN = create_token(tenant_id, client_id, client_secret)
+
+                handle = pyodbc.connect(con_str_concat,
+                                        attrs_before = {1256:cls.TOKEN},
+                                        autocommit=True) 
 
             connection.state = 'open'
             connection.handle = handle

setup.py

@@ -27,5 +27,6 @@
     install_requires=[
         'dbt-core>=0.18.0',
         'pyodbc>=4.0.27',
+        'azure-identity>=1.4.0'
     ]
 )