Description
SqlServerLogins are using the password of the sql server reference instead of the secretname that they reference to determine password for the Login.
Steps to reproduce
- Setup a SqlServerLogin
- Password used to create Login is the password for the sql server higher priv password
Observe that only password for sql server ref is passed to the ensure login method
|
var (username, password) = await GetSqlServerCredentialsAsync(resolvedDb.SecretName, entity.Metadata.NamespaceProperty); |
|
await EnsureLoginExistsAsync(entity.Spec.LoginName, entity.Spec.AuthenticationType, resolvedDb.Host, username, password); |
Observe that same password value is used to connect to database as well as for the login
|
var builder = new SqlConnectionStringBuilder |
|
{ |
|
DataSource = server, |
|
UserID = username, |
|
Password = password, |
|
InitialCatalog = "master", |
|
TrustServerCertificate = true, |
|
Encrypt = false, |
|
}; |
|
|
|
var commandText = @" |
|
IF NOT EXISTS (SELECT name FROM sys.sql_logins WHERE name = @LoginName) |
|
BEGIN |
|
DECLARE @sql NVARCHAR(MAX) = N'CREATE LOGIN [' + @LoginName + '] WITH PASSWORD = N''' + @Password + ''''; |
|
EXEC sp_executesql @sql; |
|
END"; |
|
|
|
var parameters = new Dictionary<string, object> |
|
{ |
|
["@LoginName"] = loginName, |
|
["@Password"] = password |
|
}; |
|
|
|
await sqlExecutor.ExecuteNonQueryAsync(builder.ConnectionString, commandText, parameters); |
Expected behavior
SqlServerLogin.spec.secretName should be used to set variable loginPassword in the same manner that the sql server login for the server is resolved (inject in ResolveAsync method after username and password vars are defined and populated.
var (_, loginPassword) = await GetSqlServerCredentialsAsync(entity.Spec.SecretName, entity.Metadata.NamespaceProperty);
Passing this variable to a modified EnsureLoginExistsAsync with additional parameter for "string loginPassword".
Modify the following section
|
var parameters = new Dictionary<string, object> |
|
{ |
|
["@LoginName"] = loginName, |
|
["@Password"] = password |
|
}; |
to
var parameters = new Dictionary<string, object>
{
["@LoginName"] = loginName,
["@Password"] = loginPassword
};
Screenshots
If applicable, add screenshots.
Environment details
- OS: [e.g., Ubuntu, Windows, MacOS]
- Browser: [e.g., Chrome, Safari, Firefox]
- Version: [e.g., v1.0.2]
Additional context
Add any additional context or logs here.
Description
SqlServerLogins are using the password of the sql server reference instead of the secretname that they reference to determine password for the Login.
Steps to reproduce
Observe that only password for sql server ref is passed to the ensure login method
KubeSQLServer-Operator/src/OperatorTemplate.Operator/Controllers/V1Alpha1/SqlServerLoginController.cs
Lines 33 to 34 in 6ccdbee
Observe that same password value is used to connect to database as well as for the login
KubeSQLServer-Operator/src/OperatorTemplate.Operator/Controllers/V1Alpha1/SqlServerLoginController.cs
Lines 85 to 108 in 6ccdbee
Expected behavior
SqlServerLogin.spec.secretName should be used to set variable loginPassword in the same manner that the sql server login for the server is resolved (inject in ResolveAsync method after username and password vars are defined and populated.
Passing this variable to a modified
EnsureLoginExistsAsyncwith additional parameter for "string loginPassword".Modify the following section
KubeSQLServer-Operator/src/OperatorTemplate.Operator/Controllers/V1Alpha1/SqlServerLoginController.cs
Lines 102 to 106 in 6ccdbee
to
Screenshots
If applicable, add screenshots.
Environment details
Additional context
Add any additional context or logs here.