  1. RHEL
  2. RHEL-878

microsoft.sql.server AD - Remove creating the privileged account login


    • ansible-collection-microsoft-sql-2.0.1-1.el9
    • rhel-system-roles
    • QE ack, Dev ack
    • Bug Fix
      .The `mssql` Ansible role no longer creates AD-based SQL Server logins

      Previously, the `mssql` Ansible role automatically created logins for users with administrator permissions. To prevent potential security leaks, this update removes the functionality. As a result, the role now does not create any Active Directory-based SQL Server logins and the users are now responsible for creating their accounts and are informed about this in the `README.md` file.
    • In Progress

      Enhancement: For AD integration, remove the functionality that automatically creates a privileged account login in SQL Server.

      Reason: This is required to ensure that the role does not create security leaks by silently creating accounts for users with admin permissions. Least-privilege access and separation of duty are core security practices that the role should account for.

      Result: The role now does not create any Active Directory-based SQL Server logins; users are now responsible for doing this and are informed about this in README.md.

      Acceptance Criteria:
      The role now does not create Windows logins, so users are expected to create them themselves, for example by setting the following variables when running the role:

          # Windows (AD) principal to create a login for; the SQL below is
          # rendered by Ansible and executed by the role after setup.
          __mssql_ad_login: domain\Administrator
          mssql_post_input_sql_content: |-
            USE master;
            IF NOT EXISTS (
              SELECT name FROM sys.server_principals
              WHERE name = '{{ __mssql_ad_login }}'
            )
            BEGIN
              PRINT 'A {{ __mssql_ad_login }} login does not exist, creating';
              CREATE LOGIN [{{ __mssql_ad_login }}] FROM WINDOWS;
              PRINT 'The {{ __mssql_ad_login }} login created successfully';
            END
            ELSE
            BEGIN
              PRINT 'A {{ __mssql_ad_login }} login already exists, skipping';
            END
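      An audit query, added here as an example and not part of this issue or of the mssql role, that an administrator can run after applying the role (via sqlcmd, or through `mssql_post_input_sql_content` in the same way as above) to confirm that the only Active Directory logins present are the ones created explicitly, and which of them hold sysadmin:

```sql
-- Added audit query (example, not from RHEL-878 or the mssql role).
-- Lists every Windows (AD) login or group with the fixed server roles it
-- holds, newest first, so accidentally created privileged logins stand out.
USE master;

SELECT
    p.name                                   AS login_name,
    p.type_desc                              AS login_type,   -- WINDOWS_LOGIN / WINDOWS_GROUP
    p.create_date,
    p.is_disabled,
    ISNULL(STRING_AGG(r.name, ', '), '(no server role)') AS server_roles
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE p.type IN ('U', 'G')                   -- U = Windows user, G = Windows group
  AND p.name NOT LIKE 'NT SERVICE\%'         -- skip built-in service accounts
  AND p.name NOT LIKE 'NT AUTHORITY\%'
GROUP BY p.name, p.type_desc, p.create_date, p.is_disabled
ORDER BY p.create_date DESC;

-- Second pass: only the Windows logins that are members of sysadmin, i.e.
-- the kind of account the role used to create silently. Expect this list
-- to contain nothing beyond the login you created on purpose.
SELECT p.name AS sysadmin_windows_login, p.create_date
FROM sys.server_principals AS p
WHERE p.type IN ('U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1
ORDER BY p.create_date DESC;
```

STRING_AGG requires SQL Server 2017 or later; on older instances replace it with a FOR XML PATH concatenation or simply drop the aggregation and read one row per role.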

              spetros@redhat.com Sergei Petrosian