Purpose
Azure AD authentication in DSA helps prevent unauthorized access to storage accounts. Teradata implemented Azure AD with DSA using the client secret credentials approach, which is based on authentication with service principals.
The config_azure command configures the Microsoft Azure Server in the DSA repository based on parameter files.
During configuration, enter the following parameters:
- Tenant_id (Azure AD tenant)
- Client_id (Registered app ID)
- Client_secret (Client secret value)
Here is a representation of the high-level architecture:
Prerequisite
- Register an app in the Azure portal to get the client ID and the Azure AD tenant ID.
- Create a client secret from the Azure portal to get the client secret value.
Register app and assign role in the Azure portal
To register an app and assign a role, follow these steps:
- In the Azure portal, click app registration from your AD tenant.
- Enter app name.
- Leave redirect URL blank.
- Note the client ID and tenant ID.
- Create a client secret for your registered app and note the client secret value. See https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- To assign a role for your storage account, see https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
Syntax
config_azure -f|-file FILE
Example
config_azure -f file1.xml
Parameters
- f|file filename
  The full path and name of the file containing the necessary configuration parameters.
- u|user_authentication User
  Required when security management is enabled. Supplies the command with the Viewpoint user, and triggers a password prompt for authentication.
Permissions required: Administrator role
Usage Notes
Enter tenant ID, client ID, and client secret value for the Azure storage account.
XML File Example
Here’s a representative XML file. Note that "/" must follow the prefix_name to use it as a folder.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dscConfigAzureBlobStorage xmlns="http://schemas.teradata.com/v2012/DSC">
  <config_azure_blob_storage>
    <!-- 'Storage account' - Required, max length 24, lowercase -->
    <storage_account>azurerbuda</storage_account>
    <!-- 'Storage account enumeration' - Required, valid values: cool, hot -->
    <storage_type>cool</storage_type>
    <!-- Specialized endpoint for Azure Independent Clouds e.g. AzureUSGovernment, AzureChinaCloud and AzureGermanCloud - Optional -->
    <region></region>
    <blobs>
      <!-- 'Blob container name' - Required, max length 63, lowercase, at least one -->
      <blob_container>udaesblob01</blob_container>
      <prefix_list>
        <!-- 'Prefix name' - Required, max length 256, at least one -->
        <prefix_name>br186001-1</prefix_name>
        <storage_devices>2</storage_devices>
      </prefix_list>
    </blobs>
    <blobs>
      <blob_container>udaesblob02</blob_container>
      <prefix_list>
        <prefix_name>br186001-2</prefix_name>
        <storage_devices>2</storage_devices>
      </prefix_list>
    </blobs>
    <is_azure_ad>true</is_azure_ad>
  </config_azure_blob_storage>
</dscConfigAzureBlobStorage>
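The limits stated in the XML comments above can be checked before the file is passed to config_azure. The following is an added example, not Teradata code: the function name validate_config, the sample values, and the reading of is_azure_ad as the switch for Azure AD authentication are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://schemas.teradata.com/v2012/DSC"}

def _text(node, path):
    return (node.findtext(path, "", NS) or "").strip()

def validate_config(xml_text):
    """Return problems found against the limits stated in the XML comments."""
    cfg = ET.fromstring(xml_text).find("d:config_azure_blob_storage", NS)
    if cfg is None:
        return ["missing config_azure_blob_storage element"]
    problems = []
    account = _text(cfg, "d:storage_account")
    if not account or len(account) > 24 or account != account.lower():
        problems.append(f"storage_account {account!r}: required, max 24, lowercase")
    stype = _text(cfg, "d:storage_type")
    if stype not in ("cool", "hot"):
        problems.append(f"storage_type {stype!r}: must be cool or hot")
    blobs = cfg.findall("d:blobs", NS)
    if not blobs:
        problems.append("blobs: at least one blob container is required")
    for blob in blobs:
        name = _text(blob, "d:blob_container")
        if not name or len(name) > 63 or name != name.lower():
            problems.append(f"blob_container {name!r}: required, max 63, lowercase")
        prefixes = [(p.text or "").strip()
                    for p in blob.findall("d:prefix_list/d:prefix_name", NS)]
        if not prefixes:
            problems.append(f"blob_container {name!r}: at least one prefix_name")
        for prefix in prefixes:
            if not prefix or len(prefix) > 256:
                problems.append(f"prefix_name {prefix!r}: required, max 256")
    # Assumption: is_azure_ad=true is what selects Azure AD authentication.
    if _text(cfg, "d:is_azure_ad") != "true":
        problems.append("is_azure_ad: not 'true', Azure AD authentication is off")
    return problems

# Constructed sample with three deliberate mistakes (not a real configuration).
SAMPLE_BAD = """<dscConfigAzureBlobStorage xmlns="http://schemas.teradata.com/v2012/DSC">
  <config_azure_blob_storage>
    <storage_account>ExampleAcct</storage_account>
    <storage_type>archive</storage_type>
    <blobs><blob_container>examplecontainer01</blob_container></blobs>
    <is_azure_ad>true</is_azure_ad>
  </config_azure_blob_storage>
</dscConfigAzureBlobStorage>"""

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_BAD):
        print(problem)
```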