Use Azure Active Directory for authenticating with MySQL

Azure Active Directory (Azure AD) authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.

Benefits of using Azure AD include:

  • Authentication of users across Azure services in a uniform way
  • Management of password policies and password rotation in a single place
  • Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords
  • Customers can manage database permissions using external (Azure AD) groups.
  • Azure AD authentication uses MySQL database users to authenticate identities at the database level
  • Support for token-based authentication for applications connecting to Azure Database for MySQL

To configure and use Azure Active Directory authentication, use the following process:

  1. Create and populate Azure Active Directory with user identities as needed.
  2. Optionally associate or change the Active Directory currently associated with your Azure subscription.
  3. Create an Azure AD administrator for the Azure Database for MySQL server.
  4. Create database users in your database mapped to Azure AD identities.
  5. Connect to your database by retrieving a token for an Azure AD identity and logging in.

Note

To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see Configure and sign in with Azure AD for Azure Database for MySQL.

Architecture

The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.

Diagram: Authentication flow

Administrator structure

When using Azure AD authentication, there are two administrator accounts for the MySQL server: the original MySQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL server. Only one Azure AD administrator (a user or group) can be configured at any time.

Diagram: Administrator structure

Permissions

To create new users that can authenticate with Azure AD, you must be the designated Azure AD administrator. This user is assigned by configuring the Azure AD administrator account for a specific Azure Database for MySQL server.

To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in Configure and sign in with Azure AD for Azure Database for MySQL.

Azure AD authentication is only possible after the Azure AD admin has been created for the Azure Database for MySQL server. If the Azure Active Directory admin is removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials.

Connecting using Azure AD identities

Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities:

  • Azure Active Directory Password
  • Azure Active Directory Integrated
  • Azure Active Directory Universal with MFA
  • Using Active Directory application certificates or client secrets
  • Managed Identity

Once you have authenticated against Active Directory, you retrieve a token. This token is your password for logging in.

Please note that management operations, such as adding new users, are only supported for Azure AD user roles at this point.

Note

For more details on how to connect with an Active Directory token, see Configure and sign in with Azure AD for Azure Database for MySQL.

Additional considerations

  • Azure Active Directory authentication is only available for MySQL 5.7 and newer.
  • Only one Azure AD administrator can be configured for an Azure Database for MySQL server at any time.
  • Only the Azure AD administrator for MySQL can initially connect to Azure Database for MySQL using an Azure Active Directory account. The Active Directory administrator can then configure subsequent Azure AD database users.
  • If a user is deleted from Azure AD, that user can no longer authenticate with Azure AD, so it is no longer possible to acquire an access token for that user. In this case, although the matching user still exists in the database, it is not possible to connect to the server as that user.

Note

A deleted Azure AD user can still log in until the token expires (up to 60 minutes after the token is issued). If you also remove the user from Azure Database for MySQL, this access is revoked immediately.

  • If the Azure AD admin is removed from the server, the server is no longer associated with an Azure AD tenant, and therefore all Azure AD logins are disabled for the server. Adding a new Azure AD admin from the same tenant re-enables Azure AD logins.
  • Azure Database for MySQL matches access tokens to the Azure Database for MySQL user using the user's unique Azure AD user ID, not the username. This means that if an Azure AD user is deleted in Azure AD and a new user is created with the same name, Azure Database for MySQL treats it as a different user. Therefore, if a user is deleted from Azure AD and a new user with the same name is added, the new user cannot connect as the existing database user.
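The following added example (not code from the page or from Azure) illustrates two points above: step 5 of the process, where the Azure AD access token is presented as the MySQL password, and the considerations that a token stays valid until it expires (up to 60 minutes) and that the server matches it to a database user by the unique Azure AD object ID rather than the username. The token is a constructed, unsigned placeholder built inline so the example runs offline; the `oid` and `upn` claim names and all identity values are assumptions for illustration, and signature verification is left to the server, where it belongs.

```python
import base64
import json
import time

# Azure Database for MySQL accepts an Azure AD access token as the password.
# Before a cached token is handed to the MySQL client, check that it is still
# usable and record which identity it represents: the server matches the token
# to the database user by the unique Azure AD object ID, not the user name.

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is not checked here;
    the server verifies it at login, the client only needs the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_status(token: str, now=None, skew: int = 60) -> dict:
    """Report who the token is for and whether it can still be presented.
    It is treated as unusable `skew` seconds early so a login attempt does
    not race the token lifetime (up to 60 minutes from issue)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    remaining = int(claims["exp"] - now)
    return {
        "oid": claims.get("oid"),   # what the server matches on (assumed claim)
        "upn": claims.get("upn"),   # display only; a re-created user can reuse it
        "seconds_remaining": remaining,
        "usable": remaining > skew,
    }

def token_matches_user(token: str, expected_oid: str) -> bool:
    """Mirror the server-side rule: same name with a new object ID is a
    different user, so a token for a re-created account does not match."""
    return decode_claims(token).get("oid") == expected_oid

def make_demo_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED demo token for offline use only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"

ISSUED = 1_700_000_000  # constructed issue time; token lives 60 minutes
OLD_OID, UPN = "00000000-0000-0000-0000-000000000001", "dbuser@contoso.example"
DEMO_TOKEN = make_demo_token({"oid": OLD_OID, "upn": UPN, "iat": ISSUED, "exp": ISSUED + 3600})
REPLACEMENT_TOKEN = make_demo_token({"oid": "00000000-0000-0000-0000-000000000002", "upn": UPN, "exp": ISSUED + 3600})

if __name__ == "__main__":
    print(token_status(DEMO_TOKEN, now=ISSUED + 600))
    print("re-created user accepted for old db user:", token_matches_user(REPLACEMENT_TOKEN, OLD_OID))
```

In a real client the `token_status(...)["usable"]` check gates whether the cached token is passed as the password or a fresh one is requested from Azure AD first.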

Next steps