使用服务主体的Azure分析服务连接不起作用 [英] Azure analysis service connection using Service principal not working

问题描述

我正在尝试使用ADOMD连接到Azure分析服务，并使用服务主体进行身份验证.因此，我完成了以下操作:

I am trying to connect to Azure Analysis services using ADOMD and authenticated using a Service principal. So I have done following:

1. 在AAD中创建应用.
2. 授予应用程序(服务主体)对Azure Analysis Service的读取权限.

下面是我连接到Azure分析服务的代码.

Below is my code to connect to Azure Analysis service.

            var clientId = "******";
            var clientSecret = "*****";
            var domain = "****.onmicrosoft.com";
            var ssasUrl = "northeurope.asazure.windows.net";
            var token = await TokenHelper.GetAppOnlyAccessToken(domain, $"https://{ssasUrl}", clientId, clientSecret);

            var connectionString = $"Provider=MSOLAP;Data Source=asazure://{ssasUrl}/{modelname};Initial Catalog= adventureworks;User ID=;Password={token};Persist Security Info=True;Impersonation Level=Impersonate";
            var ssasConnection = new AdomdConnection(connectionString);
            ssasConnection.Open();
            var query = @"Evaluate TOPN(10,Customer,Customer[Customer Id],1)";
            var cmd = new AdomdCommand(query)
            {
                Connection = ssasConnection
            };
            using (var reader = cmd.ExecuteXmlReader())
            {
                string value = reader.ReadOuterXml();
                Console.WriteLine(value);
            }

我能够获得有效的访问令牌，但是在尝试打开连接时出现以下错误:

I am able to get a valid access token, but I get following error when trying to open the connection:

AdomdErrorResponseException:"app:xxxxxxx @ xxxxxx"用户无权访问"adventureworks"数据库，或者该数据库不存在.

其他信息::

1. 我已验证通过Azure门户对Azure分析服务的Service主体授予了权限(读者也尝试了贡献).
2. 我尝试使用服务帐户(用户名和密码)使用相同的代码，并且可以正常工作.
3. 如果我从连接字符串中删除"Initial Catalog = Adventureworks"，则我的连接将成功.但是我不明白为什么Analysis Services权限没有传播到模型.

解决方案:

很抱歉，发布此消息后，我自己得到了解决方案.上面的第3点给了我一个线索.通过门户网站对Azure分析服务的授予权限不会传播到服务主体(Azuire AD应用程序)的模型.

Silly that I got the resolution by myself just after posting this. The point no 3 above gave me a clue.Granting permission on the Azure analysis services through the portal does not propagate to the model for the Service principals (Azuire AD apps).

步骤:

1. 在Sql服务器Mgmt Studio中打开Azure分析服务.
2. 在目标模型中，转到角色.

3. 在获得许可的情况下将服务主体添加到所需角色.服务主体以以下格式添加:

1. Open the Azure analysis service in Sql server Mgmt Studio.
2. In the target model, go to Roles.

3. Add the service principal into required role with permission. Service principal is added in below format:

app:[appid] @ [tenantid]

app:[appid]@[tenantid]

示例:app:8249E22B-CFF9-440C-AF27-60064A5743CE @ 86F119BE-D703-49E2-8B5F-72392615BB97

example : app:8249E22B-CFF9-440C-AF27-60064A5743CE@86F119BE-D703-49E2-8B5F-72392615BB97

推荐答案

很遗憾，我在发布此文件后自行获得了解决方案.上面的第3点给了我一个线索.通过门户网站对Azure分析服务的授予权限不会传播到服务主体(Azure AD应用程序)的模型.

Silly that I got the resolution by myself just after posting this. The point no 3 above gave me a clue.Granting permission on the Azure analysis services through the portal does not propagate to the model for the Service principals (Azure AD apps).

步骤:

1. 在Sql服务器Mgmt Studio中打开Azure分析服务.
2. 在目标模型中，转到角色.

3. 在获得许可的情况下将服务主体添加到所需角色.服务主体以以下格式添加:

1. Open the Azure analysis service in Sql server Mgmt Studio.
2. In the target model, go to Roles.

3. Add the service principal into required role with permission. Service principal is added in below format:

app:[appid] @ [tenantid]

app:[appid]@[tenantid]

示例:app:8249E22B-CFF9-440C-AF27-60064A5743CE @ 86F119BE-D703-49E2-8B5F-72392615BB97

example : app:8249E22B-CFF9-440C-AF27-60064A5743CE@86F119BE-D703-49E2-8B5F-72392615BB97

我在这里写了我的全部经历:

I have blogged my whole experience here:https://unnieayilliath.com/2017/11/12/connecting-to-azure-analysis-services-using-adomd/

这篇关于使用服务主体的Azure分析服务连接不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！