I am having some trouble integrating QuestDB Enterprise with Azure EntraId/Active Directory. I believe I have everything in place, but I am stuck. This is what I did so far:
I also changed my server.conf with these parameters:
acl.oidc.enabled=true
acl.oidc.ropc.flow.enabled=true
acl.oidc.groups.claim=groups
# Microsoft EntraID (Azure AD)
acl.oidc.configuration.url=https://login.microsoftonline.com/XXXXXXXX-6cec-4b6c-ba03-XXXXXXX/v2.0/.well-known/openid-configuration
acl.oidc.sub.claim=name
acl.oidc.groups.encoded.in.token=true
acl.oidc.client.id=XXXXXXX-246e-4dd1-960b-XXXXXX
acl.oidc.redirect.uri=https://myquestdb:9000
acl.oidc.scope=openid profile offline_access api://XXXXXXX-246e-4dd1-960b-XXXXXX/User.Groups
When I navigate to my QuestDB, I can select SSO and it redirects me to Azure for authentication. All good. The problem is that the logged-in user has no permissions on QuestDB, and I have no idea how to grant them. I was expecting that on sign-in the user or groups from my AD would be available in QuestDB, but if I execute SHOW USERS I see only my admin user, and SHOW GROUPS is not showing anything.
When QuestDB Enterprise is working with SSO, it doesn't store users or groups from the remote server. We need to create a local group in QuestDB as a proxy for an external group on AD, and then we GRANT permissions to that group. When a user is authenticated, QuestDB will know which groups they are part of and will grant privileges based on that.
All that was missing from the configuration above was creating a group in QuestDB that connects with the Entra ID group.
create group group_entraid with external alias 'XXXXX-64e4-435a-8f2b-XXX';
The alias is the ObjectID for the group on AD.
After the group is mapped, we can grant the group members permission to use the web console and the PGWIRE protocol, along with any other database/table grants we need.
GRANT HTTP, PGWIRE TO group_entraid;
GRANT SELECT ON table1 TO group_entraid;
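When a mapped user still ends up with no permissions, the usual cause is that the token's groups claim does not actually contain the ObjectID used as the external alias. The following is an added debugging aid, not part of the answer or of QuestDB itself: it decodes a token's payload, reads the claim named by `acl.oidc.groups.claim`, and reports which local QuestDB groups would match. The token, user name and group ObjectIDs are constructed placeholders, and the script does not verify the token signature, so use it only to inspect claims.

```python
"""Offline check: which QuestDB groups would an Entra ID token map to?"""
import base64
import json

# Mirrors the server.conf keys from the question.
OIDC_GROUPS_CLAIM = "groups"   # acl.oidc.groups.claim
OIDC_SUB_CLAIM = "name"        # acl.oidc.sub.claim

# QuestDB group -> external alias (Entra ID group ObjectID), as created with
# CREATE GROUP ... WITH EXTERNAL ALIAS. Placeholder ID, not a real one.
EXTERNAL_ALIASES = {
    "group_entraid": "00000000-64e4-435a-8f2b-000000000000",
}

def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)   # restore stripped padding
    return base64.urlsafe_b64decode(segment)

def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: claim inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def map_groups(payload: dict) -> dict:
    """Report the user, matched QuestDB groups, and why a match may have failed."""
    user = payload.get(OIDC_SUB_CLAIM)
    groups = payload.get(OIDC_GROUPS_CLAIM)
    if groups is None:
        # Entra ID omits 'groups' and sets _claim_names when the user is in more
        # groups than fit in the token (groups overage); no mapping is possible then.
        overage = "_claim_names" in payload
        return {"user": user, "matched": [], "groups_claim_missing": True, "overage": overage}
    matched = [name for name, alias in EXTERNAL_ALIASES.items() if alias in groups]
    return {"user": user, "matched": matched, "groups_claim_missing": False, "overage": False}

def build_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned fixture for local testing; never accepted by a real IdP."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample: one group matches the alias above, one does not.
SAMPLE_TOKEN = build_unsigned_token({
    "name": "jane.doe@example.com",
    "groups": ["00000000-64e4-435a-8f2b-000000000000", "11111111-2222-3333-4444-555555555555"],
})

if __name__ == "__main__":
    print(map_groups(decode_payload(SAMPLE_TOKEN)))
```

If `groups_claim_missing` is true for a real token, the fix is on the Entra ID side (the app registration's groups claim or the requested scope), not in QuestDB's GRANT statements.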