Azure MySQL flexible server should have Entra Only Authentication enabled [Medium] #1306

Closed
16 tasks done
emirgens opened this issue Apr 18, 2024 · 0 comments · Fixed by #1370, equinor/radix-flux#2193, equinor/radix-flux#2313, equinor/radix-flux#2316 or equinor/radix-flux#2339
Labels
security Issues related to security improvements

emirgens commented Apr 18, 2024

Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Azure Active Directory identities.
Affected: Grafana MySQL database

  • s941-radix-grafana-playground
  • s941-radix-grafana-dev
  • s940-radix-grafana-platform-prod  
  • s940-radix-grafana-extmon-prod
  • s940-radix-grafana-c2-prod

Manual remediation:
To enable Azure Active Directory Only Authentication for Azure MySQL flexible server:

  1. In Azure Portal, open your Azure MySQL Flexible Server.
  2. Click on 'Authentication' on the left pane.
  3. In 'Assign access to' under the 'Authentication' section select the 'Azure Active Directory authentication only' option and click 'Save'.
  4. To complete the configuration, once the change is deployed you will need to go to the 'Select identity' section and supply a user assigned managed identity with the permissions User.Read.All, GroupMember.Read.All and Application.Read.All.
  5. Assign an Azure AD admin under the 'Azure Active Directory Administrators (Azure AD Admins)' section and click 'Save'.

Plan:

emirgens added the "security" label (Issues related to security improvements) on Apr 18, 2024
emirgens changed the title from "Azure MySQL flexible server should have Azure Active Directory Only Authentication enabled [security][Medium]" to "Azure MySQL flexible server should have Entra Only Authentication enabled [security][Medium]" on May 2, 2024
emirgens changed the title from "Azure MySQL flexible server should have Entra Only Authentication enabled [security][Medium]" to "Azure MySQL flexible server should have Entra Only Authentication enabled [Medium]" on May 21, 2024
Richard87 self-assigned this on Jun 17, 2024
Richard87 linked a pull request on Jun 18, 2024 that will close this issue
Richard87 linked a pull request on Jun 25, 2024 that will close this issue
Richard87 removed their assignment on Jul 5, 2024
Richard87 linked a pull request on Aug 22, 2024 that will close this issue
Richard87 linked a pull request on Sep 16, 2024 that will close this issue
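
A way to verify the manual remediation above from the command line, as an added example that is not part of the original issue or the project's own code: it reads the `aad_auth_only` server parameter, which the portal's Entra-only option sets to ON, and counts the assigned Entra admins. The function names are hypothetical, and the resource group is passed in by the caller because the issue does not name one.

```shell
#!/bin/sh
# Added example: audit Azure MySQL flexible servers for Entra-only authentication.
# Function names are hypothetical; the resource group is supplied by the caller.

# Print the aad_auth_only server parameter (ON = Entra-only, OFF = passwords allowed).
aad_auth_only_value() {
    az mysql flexible-server parameter show \
        --resource-group "$1" --server-name "$2" \
        --name aad_auth_only --query value --output tsv
}

# Print how many Entra administrators are assigned to the server.
entra_admin_count() {
    az mysql flexible-server ad-admin list \
        --resource-group "$1" --server-name "$2" \
        --query 'length(@)' --output tsv
}

# check_server RG SERVER: 0 = compliant, 1 = finding, 2 = query failed.
check_server() {
    cs_value=$(aad_auth_only_value "$1" "$2") || { echo "ERROR $2: parameter query failed"; return 2; }
    cs_admins=$(entra_admin_count "$1" "$2") || { echo "ERROR $2: admin query failed"; return 2; }
    case $cs_value in
        ON|on) ;;
        *) echo "FAIL $2: aad_auth_only=${cs_value:-unset}, MySQL password logins still accepted"
           return 1 ;;
    esac
    if [ "${cs_admins:-0}" -lt 1 ]; then
        echo "FAIL $2: Entra-only is set but no Entra admin is assigned"
        return 1
    fi
    echo "PASS $2"
}

# audit_servers RG SERVER...: check each server, return the number not passing.
audit_servers() {
    as_rg=$1; shift
    as_bad=0
    for as_server in "$@"; do
        check_server "$as_rg" "$as_server" || as_bad=$((as_bad + 1))
    done
    return "$as_bad"
}

# Run only when called with arguments, e.g.:
#   sh audit.sh <resource-group> s941-radix-grafana-dev s941-radix-grafana-playground
if [ "$#" -ge 2 ]; then audit_servers "$@"; fi
```

The exit status of `audit_servers` is the number of servers that did not pass, so a scheduled job can alert on any non-zero result.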