Configure Azure passwordless authentication using Azure PostgreSQL as the Metastore
Azure’s passwordless authentication balances security and user convenience to provide a robust solution for enhancing the security and usability of PostgreSQL database access. Passwordless authentication allows your organization to minimize the risks associated with traditional password management and offer users a more seamless experience. This page shows you how to configure passwordless authentication for the Metastore in Azure and outlines the various passwordless authentication methods that we support.
Prerequisites
Standalone
- Configure your Azure database for PostgreSQL to enable passwordless authentication.
- Export the environment variable SPRING_PROFILES_ACTIVE=AZURE_ENV in the owl-env.sh file.

Cloud Native
- Configure your Azure database for PostgreSQL to enable passwordless authentication.
- Pass the following Helm Chart variables:

```shell
--set global.configMap.data.active_profile={AZURE_ENV} \
--set global.serviceAccount.annotations."azure\.workload\.identity/client-id"=<client-id> \
```
Setting up Azure passwordless authentication
Standalone
There are 3 methods you can use to authenticate Azure databases.
Environmental credentials
This method checks for credentials provided through environment variables. Export the following environment variables in the owl-env.sh file to enable this authentication method.
| Variable | Description |
|---|---|
| AZURE_TENANT_ID | The Microsoft Entra tenant (directory) ID. |
| AZURE_CLIENT_ID | The client (application) ID of an App Registration in the tenant. |
| AZURE_CLIENT_SECRET | A client secret that was generated for the App Registration. |
Managed identity credentials
No additional setup is required to enable managed identity. For more information, see the official Azure documentation on configuring managed identities to enable authentication for PostgreSQL Metastores.
Azure CLI credentials
Note: While this authentication method is supported, we recommend the environmental credentials or managed identity credentials options instead.
This method requires the Azure CLI to be enabled on the Azure virtual machine and the principal to be authenticated with the PostgreSQL database. When this is set up, Collibra Data Quality & Observability runs `az account get-access-token --output json` to retrieve the token used to authenticate with PostgreSQL.
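As an added example that is not part of this page or of the Collibra product, the following Python preflight check mirrors the credential order described above (environment variables, then workload identity, then managed identity or the Azure CLI) and validates the JSON that `az account get-access-token --output json` prints before it is used as the database password. The AZURE_FEDERATED_TOKEN_FILE variable, the `expires_on` epoch field and all sample values are assumptions or constructed inputs.

```python
import json
from datetime import datetime, timedelta, timezone

# Variables from the environmental-credentials table above.
ENV_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
# Variables the AKS workload identity webhook injects into a pod labelled
# azure.workload.identity/use: "true" (assumption: standard Azure names).
WI_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE")

def select_method(env):
    """Which passwordless method this environment lands on (Azure SDK chain order)."""
    if all(env.get(v) for v in ENV_VARS):
        return "environment"
    if env.get("AZURE_CLIENT_SECRET"):  # half-configured: fail loudly, don't fall through
        raise ValueError("AZURE_CLIENT_SECRET set but tenant or client ID missing")
    if all(env.get(v) for v in WI_VARS):
        return "workload-identity"
    # Managed identity and Azure CLI need no variables, so they look alike here.
    return "managed-identity-or-cli"

def check_cli_token(raw_json, now):
    """Validate `az account get-access-token --output json` output. Returns (ok, reason)."""
    try:
        tok = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc}"
    for key in ("accessToken", "expiresOn", "tokenType"):
        if key not in tok:
            return False, f"missing field {key!r}"
    if tok["tokenType"] != "Bearer":
        return False, f"unexpected tokenType {tok['tokenType']!r}"
    if "expires_on" in tok:  # newer az CLI also emits epoch seconds (assumption)
        expiry = datetime.fromtimestamp(int(tok["expires_on"]), tz=timezone.utc)
    else:  # older az CLI: local-time string "YYYY-MM-DD HH:MM:SS.ffffff"
        expiry = datetime.strptime(tok["expiresOn"], "%Y-%m-%d %H:%M:%S.%f").astimezone()
    if expiry <= now + timedelta(minutes=1):  # refuse tokens that are about to expire
        return False, f"token expires at {expiry.isoformat()}, too soon"
    return True, "ok"

# Constructed sample inputs (not real credentials or tokens).
REFERENCE_NOW = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
def _sample_token(offset_seconds):
    return json.dumps({"accessToken": "eyJ.constructed.token", "tokenType": "Bearer",
                       "expiresOn": "2030-01-01 12:00:00.000000",
                       "expires_on": int(REFERENCE_NOW.timestamp()) + offset_seconds})
GOOD_TOKEN_JSON = _sample_token(3600)
STALE_TOKEN_JSON = _sample_token(-3600)
WI_POD_ENV = {"AZURE_TENANT_ID": "<tenant-id>", "AZURE_CLIENT_ID": "<client-id>",
              "AZURE_FEDERATED_TOKEN_FILE": "/var/run/secrets/azure/tokens/azure-identity-token"}
```

Run `select_method(dict(os.environ))` on the host that will run the Metastore connection to confirm which method it will actually use before deploying.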
Cloud Native
Workload identity credentials
- Enable the Azure cluster for workload identity:

```shell
az aks update --resource-group "${RESOURCE_GROUP}" --name "${CLUSTER_NAME}" --enable-oidc-issuer --enable-workload-identity
```

- Enable federation for the Spark service account used by Collibra Data Quality & Observability:

```shell
az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"${SERVICE_ACCOUNT_NAMESPACE}":"${SERVICE_ACCOUNT_NAME}" --audience api://AzureADTokenExchange
```

- Deploy Collibra Data Quality & Observability with the following Helm variables, where managed-identity-id is the name of the managed identity and client-id is the client ID of the managed identity:

```shell
--set global.configMap.data.metastore_user=<managed-identity-id> \
--set global.configMap.data.metastore_pass=blank \
--set global.configMap.data.active_profile={AZURE_ENV} \
--set global.serviceAccount.annotations."azure\.workload\.identity/client-id"=<client-id> \
```

- Mount the Spark driver and executor pod templates with metadata enabled. The azure.workload.identity/use label is what makes the workload identity webhook inject the federated token into the Spark pods:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    azure.workload.identity/use: "true"
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
```

- Add the following to the Freeform (Appended) field on the Agent Configuration template to use the custom executor and driver pod templates:

```
--conf spark.kubernetes.driver.podTemplateFile=local:///opt/owl/config/k8s-driver-template.yml,spark.kubernetes.executor.podTemplateFile=local:///opt/owl/config/k8s-executor-template.yml
```

For more information about configuring your Azure cluster with workload identity, see the official Azure documentation.