How to authenticate with Azure Analysis Services f

2019-04-13 04:22发布

问题:

I have a c sharp class library that connects to Azure Analysis Services using the AMO library.

I'd like to use this as part of my data factory pipeline to refresh cube partitions. This is done through Azure batch as a custom .net activity.

var server = new Server();
server.Connect("Provider=MSOLAP;Data Source=asazure://uksouth.asazure.windows.net/abcd;Initial Catalog=xyz");

Running this locally works fine, however this will not run in the cloud. It currently errors out as it is not being run under my user account. I know that I can add a username and password to the connection string, but I would much rather give it some form of authorisation if that is possible.

Are there any other methods for authenticating with Azure Analysis services?

回答1:

It's possible to connect to AAS using service account now.

See working example of custom activity here.

Connection part from it can be simplified as:

var authority = "https://login.windows.net/<tenant-id>";
var resource = "https://southcentralus.asazure.windows.net";
var appId = "***";
var appSecret = "***";

AuthenticationContext authContext = new AuthenticationContext(authority);
ClientCredential credentials = new ClientCredential(appId, appSecret);
var task = authContext.AcquireTokenAsync(resource, credentials);
task.Wait();
string token = task.Result.AccessToken;

var connectionStringTemplate = "Provider=MSOLAP;Data Source=asazure://southcentralus.asazure.windows.net/xxxxxx;Initial Catalog= xxx;User ID=;Password={0};Persist Security Info=True;Impersonation Level=Impersonate";
var connectionString = string.Format(CultureInfo.InvariantCulture, connectionStringTemplate, token);

var server = new Server();
server.Connect(connectionString);

You need to give your service account access to AAS model in format app:<appId>@<tenantId>.



回答2:

I'm assuming that you can register a service principal within the context of your Azure Active Directory that can be used by the custom activity code to authenticate against SSAS. This is certainly the case for other services like Azure Data Lake.

For example create you credential using a method like this:

    private static ServiceClientCredentials AuthenticateAzure(string domainName, string clientID, string clientSecret)
    {
        SynchronizationContext.SetSynchronizationContext(new SynchronizationContext());

        var clientCredential = new ClientCredential(clientID, clientSecret);
        return ApplicationTokenProvider.LoginSilentAsync(domainName, clientCredential).Result;
    }

Check out this MS docs page on service to service authentication:

https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-authenticate-using-active-directory

If not, you might have to do this using Azure Functions instead...

https://azure.microsoft.com/en-gb/blog/automating-azure-analysis-services-processing-with-azure-functions/

Hope this helps.