Azure AD and Role Based Security Queries.

[Madhan-Rommala]

Hi Guys!

I had couple of queries related to DAB API's access related stuff.

Below are the list of components and configurations used:

• Used Azure SQL DB
• The Azure storage account's File share was used to host the Data API Builder configuration file.
• Used the Azure AD for authentication & authorization
• An Azure Container Instance running the Data API Builder container image.

Implemented the instructions mentioned in this link https://github.com/Azure/data-api-builder/blob/main/docs/authentication-azure-ad.md#authentication-with-azure-ad

• Created and configured Data API Builder's Azure AD app registration.

• While register the app, Set the supported account types to "Accounts in this organizational directory only" to restict data api access to external audience.

• Assign users/roles to Data API Builder application like below.

• DAB-Configuration-File:

`{
"$schema": "https://github.com/Azure/data-api-builder/releases/download/v0.5.35/dab.draft.schema.json",
"data-source": {
"database-type": "mssql",
"options": {
"set-session-context": false
},
"connection-string": "@env('DATABASE_CONNECTION_STRING')"
},
"runtime": {
"rest": {
"enabled": true,
"path": "/api"
},
"graphql": {
"allow-introspection": true,
"enabled": true,
"path": "/graphql"
},
"host": {
"mode": "development",
"cors": {
"origins": [
"http://localhost:5000"
],
"allow-credentials": false
},
"authentication": {
"provider": "AzureAD",
"jwt": {
"audience": "*************************",
"issuer": "https://login.microsoftonline.com/******************************/v2.0"
}
}
}
},

"entities": {
"AppName": {
"source": {
"object": "Common.AppName_DAB_test",
"type": "table",
"key-fields": [
"AppID"
]
},
"permissions": [
{
"role": "anonymous",
"actions": [
"read"
]
},
{
"role": "contributor",
"actions": [
"read",
"create"
]
}
]
}

}
}
`

So, here is my list of questions and obervations:

1. If I make any changes to the configuration file in my Azure storage account, as shown below, I must restart the Azure container instance for every time to reflect those changes. Is their any workaround to update changes automatically?
   

2. Even though we use Azure AD authentication, my Data API url's are still accessible to outside of the organisations.
   Note : while registering the app, we already enabled the property account types to "Accounts in this organizational directory only" to restict data api access to external audience.

3.I removed the "anonymous" role from the configuration file, but left the "contributor" role with "read" and "create" access enabled.. However, after removing "anonymous" role, I was unable to access the API. Please see the snaps below.

4. Please refer the below snap, In Azure AD entriprise application page, I have assigned the user with "contributor" role, and in DAB- Config file, we configured the "contributor" role with actions "read" & "create" access. However,when i invoke the Patch method, I was able to perform update operation. Ideally,it should not allow right.
   

[seantleonard]

Hi @Madhan-Rommala ,

1. Any changes to the config file require a restart of the engine to take effect. In your case, that sounds like it would be a container restart.
2. Configuring the Azure AD App Registration to "Accounts in this organizational directory only", you only restrict who can sign in to acquire an access token that would be accepted by Data Api builder. In your case, only users in your organization would be able to get such a token. To block access to your Data Api builder endpoints, you would need to implement other network/vnet/firewall rules that are outside the scope of Data Api builder engine.
3. What do your request headers look like? to execute the request in the context of a given role, like contributor, you would need to include the header X-MS-API-ROLE with value contributor in addition to providing a valid access token in the Authorize header.
4. Same comment as 3. Additionally, I tried to reproduce this on my end with a PATCH request where a single role was configured with Create,Read permissions, and received the expected 403 error:

{
    "error": {
        "code": "AuthorizationCheckFailed",
        "message": "Authorization Failure: Access Not Allowed.",
        "status": 403
    }
}

your issue could possibly occur due to your container not acquiring your latest intended configuration file.

[Madhan-Rommala]

Thank you for the detailed information, @seantleonard.

In regards to Point #3, could you please guide me to the location where the header X-MS-API-ROLE with value like contributor needs to be configured? do you mean that, it has to be configured in the dab.config.json file or something? Can you send one example for this configuration.

I needed to send the APIs to one of the development team, So that based on the user roles defined during the app registration process, they would have a particular level of access.
Like a user with a contributor role can only access APIs to create or read data. whereas a user with the Admin role can do all operations.

[seantleonard]

X-MS-API-ROLE is an HTTP header. The header and its value represent the role for which the request should be evaluated. The following screenshot demonstrates this using Postman.

[Aniruddh25]

hi @Madhan-Rommala,

could you please guide me to the location where the header X-MS-API-ROLE with value like contributor needs to be configured?

your client app needs to configure this header while sending the request to dab.
For more info, see the official docs here: https://learn.microsoft.com/en-us/azure/data-api-builder/authorization#roles-selection

Let us know if you still have questions