From e7b3ef548ee73430d1f60d950c45d7a8e17d745d Mon Sep 17 00:00:00 2001 From: Dimitri Fontaine Date: Mon, 6 Jul 2026 14:31:27 +0200 Subject: [PATCH] fix(mssql): remove invalid auth modes; suppress azure-identity log noise MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ActiveDirectoryAzCli and ActiveDirectoryWorkloadIdentity do not exist in the mssql-jdbc 12.6.1 SqlAuthentication enum — they are .NET/Go driver concepts only. Remove both from docs and tests. Add ActiveDirectoryIntegrated (Kerberos) and ActiveDirectoryServicePrincipalCertificate to the docs table as they are valid mssql-jdbc modes confirmed by javap. Suppress verbose azure-identity DefaultAzureCredential chain probe messages (EnvironmentCredential unavailable, WorkloadIdentity unavailable, ManagedIdentityCredential unavailable, etc.) in logback.xml by setting com.azure.identity to WARN and com.microsoft.aad.msal4j to ERROR. These INFO-level messages are expected on a developer machine but extremely noisy when multiple connection threads each walk the full credential chain. Reported by audunsolemdal in #1754. --- clojure/resources/logback.xml | 7 +++ clojure/test/pgloader/load_file/ast_test.clj | 4 +- docs/ref/mssql.rst | 45 +++++++++----------- 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/clojure/resources/logback.xml b/clojure/resources/logback.xml index a0a21ac3..da9d0be8 100644 --- a/clojure/resources/logback.xml +++ b/clojure/resources/logback.xml @@ -21,6 +21,13 @@ + + + + diff --git a/clojure/test/pgloader/load_file/ast_test.clj b/clojure/test/pgloader/load_file/ast_test.clj index 5a3b9252..7ee61f2c 100644 --- a/clojure/test/pgloader/load_file/ast_test.clj +++ b/clojure/test/pgloader/load_file/ast_test.clj @@ -95,12 +95,12 @@ "com.microsoft.aad.msal4j must be on the classpath for ActiveDirectoryPassword / ActiveDirectoryServicePrincipal auth"))) (deftest test-azure-identity-on-classpath - (testing "azure-identity is bundled — ActiveDirectoryDefault / AzCli / WorkloadIdentity auth modes are available" + (testing "azure-identity is bundled — ActiveDirectoryDefault auth mode is available" (is (try (Class/forName "com.azure.identity.DefaultAzureCredentialBuilder") true (catch ClassNotFoundException _ false)) - "com.azure.identity must be on the classpath for ActiveDirectoryDefault / ActiveDirectoryAzCli / ActiveDirectoryWorkloadIdentity auth"))) + "com.azure.identity must be on the classpath for ActiveDirectoryDefault auth"))) (deftest test-parse-postgresql-synthesises-jdbc-url (testing "postgresql:// synthesises jdbc-url" diff --git a/docs/ref/mssql.rst b/docs/ref/mssql.rst index f030231e..8ef9e562 100644 --- a/docs/ref/mssql.rst +++ b/docs/ref/mssql.rst @@ -356,21 +356,21 @@ and ``authentication=`` reach the driver exactly as written. Quick reference: -+--------------------------------------+------------------------------------------------+ -| Mode | Typical use case | -+======================================+================================================+ -| ``ActiveDirectoryServicePrincipal`` | CI/CD — app registration (client ID + secret) | -+--------------------------------------+------------------------------------------------+ -| ``ActiveDirectoryManagedIdentity`` | Azure VM / App Service / AKS — no credentials | -+--------------------------------------+------------------------------------------------+ -| ``ActiveDirectoryDefault`` | Developer laptop: ``az login`` fallback chain | -+--------------------------------------+------------------------------------------------+ -| ``ActiveDirectoryAzCli`` | Developer laptop: explicit ``az login`` token | -+--------------------------------------+------------------------------------------------+ -| ``ActiveDirectoryWorkloadIdentity`` | Kubernetes OIDC workload identity | -+--------------------------------------+------------------------------------------------+ -| ``ActiveDirectoryPassword`` | **Deprecated** — blocked by MFA enforcement | -+--------------------------------------+------------------------------------------------+ ++--------------------------------------------+------------------------------------------------+ +| Mode | Typical use case | ++============================================+================================================+ +| ``ActiveDirectoryServicePrincipal`` | CI/CD — app registration (client ID + secret) | ++--------------------------------------------+------------------------------------------------+ +| ``ActiveDirectoryServicePrincipalCertif.`` | CI/CD — app registration with certificate | ++--------------------------------------------+------------------------------------------------+ +| ``ActiveDirectoryManagedIdentity`` | Azure VM / App Service / AKS — no credentials | ++--------------------------------------------+------------------------------------------------+ +| ``ActiveDirectoryDefault`` | Developer laptop: ``az login`` fallback chain | ++--------------------------------------------+------------------------------------------------+ +| ``ActiveDirectoryIntegrated`` | Windows / Kerberos domain-joined machine | ++--------------------------------------------+------------------------------------------------+ +| ``ActiveDirectoryPassword`` | **Deprecated** — blocked by MFA enforcement | ++--------------------------------------------+------------------------------------------------+ ``ActiveDirectoryServicePrincipal`` Authenticate as an Azure AD application (client ID + client secret) — @@ -402,19 +402,12 @@ authentication=ActiveDirectoryDefault;encrypt=true;trustServerCertificate=false" get-access-token`` using your existing ``az login`` session — no browser popup is needed. -``ActiveDirectoryAzCli`` - Like ``ActiveDirectoryDefault`` but always uses the Azure CLI token - exclusively. Useful when you want a predictable, unambiguous credential - source on a developer machine:: +``ActiveDirectoryIntegrated`` + Authenticate via Kerberos on a domain-joined machine. Requires a valid + Kerberos ticket (``kinit`` on Linux/macOS, automatic on Windows):: FROM "jdbc:sqlserver://myserver.database.windows.net:1433;databaseName=mydb;\ -authentication=ActiveDirectoryAzCli;encrypt=true;trustServerCertificate=false" - -``ActiveDirectoryWorkloadIdentity`` - For Kubernetes pods with OIDC workload identity federation:: - - FROM "jdbc:sqlserver://myserver.database.windows.net:1433;databaseName=mydb;\ -authentication=ActiveDirectoryWorkloadIdentity;encrypt=true" +authentication=ActiveDirectoryIntegrated;encrypt=true" ``ActiveDirectoryPassword`` .. note::