Summary
This article describes a series of checks for troubleshooting group membership and access issues when Azure Active Directory (AAD) is the SSO provider for Dremio.
Overview
When working with Azure Active Directory (AAD), you can go through the following series of checks and questions to determine what is or is not working with group membership. Recall that in Dremio, roles correspond to AAD groups (in this context the terms are more or less synonymous).
Relevant Versions, Tools and Integrations
These steps are applicable to any version of Dremio where AAD is configured as the SSO provider.
Steps to Resolve
- Can the affected user(s) log in?
- Does the username in AAD match the username in Dremio?
- Is that user shown in the "User Management" → "Users" UI?
- Is the account type shown as "External"?
- Are the user's explicit (direct) AAD groups listed among the roles they belong to in their "User Management" → "Users" entry?
- Do the explicit AAD groups appear in the list under "User Management" → "Roles"?
  - Note that the groups shown here are only those that have been granted privileges on objects in the Dremio catalog.
  - Note that external users will NOT appear in the Members tab for that role.
- Are implicit (i.e. nested) AAD groups listed under "User Management" → "Roles"?
  - If so, can the user see all sources as expected?
  - If not, which sources are affected, e.g. only ADLS sources?
- Is the user able to successfully execute the following call against a group they belong to directly?
SELECT IS_MEMBER('group')
- Are they able to do the same for nested groups?
  - If possible, test for multiple layers of nesting.
- Are the user's grants on internal Dremio roles working as expected?
- Querying sys.roles, are all roles owned by "$dremio$"?
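The nested-group checks above hinge on the difference between a user's direct groups and the groups reachable through nesting, which is the difference between the Microsoft Graph memberOf and transitiveMemberOf endpoints. The following added example (not Dremio's code, and not an AAD call) models that distinction over a constructed, hypothetical group graph so you can see what a direct-only membership check misses, and how many layers of nesting a given IS_MEMBER check has to traverse:

```python
from collections import deque

# Constructed AAD group graph: group -> set of direct members (users or groups).
# Names are hypothetical and not taken from any real tenant.
GROUP_MEMBERS = {
    "eng-all":        {"eng-data", "eng-platform"},           # contains only groups
    "eng-data":       {"alice@example.com", "eng-data-leads"},
    "eng-data-leads": {"bob@example.com"},
    "eng-platform":   {"carol@example.com"},
}


def member_of(principal):
    """Model of Graph /memberOf: groups the principal belongs to directly."""
    return {g for g, members in GROUP_MEMBERS.items() if principal in members}


def transitive_member_of(principal):
    """Model of Graph /transitiveMemberOf: direct groups plus every group
    reachable through nesting, walking upward until no new groups appear."""
    seen = set()
    frontier = member_of(principal)
    while frontier:
        seen |= frontier
        frontier = {parent for g in frontier for parent in member_of(g)} - seen
    return seen


def is_member(principal, group, nested=True):
    """Model of an IS_MEMBER check; nested=False reproduces a direct-only lookup,
    which is the behaviour that makes nested groups appear to fail."""
    groups = transitive_member_of(principal) if nested else member_of(principal)
    return group in groups


def membership_path(principal, group):
    """Chain of groups from the principal's direct group up to `group`, or None
    if the principal is not a transitive member. The chain length minus one is
    the number of nesting layers a check for `group` must traverse."""
    queue = deque([[g] for g in member_of(principal)])
    visited = set()
    while queue:
        path = queue.popleft()
        last = path[-1]
        if last == group:
            return path
        if last in visited:
            continue
        visited.add(last)
        for parent in member_of(last):
            queue.append(path + [parent])
    return None


if __name__ == "__main__":
    user = "bob@example.com"
    print("direct:", sorted(member_of(user)))
    print("transitive:", sorted(transitive_member_of(user)))
    print("path to eng-all:", membership_path(user, "eng-all"))
```

For bob@example.com the direct lookup yields only eng-data-leads, so a direct-only check for eng-all fails while the transitive check succeeds through two layers of nesting; that is the case the "multiple layers of nesting" step is meant to exercise.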
Note that sys.membership does NOT track external memberships, only the memberships you have added within Dremio. Also note that the dremio-admin repair-acls utility does NOT work for external groups.
When troubleshooting, enable debug logging for all AAD classes:
<logger name="com.dremio.extusr.azuread" level="debug" />
<logger name="com.dremio.extusr.oauth" level="debug" />
With debug enabled, when Dremio queries AAD for a group that is not present in its cache, you should see a request like the following:
2023-09-12 15:50:44,773 [qtp1204874843-2485] DEBUG c.d.extusr.azuread.AzureGraphClient - Completing a GET to [https://graph.microsoft.com/v1.0/users/myUser@dremio.com/transitiveMemberOf] took 153 ms with response code 200
This is indicative of a successful request (HTTP 200) to the Microsoft Graph API. A request that returns a code other than 200 indicates that the Graph call itself failed and should be investigated before looking at Dremio role configuration.
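When a server has been running with debug enabled for a while, picking the relevant AzureGraphClient lines out of the log by hand gets tedious. The following added script (not part of the article or of Dremio) parses lines in the format shown above and separates successful calls from failed or slow ones; the sample log lines it runs on are constructed for the example, and the threshold for "slow" is an assumed value:

```python
import re
from dataclasses import dataclass

# Matches the AzureGraphClient debug line format shown in the article.
GRAPH_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] DEBUG c\.d\.extusr\.azuread\.AzureGraphClient - "
    r"Completing a (?P<method>[A-Z]+) to \[(?P<url>[^\]]+)\] "
    r"took (?P<ms>\d+) ms with response code (?P<code>\d+)$"
)

# Constructed sample: the line from the article plus a failed call,
# a slow call and an unrelated line that must be ignored.
SAMPLE_LOG = [
    "2023-09-12 15:50:44,773 [qtp1204874843-2485] DEBUG c.d.extusr.azuread.AzureGraphClient - "
    "Completing a GET to [https://graph.microsoft.com/v1.0/users/myUser@dremio.com/transitiveMemberOf] "
    "took 153 ms with response code 200",
    "2023-09-12 15:51:02,101 [qtp1204874843-2490] DEBUG c.d.extusr.azuread.AzureGraphClient - "
    "Completing a GET to [https://graph.microsoft.com/v1.0/users/other.user@dremio.com/transitiveMemberOf] "
    "took 98 ms with response code 403",
    "2023-09-12 15:51:30,555 [qtp1204874843-2491] DEBUG c.d.extusr.azuread.AzureGraphClient - "
    "Completing a GET to [https://graph.microsoft.com/v1.0/users/slow.user@dremio.com/transitiveMemberOf] "
    "took 4210 ms with response code 200",
    "2023-09-12 15:51:31,000 [qtp1204874843-2491] INFO  c.d.exec.work.foreman.Foreman - Query completed",
]


@dataclass
class GraphCall:
    ts: str
    method: str
    url: str
    ms: int
    code: int

    @property
    def principal(self) -> str:
        """The user principal from a /users/<upn>/... URL, or '' if absent."""
        m = re.search(r"/users/([^/]+)/", self.url)
        return m.group(1) if m else ""


def parse_graph_calls(lines):
    """Return a GraphCall for every line that is an AzureGraphClient request log."""
    calls = []
    for line in lines:
        m = GRAPH_LINE.match(line.strip())
        if m:
            calls.append(GraphCall(m["ts"], m["method"], m["url"], int(m["ms"]), int(m["code"])))
    return calls


def triage(calls, slow_ms=1000):
    """Split calls into failed (non-200) and slow (200 but >= slow_ms) lists.
    The 1000 ms threshold is an assumed default, not a Dremio setting."""
    failed = [c for c in calls if c.code != 200]
    slow = [c for c in calls if c.code == 200 and c.ms >= slow_ms]
    return {"failed": failed, "slow": slow, "ok": len(calls) - len(failed)}


if __name__ == "__main__":
    result = triage(parse_graph_calls(SAMPLE_LOG))
    for c in result["failed"]:
        print(f"FAILED {c.code} {c.principal} {c.url}")
    for c in result["slow"]:
        print(f"SLOW   {c.ms} ms {c.principal} {c.url}")
    print(f"{result['ok']} successful Graph call(s)")
```

To run it against a real server.log, replace SAMPLE_LOG with the file's lines; a principal that shows up under FAILED is one whose group lookup never reached Dremio, so the Dremio-side role checks earlier in this article cannot succeed for that user until the Graph call is fixed.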