CODEWITHSUNDEEP
pythonazureazure-data-explorer
Hazriq Ishak
Hazriq Ishak

Reputation: 335

How to properly authenticate Kusto using a Python client?

I'm trying to test a connection between my node and Azure Data Explorer (ADX/ Kusto). I'm thinking to create a table on Kusto using a python script.

Please be aware that I'm not very familiar with any of this, hence the detailed steps below.

I'm following this quickstart guide on Microsoft docs.

Generate application ID and key

Using App Registrations service:

  1. Create new registration (named kusto test): enter image description here

  2. Create a client secrets: enter image description here

Create Kusto DB

From the cluster, create a database from the UI (called kusto-test)

enter image description here

Authorization

On the ADX cluster > Access control (IAM) > Add role assignment. enter image description here

Python script

from azure.kusto.data.request import KustoClient, KustoConnectionStringBuilder
from azure.kusto.data.exceptions import KustoServiceError
from azure.kusto.data.helpers import dataframe_from_result_table

KUSTO_DATABASE = "kusto-test"
CLUSTER = "https://mynode.myregion.kusto.windows.net"

CLIENT_ID = "KUSTO_TEST_APP_ID" # From image above
CLIENT_SECRET = "KUSTO_TEST_PASS" # From image above

AUTHORITY_ID = "<insert here your tenant id>" #Got from https://login.windows.net/<YourDomain>/.well-known/openid-configuration/

KCSB_DATA = KustoConnectionStringBuilder.with_aad_application_key_authentication(
    CLUSTER, CLIENT_ID, CLIENT_SECRET, AUTHORITY_ID
)


KUSTO_CLIENT = KustoClient(KCSB_DATA)
CREATE_TABLE_COMMAND = ".create table StormEvents (StartTime: datetime, EndTime: datetime, EpisodeId: int, EventId: int, State: string, EventType: string, InjuriesDirect: int, InjuriesIndirect: int, DeathsDirect: int, DeathsIndirect: int, DamageProperty: int, DamageCrops: int, Source: string, BeginLocation: string, EndLocation: string, BeginLat: real, BeginLon: real, EndLat: real, EndLon: real, EpisodeNarrative: string, EventNarrative: string, StormSummary: dynamic)"

RESPONSE = KUSTO_CLIENT.execute_mgmt(KUSTO_DATABASE, CREATE_TABLE_COMMAND)

dataframe_from_result_table(RESPONSE.primary_results[0])

Expected:

Actual:

azure.kusto.data.exceptions.KustoServiceError: (KustoServiceError(...), [{u'error': {u'code': u'Forbidden', u'@permanent': True, u'@message': u"Principal '....' is not authorized to access database 'kusto-test'.", ...}, u'message': u'Caller is not authorized to perform this action', u'@type': u'Kusto.DataNode.Exceptions.UnauthorizedDatabaseAccessException'}}])

Upvotes: 3

Views: 8688

Answers (2)

Andre
Andre

Reputation: 141

Another solution which I like most is currently the connection with AZ Cli authentification:

from azure.kusto.data import KustoClient, KustoConnectionStringBuilder
kcsb = KustoConnectionStringBuilder.with_az_cli_authentication(KUSTO_URI)
client = KustoClient(kcsb)

Ready to rumble in 3 lines of code. If you have not signed in with your AD credentials it will prompt you to do so opening a web browser to sign you in. In my situation only software developers / data scientists need to access Kusto with python. They mostly have permissions which are already inherited through the resource group.

Upvotes: 1

Avnera
Avnera

Reputation: 7608

Adding an owner in the Azure portal "access control" only provides that entity with permission to manage the resource (also known as the 'control plane') and is not applicable to the permissions on the database itself (also known as the 'data plane').

To provide that application permission to operate in the data plane for example to run queries, create tables etc. you need to give it permission in the applicable database "Permissions" section:

database permission section

Upvotes: 6

Related Questions