Merge pull request #146 from deitch/setup-auth-options

Control admin vs runtime setup
microsoft · Feb 22, 2018 · b0f5a27 · b0f5a27
2 parents ec0f0d9 + 99a5576
commit b0f5a27
Showing 1 changed file with 99 additions and 35 deletions.
diff --git a/ReportingServicesTools/Functions/Admin/Set-RsDatabase.ps1 b/ReportingServicesTools/Functions/Admin/Set-RsDatabase.ps1
@@ -7,52 +7,69 @@ function Set-RsDatabase
     <#
         .SYNOPSIS
             This script configures the database settings used by SQL Server Reporting Services.
-        
+
         .DESCRIPTION
             This script configures SQL Server Reporting Services to either create and use a new RS database or use an existing RS database.
             You must be an admin in RS and SQL Server in order to perform this operation successfully.
-        
+            There are three phases to setup:
+            1. Create the PBIRS database on the database server
+            2. Grant the run-time user access to the PBIRS database - this user must exist before running this
+            3. Configure the PowerBI Report Server to use the database and run-time credentials
+            Your admin role on SQL Server can be one of:
+            * The account under which you run this powershell (default)
+            * A specific set of credentials for the SQL Server which has admin rights, specified via -AdminDatabaseCredential
+
         .PARAMETER ReportServerInstance
             Specify the name of the SQL Server Reporting Services Instance.
             Use the "Connect-RsReportServer" function to set/update a default value.
-        
+
         .PARAMETER ReportServerVersion
             Specify the version of the SQL Server Reporting Services Instance.
             Use the "Connect-RsReportServer" function to set/update a default value.
-        
+
         .PARAMETER ComputerName
             The Report Server to target.
             Use the "Connect-RsReportServer" function to set/update a default value.
-        
+
         .PARAMETER Credential
             Specify the credentials to use when connecting to the Report Server.
             Use the "Connect-RsReportServer" function to set/update a default value.
-        
+
         .PARAMETER DatabaseServerName
             Specify the database server name. (e.g. localhost, MyMachine\Sql2016, etc.)
-        
+
         .PARAMETER IsRemoteDatabaseServer
             Specify this switch if the database server is on a different machine than the machine Reporting Services is running on.
-        
+
         .PARAMETER Name
             Specify the name of the RS Database.
-        
+
         .PARAMETER IsExistingDatabase
-            Specify this switch if the database to use already exists.
-        
+            Specify this switch if the database to use already exists, and prevent creation of the database.
+
         .PARAMETER DatabaseCredentialType
-            Indicate what type of credentials to use when connecting to the database: Windows, SQL, or Service Account.
-        
+            Indicate what type of runtime credentials to use when connecting to the database: Windows, SQL, or Service Account.
+
         .PARAMETER DatabaseCredential
-            Specify the credentials to use when connecting to the SQL Server.
+            Specify the runtime credentials to use when connecting to the SQL Server.
+            This credential is used for *run-time* only. It is not used for initial database setup.
             Note: This parameter will be ignored whenever DatabaseCredentialType is set to Service Account!
-        
+
+        .PARAMETER AdminDatabaseCredentialType
+            Indicate what type of admin setup credentials to use when connecting to the database: Windows (current user running this powershell) or SQL.
+            Defaults to Windows.
+
+        .PARAMETER AdminDatabaseCredential
+            Specify the admin setup credentials to use when connecting to the SQL Server.
+            This credential is used for *setup* only; it is not used for PowerBI Report Server during runtime.
+            Note: This parameter will be ignored whenever AdminDatabaseCredentialType is set to Service Account!
+
         .EXAMPLE
             Set-RsDatabase -DatabaseServerName localhost -Name ReportServer -DatabaseCredentialType ServiceAccount
             Description
             -----------
             This command will create a new RS database (ReportServer) and configure Reporting Services to connect to it using Service Account credentials.
-        
+
         .EXAMPLE
             Set-RsDatabase -DatabaseServerName localhost -Name ExistingReportServer -IsExistingDatabase -DatabaseCredentialType Windows -DatabaseCredential $myCredentials
             Description
@@ -68,42 +85,49 @@ function Set-RsDatabase
 
         [switch]
         $IsRemoteDatabaseServer,
-        
+
         [Parameter(Mandatory = $True)]
         [Alias('DatabaseName')]
         [string]
         $Name,
 
         [switch]
         $IsExistingDatabase,
-        
+
         [Parameter(Mandatory = $true)]
         [Alias('Authentication')]
         [Microsoft.ReportingServicesTools.SqlServerAuthenticationType]
         $DatabaseCredentialType,
-        
+
         [System.Management.Automation.PSCredential]
         $DatabaseCredential,
-
+
+        [Parameter]
+        [Microsoft.ReportingServicesTools.SqlServerAuthenticationType]
+        $AdminDatabaseCredentialType,
+
+        [System.Management.Automation.PSCredential]
+        $AdminDatabaseCredential,
+
         [Alias('SqlServerInstance')]
         [string]
         $ReportServerInstance,
-        
+
         [Alias('SqlServerVersion')]
         [Microsoft.ReportingServicesTools.SqlServerVersion]
         $ReportServerVersion,
-        
+
         [string]
         $ComputerName,
-        
+
         [System.Management.Automation.PSCredential]
         $Credential
     )
-    
-    if ($PSCmdlet.ShouldProcess((Get-ShouldProcessTargetWmi -BoundParameters $PSBoundParameters), "Configure to use $DatabaseServerName as database, using $DatabaseCredentialType authentication"))
+
+    if ($PSCmdlet.ShouldProcess((Get-ShouldProcessTargetWmi -BoundParameters $PSBoundParameters), "Configure to use $DatabaseServerName as database, using $DatabaseCredentialType runtime authentication and $AdminDatabaseCredentialType setup authentication"))
     {
         $rsWmiObject = New-RsConfigurationSettingObjectHelper -BoundParameters $PSBoundParameters
-        
+
         #region Validating authentication and normalizing credentials
         $username = ''
         $password = $null
@@ -112,7 +136,7 @@ function Set-RsDatabase
             $username = $rsWmiObject.WindowsServiceIdentityActual
             $password = ''
         }
-        
+
         else
         {
             if ($DatabaseCredential -eq $null)
@@ -123,11 +147,37 @@ function Set-RsDatabase
             $password = $DatabaseCredential.GetNetworkCredential().Password
         }
         #endregion Validating authentication and normalizing credentials
-
+
+        #region Validating admin authentication and normalizing credentials
+        $adminUsername = ''
+        $adminPassword = $null
+
+        # default is Windows
+        $isSQLAdminAccount = ($AdminDatabaseCredentialType -like "SQL")
+
+        # we do not allow service account - only Windows and SQL
+        if ($AdminDatabaseCredentialType -like 'serviceaccount')
+        {
+            throw "Can only use Admin Database Credentials Type of 'Windows' or 'SQL'"
+        }
+
+        # must have credentials passed
+        if ($isSQLAdminAccount)
+        {
+            if ($AdminDatabaseCredential -eq $null)
+            {
+                throw "No Admin Database Credential specified! Admin Database credential must be specified when configuring $AdminDatabaseCredentialType authentication."
+            }
+            $adminUsername = $AdminDatabaseCredential.UserName
+            $adminPassword = $AdminDatabaseCredential.GetNetworkCredential().Password
+        }
+        #endregion Validating admin authentication and normalizing credentials
+
+
         #region Create Database if necessary
         if (-not $IsExistingDatabase)
         {
-            # Step 1 - Generate Database Script  
+            # Step 1 - Generate Database Script
             Write-Verbose "Generating database creation script..."
             $EnglishLocaleId = 1033
             $IsSharePointMode = $false
@@ -142,12 +192,19 @@ function Set-RsDatabase
                 $SQLScript = $result.Script
                 Write-Verbose "Generating database creation script... Complete!"
             }
-            
+
             # Step 2 - Run Database creation script
             Write-Verbose "Executing database creation script..."
             try
             {
-                Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLScript -ErrorAction Stop
+                if ($isSQLAdminAccount)
+                {
+                    Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLScript -ErrorAction Stop -Username $adminUsername -Password $adminPassword
+                }
+                else
+                {
+                    Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLScript -ErrorAction Stop
+                }
             }
             catch
             {
@@ -157,7 +214,7 @@ function Set-RsDatabase
             Write-Verbose "Executing database creation script... Complete!"
         }
         #endregion Create Database if necessary
-        
+
         #region Configuring Database rights
         # Step 3 - Generate database rights script
         Write-Verbose "Generating database rights script..."
@@ -173,12 +230,19 @@ function Set-RsDatabase
             $SQLscript = $result.Script
             Write-Verbose "Generating database rights script... Complete!"
         }
-        
+
         # Step 4 - Run Database rights script
         Write-Verbose "Executing database rights script..."
         try
         {
-            Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLscript -ErrorAction Stop
+            if ($isSQLAdminAccount)
+            {
+                Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLScript -ErrorAction Stop -Username $adminUsername -Password $adminPassword
+            }
+            else
+            {
+                Invoke-Sqlcmd -ServerInstance $DatabaseServerName -Query $SQLScript -ErrorAction Stop
+            }
         }
         catch
         {
@@ -187,7 +251,7 @@ function Set-RsDatabase
         }
         Write-Verbose "Executing database rights script... Complete!"
         #endregion Configuring Database rights
-        
+
         #region Update Reporting Services database configuration
         # Step 5 - Update Reporting Services to connect to new database now
         Write-Verbose "Updating Reporting Services to connect to new database..."