docs/azure-data-studio/extensions/kusto-extension.md
Lines changed: 2 additions & 2 deletions
@@ -119,7 +119,7 @@ The extensions settings look like this:
119
119
120
120
## SandDance visualization
121
121
122
-
The [SandDance extension](sanddance-extension.md) with the Kusto (KQL) extension in Azure Data Studio bring rich interactive visualization together. From the KQL query result set, select the **Visualizer** button to launch [SandDance](https://sanddance.js.org/).
122
+
The [SandDance extension](sanddance-extension.md) with the Kusto (KQL) extension in Azure Data Studio bring rich interactive visualization together. From the KQL query result set, select the **Visualizer** button to launch [SandDance](https://microsoft.github.io/SandDance/).
docs/big-data-cluster/active-directory-deploy.md
Lines changed: 1 addition & 1 deletion
@@ -129,7 +129,7 @@ For details on how to update the AD groups for these settings see [Manage Big Da
129
129
130
130
> [!NOTE]
131
131
> The `security.activeDirectory.enableAES` parameter is available starting with SQL Server Big Data Clusters CU13. If the big data cluster is a version prior to CU13, the following steps are required:
132
-
> 1. Run the `azdata bdc rotate -n <your-cluster-name>` command, this command will rotate the keytabs in the cluster which is necessary to ensure that the AES entries in keytabs are correct. For more information, see [azdata bdc](/sql/azdata/reference/reference-azdata-bdc). Additionally, `azdata bdc rotate` will rotate the passwords of the AD objects that were auto-generated during the initial deployment in the specified OU.
132
+
> 1. Run the `azdata bdc rotate -n <your-cluster-name>` command, this command will rotate the keytabs in the cluster which is necessary to ensure that the AES entries in keytabs are correct. For more information, see [azdata bdc](../azdata/reference/reference-azdata-bdc.md). Additionally, `azdata bdc rotate` will rotate the passwords of the AD objects that were auto-generated during the initial deployment in the specified OU.
133
133
> 2. Set the the following flags 'This account supports Kerberos AES 128 bit encryption' and 'This account supports Kerberos AES 256 bit encryption' on each of auto-generated AD objects in the OU that you provided during the initial big data cluster deployment. This can be achieved by executing the following PowerShell script `Get-ADUser -Filter * -SearchBase '<OU Path>' | Set-ADUser -replace @{ 'msDS-SupportedEncryptionTypes' = '24' }` on your domain controller which sets the AES fields on each account in the OU given in `<OU Path>` parameter.
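Review bot: In step 2 (line 133, unchanged context), `Get-ADUser -Filter * -SearchBase '<OU Path>'` selects every user object under the OU, while the sentence says the flags belong on the auto-generated objects; if the OU can hold other accounts, say so or narrow the filter. On the same line, `-replace` with `'24'` overwrites any existing `msDS-SupportedEncryptionTypes` value with only the two AES flags named in the sentence, which is worth stating outright, and "Set the the following flags" has a doubled word. On the changed line 132, "command, this command will rotate" is a comma splice; "command, which rotates the keytabs in the cluster" reads better.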
docs/big-data-cluster/distributed-data-copy-hdfs.md
Lines changed: 17 additions & 0 deletions
@@ -45,6 +45,23 @@ In this guide we will cover the following data copy scenarios:
45
45
46
46
Certificates are required to create a trusted relationship between source and destination clusters. These steps are required only once per source/destination cluster combination.
47
47
48
+
> [!IMPORTANT]
49
+
> If a SQL Server big data cluster with basic authentication (non-AD) is __upgraded to CU13__, the distcp functionality won't work.
50
+
>
51
+
> To enable the distcp functionality in this scenario execute the following additional steps once:
The required notebooks in the next steps are part of the Operational notebooks for [!INCLUDE[big-data-clusters-nover](../includes/ssbigdataclusters-ss-nover.md)]. For more information how to install and use the notebooks, see [Operational notebooks](cluster-manage-notebooks.md)
49
66
50
67
### Step 1 - Certificate creation and installation
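Review bot: The new IMPORTANT note (added lines 48-51) says distcp "won't work" after a basic-authentication cluster is upgraded to CU13, but gives no symptom or error message a reader could use to recognise the failure, and does not say whether a fresh CU13 deployment is affected; one sentence on each would make the note actionable. In the context line that follows, "For more information how to install and use the notebooks" is missing "on", and the sentence has no closing period.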
docs/big-data-cluster/release-notes-cumulative-update-13.md
Lines changed: 9 additions & 4 deletions
@@ -5,7 +5,7 @@ description: This article describes the SQL Server Big Data Clusters Cumulative
5
5
author: WilliamDAssafMSFT
6
6
ms.author: wiassaf
7
7
ms.reviewer: melqin,dacoelho
8
-
ms.date: 10/05/2021
8
+
ms.date: 10/06/2021
9
9
ms.topic: conceptual
10
10
ms.prod: sql
11
11
ms.technology: big-data-cluster
@@ -27,8 +27,12 @@ The following release notes apply to [!INCLUDE[big-data-clusters-2019](../includ
27
27
> [!CAUTION]
28
28
> Before upgrading make sure to review the [Spark 3 upgrade guide](spark-3-upgrade.md).
29
29
30
+
* Delta Lake 1.0.0 available out-of-the-box. Additional libraries doesn't need to be installed and loaded. Read more at [Delta Lake on SQL Server Big Data Clusters](package-management-delta-lake.md)
31
+
* Custom time zone configuration for all services. Read more at [How to configure big data clusters settings post deployment](configure-bdc-postdeployment.md#step-by-step-scenario-configure-timezone-on-)
30
32
*[Password rotation for big data cluster autogenerated Active Directory service accounts](active-directory-password-rotation.md)
31
-
*[New Advanced Encryption Standard (AES) optional parameter for the automatically generated AD accounts](active-directory-prerequisites.md)
33
+
*[New Advanced Encryption Standard (AES) optional parameter for the automatically generated AD accounts](active-directory-deploy.md)
34
+
35
+
For detailed SQL Server engine changes, check the [official SQL Server CU13 knowledge base article](https://support.microsoft.com/topic/kb5005679-cumulative-update-13-for-sql-server-2019-5c1be850-460a-4be4-a569-fe11f0adc535).
32
36
33
37
## Tested configurations for CU13
34
38
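Review bot: The anchor in the new time zone bullet (added line 31), `configure-bdc-postdeployment.md#step-by-step-scenario-configure-timezone-on-`, ends in a hyphen and looks truncated; check that it resolves to the intended heading in the rendered article. On added line 30, "Additional libraries doesn't need" should be "don't need", and both new bullets end without a period.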
@@ -53,6 +57,7 @@ Reference Architecture White Papers for [!INCLUDE[big-data-clusters-nover](../in
53
57
*__R__: Microsoft R 3.5.2
54
58
*__Microsoft Spark Runtime 2021.1__
55
59
*__Spark__: 3.1.2
60
+
*__Delta Lake__: 1.0.0
56
61
*__Java__: Azul Zulu JRE 1.8.0_275
57
62
*__Scala__: 2.12
58
63
*__Python__: 3.8 (miniforge 4.9)
@@ -79,7 +84,7 @@ Reference Architecture White Papers for [!INCLUDE[big-data-clusters-nover](../in
docs/connect/ado-net/sql/sqlclient-support-always-encrypted.md
Lines changed: 8 additions & 2 deletions
@@ -381,11 +381,11 @@ class Program
381
381
382
382
#### Column encryption key cache precedence
383
383
384
-
This section applies to version 3.0 and higher of the provider.
384
+
This section applies to version 3.0 and higher of the **Microsoft .NET Data Provider for SQL Server**.
385
385
386
386
The column encryption keys (CEK) decrypted by custom key store providers registered on a connection or command instance will not be cached by the **Microsoft .NET Data Provider for SQL Server**. Custom key store providers should implement their own CEK caching mechanism.
387
387
388
-
Starting with **v3.0.0**, the `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` has its own CEK caching implementation. When registered on a connection or command instance, CEKs decrypted by an instance of `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` will be cleared when that instance goes out of scope:
388
+
Starting with **v3.0.0** of the`Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider`, each instance of`Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` has its own CEK caching implementation. When registered on a connection or command instance, CEKs decrypted by an instance of `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` will be cleared when that instance goes out of scope:
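Review bot: The rewritten sentence on line 388 spells out `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` three times, which makes it hard to parse; after the first mention, "each instance" and "that instance" would carry it. The phrase "cleared when that instance goes out of scope" also deserves tightening, since readers who care how long plaintext CEKs stay in memory will want to know whether clearing happens at scope exit or only once the instance is collected.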
@@ -532,6 +532,12 @@ To reduce the number of calls to a column master key store to decrypt column enc
532
532
533
533
The cache entries are evicted after a configurable time-to-live interval for security reasons. The default time-to-live value is 2 hours. If you have stricter security requirements about how long column encryption keys can be cached in plaintext in the application, you can change it using the [SqlConnection.ColumnEncryptionKeyCacheTtl property](/dotnet/api/microsoft.data.sqlclient.sqlconnection.columnencryptionkeycachettl).
534
534
535
+
Custom key store providers registered using [SqlConnection.RegisterColumnEncryptionKeyStoreProvidersOnConnection](/dotnet/api/microsoft.data.sqlclient.sqlconnection.registercolumnencryptionkeystoreprovidersonconnection) and [SqlCommand.RegisterColumnEncryptionKeyStoreProvidersOnCommand](/dotnet/api/microsoft.data.sqlclient.sqlcommand.registercolumnencryptionkeystoreprovidersoncommand) won't have their decrypted column encryption keys cached by the **Microsoft .NET Data Provider for SQL Server**. Instead, custom key store providers must implement their own caching mechanism. `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider`**v3.0.0** and higher comes with its own caching implementation.
536
+
537
+
To support scenarios where different users of the same application may execute multiple queries, custom key store providers can be mapped to a user and registered on a connection or command instance specific to that user. The following example shows how an instance of `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` can be reused across different `SqlCommand` objects for the same user. Its column encryption key cache will persist across multiple queries, reducing the number of round trips to the key store:
## Enabling extra protection for a compromised SQL Server
536
542
537
543
By default, the **Microsoft .NET Data Provider for SQL Server** relies on the database system (SQL Server or Azure SQL Database) to provide metadata about which columns in the database are encrypted and how. The encryption metadata enables the **Microsoft .NET Data Provider for SQL Server** to encrypt query parameters and decrypt query results without any input from the application, which greatly reduces the number of changes required in the application. However, if the SQL Server process gets compromised and an attacker tampers with the metadata SQL Server sends to the **Microsoft .NET Data Provider for SQL Server**, the attacker might be able to steal sensitive information. This section describes APIs that help provide an extra level of protection against this type of attack, at the price of reduced transparency.
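Review bot: Added line 535 restates what the "Column encryption key cache precedence" section already says at lines 386-388 (CEKs from custom providers registered on a connection or command are not cached by the driver, and AzureKeyVaultProvider v3.0.0 has its own cache); a link to that section would avoid the two copies drifting apart. Because context line 533 presents `ColumnEncryptionKeyCacheTtl` as the control for how long plaintext CEKs are cached, added line 537 should say whether that time-to-live applies to a provider instance reused across one user's `SqlCommand` objects, or whether the cache lifetime is bounded only by the lifetime of that instance.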
docs/database-engine/availability-groups/windows/create-or-configure-an-availability-group-listener-sql-server.md
Lines changed: 2 additions & 2 deletions
@@ -62,8 +62,8 @@ manager: erikre
62
62
63
63
|Permissions|Link|
64
64
|-----------------|----------|
65
-
|The cluster name object (CNO) of WSFC cluster that is hosting the availability group must have **Create Computer objects** permission.<br /><br /> In Active Directory, a CNO by default does not have **Create Computer objects** permission explicitly and can create 10 virtual computer objects (VCOs). After 10 VCOs are created, the creation of additional VCOs will fail. You can avoid this by granting the permission explicitly to the WSFC cluster's CNO. Note that VCOs for availability groups that you have deleted are not automatically deleted in Active Directory and count against your 10 VCO default limit unless they are manually deleted.<br /><br /> Note: In some organizations, the security policy prohibits granting **Create Computer objects** permission to individual user accounts.|*Steps for configuring the account for the person who installs the cluster* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](https://technet.microsoft.com/library/cc731002\(WS.10\).aspx#BKMK_steps_installer)<br /><br /> *Steps for prestaging the cluster name account* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](https://technet.microsoft.com/library/cc731002\(WS.10\).aspx#BKMK_steps_precreating)|
66
-
|If your organization requires that you prestage the computer account for a listener virtual network name, you will need membership in the **Account Operator** group or your domain administrator's assistance.|*Steps for prestaging an account for a clustered service or application* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](https://technet.microsoft.com/library/cc731002\(WS.10\).aspx#BKMK_steps_precreating2).|
65
+
|The cluster name object (CNO) of WSFC cluster that is hosting the availability group must have **Create Computer objects** permission.<br /><br /> In Active Directory, a CNO by default does not have **Create Computer objects** permission explicitly and can create 10 virtual computer objects (VCOs). After 10 VCOs are created, the creation of additional VCOs will fail. You can avoid this by granting the permission explicitly to the WSFC cluster's CNO. Note that VCOs for availability groups that you have deleted are not automatically deleted in Active Directory and count against your 10 VCO default limit unless they are manually deleted.<br /><br /> Note: In some organizations, the security policy prohibits granting **Create Computer objects** permission to individual user accounts.|*Steps for configuring the account for the person who installs the cluster* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](/#BKMK_steps_installer)<br /><br /> *Steps for prestaging the cluster name account* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](/#BKMK_steps_precreating)|
66
+
|If your organization requires that you prestage the computer account for a listener virtual network name, you will need membership in the **Account Operator** group or your domain administrator's assistance.|*Steps for prestaging an account for a clustered service or application* in [Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory](/#BKMK_steps_precreating2).|
67
67
68
68
> [!TIP]
69
69
> Generally, it is simplest not to prestage the computer account for a listener virtual network name. If you can, let the account to be created and configured automatically when you run the WSFC High Availability wizard.
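Review bot: All three replacement links in the table rows (lines 65-66) now target `/#BKMK_steps_installer`, `/#BKMK_steps_precreating` and `/#BKMK_steps_precreating2`, which is a fragment on the site root with no document path, so the "Failover Cluster Step-by-Step Guide" references no longer point at the guide. Put the article's path in front of each fragment, or keep the previous URL until the new location is known.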