[Synapse] Add accesscontrol feature related commands based on track2 …

…sdk (#14834)
Azure · Aug 21, 2020 · 28e0cae · 28e0cae
1 parent daa9d5d
commit 28e0cae
Show file tree

Hide file tree

Showing 14 changed files with 1,372 additions and 111 deletions.
diff --git a/azure-cli2017.pyproj b/azure-cli2017.pyproj
@@ -931,16 +931,18 @@
     <Compile Include="azure-cli\azure\cli\command_modules\storage\_transformers.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\storage\_validators.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\storage\__init__.py" />
-    <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\spark.py">
+    <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\spark.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\__init__.py" />
-    <Compile Include="azure-cli\azure\cli\command_modules\synapse\util.py">
+    <Compile Include="azure-cli\azure\cli\command_modules\synapse\util.py" />
+    <Compile Include="azure-cli\azure\cli\command_modules\synapse\_completers.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\_client_factory.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\_help.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\_params.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\_validators.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\__init__.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\commands.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\constant.py" />
+    <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\accesscontrol.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\sparkpool.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\workspace.py" />
     <Compile Include="azure-cli\azure\cli\command_modules\synapse\operations\sqlpool.py" />
@@ -1200,6 +1202,7 @@
     <Folder Include="azure-cli\azure\cli\command_modules\synapse\operations\" />
     <Folder Include="azure-cli\azure\cli\command_modules\synapse\tests\" />
     <Folder Include="azure-cli\azure\cli\command_modules\synapse\tests\latest\" />
+    <Folder Include="azure-cli\azure\cli\command_modules\synapse\tests\latest\recordings\" />
     <Folder Include="azure-cli\azure\cli\command_modules\vm\" />
     <Folder Include="azure-cli\azure\cli\command_modules\vm\tests\" />
     <Folder Include="azure-cli\azure\cli\command_modules\vm\tests\latest\" />

diff --git a/src/azure-cli/azure/cli/command_modules/synapse/_client_factory.py b/src/azure-cli/azure/cli/command_modules/synapse/_client_factory.py
@@ -53,3 +53,32 @@ def cf_synapse_spark_batch(cli_ctx, workspace_name, sparkpool_name):
 
 def cf_synapse_spark_session(cli_ctx, workspace_name, sparkpool_name):
     return synapse_spark_factory(cli_ctx, workspace_name, sparkpool_name).spark_session
+
+
+def cf_synapse_client_accesscontrol_factory(cli_ctx, workspace_name):
+    from azure.synapse.accesscontrol import AccessControlClient
+    from azure.cli.core._profile import Profile
+    from azure.cli.core.commands.client_factory import get_subscription_id
+    subscription_id = get_subscription_id(cli_ctx)
+    profile = Profile(cli_ctx=cli_ctx)
+    cred, _, _ = profile.get_login_credentials(
+        resource=cli_ctx.cloud.endpoints.synapse_analytics_resource_id,
+        subscription_id=subscription_id
+    )
+    return AccessControlClient(
+        credential=cred,
+        endpoint='{}{}{}'.format("https://", workspace_name, cli_ctx.cloud.suffixes.synapse_analytics_endpoint)
+    )
+
+
+def cf_graph_client_factory(cli_ctx, **_):
+    from azure.cli.core._profile import Profile
+    from azure.cli.core.commands.client_factory import configure_common_settings
+    from azure.graphrbac import GraphRbacManagementClient
+    profile = Profile(cli_ctx=cli_ctx)
+    cred, _, tenant_id = profile.get_login_credentials(
+        resource=cli_ctx.cloud.endpoints.active_directory_graph_resource_id)
+    client = GraphRbacManagementClient(cred, tenant_id,
+                                       base_url=cli_ctx.cloud.endpoints.active_directory_graph_resource_id)
+    configure_common_settings(cli_ctx, client)
+    return client
diff --git a/src/azure-cli/azure/cli/command_modules/synapse/_completers.py b/src/azure-cli/azure/cli/command_modules/synapse/_completers.py
@@ -0,0 +1,15 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core.decorators import Completer
+from azure.cli.command_modules.synapse.operations.accesscontrol import list_role_definitions
+
+
+@Completer
+def get_role_definition_name_completion_list(cmd, prefix, namespace, **kwargs):  # pylint: disable=unused-argument
+    if namespace.workspace_name:
+        definitions = list_role_definitions(cmd, namespace.workspace_name)
+        return [x.name for x in definitions]
+    return []
diff --git a/src/azure-cli/azure/cli/command_modules/synapse/_help.py b/src/azure-cli/azure/cli/command_modules/synapse/_help.py
@@ -426,3 +426,116 @@
         az synapse spark statement cancel --livy-id 1 --session-id 11 --workspace-name testsynapseworkspace \\
         --spark-pool-name testsparkpool
 """
+
+helps['synapse role'] = """
+type: group
+short-summary: Manage Synapse's role assignments and definitions.
+"""
+
+helps['synapse role assignment'] = """
+type: group
+short-summary: Manage Synapse's role assignments.
+"""
+
+helps['synapse role assignment show'] = """
+type: command
+short-summary: Get a role assignment by id.
+examples:
+  - name: Get a role assignment by id.
+    text: |-
+        az synapse role assignment show --workspace-name testsynapseworkspace \\
+        --id 00000000-0000-0000-0000-000000000000
+"""
+
+helps['synapse role assignment list'] = """
+type: command
+short-summary: List role assignments.
+examples:
+  - name: List role assignments.
+    text: |-
+        az synapse role assignment list --workspace-name testsynapseworkspace
+  - name: List role assignments by role id/name.
+    text: |-
+        az synapse role assignment list --workspace-name testsynapseworkspace \\
+        --role "Sql Admin"
+  - name: List role assignments by assignee.
+    text: |-
+        az synapse role assignment list --workspace-name testsynapseworkspace \\
+        --assignee sp_name
+  - name: List role assignments by objectId of the User, Group or Service Principal.
+    text: |-
+        az synapse role assignment list --workspace-name testsynapseworkspace \\
+        --assignee 00000000-0000-0000-0000-000000000000
+"""
+
+helps['synapse role assignment create'] = """
+type: command
+short-summary: Create a role assignment.
+examples:
+  - name: Create a role assignment using service principal name.
+    text: |-
+        az synapse role assignment create --workspace-name testsynapseworkspace \\
+        --role "Sql Admin" --assignee sp_name
+  - name: Create a role assignment using user principal name.
+    text: |-
+        az synapse role assignment create --workspace-name testsynapseworkspace \\
+        --role "Sql Admin" --assignee [email protected]
+  - name: Create a role assignment using objectId of the User, Group or Service Principal.
+    text: |-
+        az synapse role assignment create --workspace-name testsynapseworkspace \\
+        --role "Sql Admin" --assignee 00000000-0000-0000-0000-000000000000
+"""
+
+helps['synapse role assignment delete'] = """
+type: command
+short-summary: Delete role assignments of workspace.
+examples:
+  - name: Delete role assignments by role and assignee.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --role "Sql Admin" --assignee sp_name
+  - name: Delete role assignments by role id/name.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --role "Sql Admin"
+  - name: Delete role assignments by service principal name.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --assignee sp_name
+  - name: Delete role assignments by user principal name.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --assignee [email protected]
+  - name: Delete role assignments by objectId of the User, Group or Service Principal.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --assignee 00000000-0000-0000-0000-000000000001
+  - name: Delete role assignments by ids.
+    text: |-
+        az synapse role assignment delete --workspace-name testsynapseworkspace \\
+        --ids 10000000-0000-0000-0000-10000000-10000000-0000-0000-0000-10000000
+"""
+
+helps['synapse role definition'] = """
+type: group
+short-summary:  Manage Synapse's role definitions.
+"""
+
+helps['synapse role definition list'] = """
+type: command
+short-summary: List role definitions.
+examples:
+  - name: List role definitions.
+    text: |-
+        az synapse role definition list --workspace-name testsynapseworkspace
+"""
+
+helps['synapse role definition show'] = """
+type: command
+short-summary: Get role definition by role id/name.
+examples:
+  - name: Get role definition by role id.
+    text: |-
+        az synapse role definition show --workspace-name testsynapseworkspace \\
+        --role 00000000-0000-0000-0000-000000000000
+"""
diff --git a/src/azure-cli/azure/cli/command_modules/synapse/_params.py b/src/azure-cli/azure/cli/command_modules/synapse/_params.py
@@ -3,12 +3,18 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 # pylint: disable=too-many-statements, line-too-long
+from knack.arguments import CLIArgumentType
 from argcomplete import FilesCompleter
-from azure.cli.core.commands.parameters import name_type, tags_type, get_three_state_flag, get_enum_type
+from azure.cli.core.commands.parameters import name_type, tags_type, get_three_state_flag, get_enum_type, get_resource_name_completion_list
 from azure.cli.core.util import get_json_object
 from ._validators import validate_storage_account, validate_statement_language
+from ._completers import get_role_definition_name_completion_list
 from .constant import SparkBatchLanguage, SparkStatementLanguage
 
+workspace_name_arg_type = CLIArgumentType(help='The workspace name.', completer=get_resource_name_completion_list('Microsoft.Synapse/workspaces'))
+assignee_arg_type = CLIArgumentType(help='Represent a user, group, or service principal. Supported format: object id, user sign-in name, or service principal name.')
+role_arg_type = CLIArgumentType(help='The role name/id that is assigned to the principal.', completer=get_role_definition_name_completion_list)
+
 
 def load_arguments(self, _):
     # synapse workspace
@@ -196,3 +202,27 @@ def load_arguments(self, _):
         c.argument('code', completer=FilesCompleter(),
                    help='The code of Spark statement. This is either the code contents or use `@<file path>` to load the content from a file')
         c.argument('language', arg_type=get_enum_type(SparkStatementLanguage), validator=validate_statement_language, help='The language of Spark statement.')
+
+    # synapse workspace access-control
+    for scope in ['create', 'list']:
+        with self.argument_context('synapse role assignment ' + scope) as c:
+            c.argument('workspace_name', arg_type=workspace_name_arg_type)
+            c.argument('role', arg_type=role_arg_type)
+            c.argument('assignee', arg_type=assignee_arg_type)
+
+    with self.argument_context('synapse role assignment show') as c:
+        c.argument('workspace_name', arg_type=workspace_name_arg_type)
+        c.argument('role_assignment_id', options_list=['--id'], help='Id of the role that is assigned to the principal.')
+
+    with self.argument_context('synapse role assignment delete') as c:
+        c.argument('workspace_name', arg_type=workspace_name_arg_type)
+        c.argument('role', arg_type=role_arg_type)
+        c.argument('assignee', arg_type=assignee_arg_type)
+        c.argument('ids', nargs='+', help='space-separated role assignment ids. You should not provide --role or --assignee when --ids is provided.')
+
+    with self.argument_context('synapse role definition show') as c:
+        c.argument('workspace_name', arg_type=workspace_name_arg_type)
+        c.argument('role', arg_type=role_arg_type)
+
+    with self.argument_context('synapse role definition list') as c:
+        c.argument('workspace_name', arg_type=workspace_name_arg_type)
diff --git a/src/azure-cli/azure/cli/command_modules/synapse/commands.py b/src/azure-cli/azure/cli/command_modules/synapse/commands.py
@@ -47,6 +47,10 @@ def get_custom_sdk(custom_module, client_factory):
         operations_tmpl='azure.synapse.spark.operations#SparkBatchOperations.{}',
         client_factory=None)
 
+    synapse_accesscontrol_sdk = CliCommandType(
+        operations_tmpl='azure.synapse.accesscontrol.operations#AccessControlClientOperationsMixin.{}',
+        client_factory=None)
+
     # Management Plane Commands --Workspace
     with self.command_group('synapse workspace', command_type=synapse_workspace_sdk,
                             custom_command_type=get_custom_sdk('workspace', cf_synapse_client_workspace_factory),
@@ -120,5 +124,18 @@ def get_custom_sdk(custom_module, client_factory):
         g.custom_show_command('show', 'get_spark_session_statement')
         g.custom_command('cancel', 'cancel_spark_session_statement', confirmation=True)
 
+    # Data Plane Commands --Access control operations
+    with self.command_group('synapse role assignment', synapse_accesscontrol_sdk,
+                            custom_command_type=get_custom_sdk('accesscontrol', None)) as g:
+        g.custom_command('create', 'create_role_assignment')
+        g.custom_command('list', 'list_role_assignments')
+        g.custom_show_command('show', 'get_role_assignment_by_id')
+        g.custom_command('delete', 'delete_role_assignment', confirmation=True)
+
+    with self.command_group('synapse role definition', synapse_accesscontrol_sdk,
+                            custom_command_type=get_custom_sdk('accesscontrol', None)) as g:
+        g.custom_command('list', 'list_role_definitions')
+        g.custom_show_command('show', 'get_role_definition')
+
     with self.command_group('synapse', is_preview=True):
         pass