
[Role] az role assignment create/update: auto complete assignee_principal_type #17669

Merged (11 commits) Apr 22, 2021

Conversation

evelyn-ys (Member) commented Apr 13, 2021

Description

Feature requested by #16006

  • When creating a role assignment, if assignee is provided without assignee_principal_type, try a Graph call to resolve the object id and get the object type

    • If the Graph call succeeds, resolve object_id and principal_type
    • If the Graph call fails, raise an exception as before
  • When creating a role assignment, if assignee_object_id is provided without assignee_principal_type, try to get the principal type from Graph.

    • If the Graph call succeeds, set assignee_principal_type
    • If the Graph call fails, leave assignee_principal_type as None as before
  • When updating a role assignment, if principal_type is not provided, use the existing value of assignment.principal_type

Testing Guide

Graph call succeed:

> az role assignment create --role Reader --assignee-object-id "3707fb2f-ac10-4591-a04f-8b0d786ea37d"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleAssignments/88670ac0-08a0-40af-8cb3-cfecc39224a6",
  "name": "88670ac0-08a0-40af-8cb3-cfecc39224a6",
  "principalId": "27c363a5-7016-4ae0-8540-818ec05673f1",
  "principalName": "",
  "principalType": "ServicePrincipal",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "type": "Microsoft.Authorization/roleAssignments"
}

Graph call fail:

> az role assignment create --role Reader --assignee-object-id "3707fb2f-ac10-4591-a04f-8b0d786ea37d"
WARNING: Failed to query --assignee-principal-type for 3707fb2f-ac10-4591-a04f-8b0d786ea37d by invoking Graph API.
RBAC server might reject creating role assignment by --assignee-object-id without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
ERROR: The client '7701a65c-cdfe-4722-8cd7-a5dc211d87e6' with object id '7701a65c-cdfe-4722-8cd7-a5dc211d87e6' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590' or the scope is invalid. If access was recently granted, please refresh your credentials.

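The resolution rules the description lays out, written up as an added Python example (not azure-cli's own code): `resolve_principal`, `principal_type_for_update`, `make_lookup`, `GraphLookupError` and `PrincipalInfo` are names assumed here, and the Graph query is replaced by an injected lookup over a constructed dictionary so the block runs offline.

```python
import logging
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

log = logging.getLogger(__name__)

class GraphLookupError(Exception):
    """Raised by the injected Graph lookup when the directory query fails."""

@dataclass(frozen=True)
class PrincipalInfo:
    object_id: str
    principal_type: str  # "User", "Group" or "ServicePrincipal"

def make_lookup(directory: dict) -> Callable[[str], PrincipalInfo]:
    """Offline stand-in for the Graph query (assumed helper), over a constructed dict."""
    def lookup(key: str) -> PrincipalInfo:
        if key not in directory:
            raise GraphLookupError(f"no directory object for {key}")
        return directory[key]
    return lookup

def resolve_principal(lookup, assignee=None, assignee_object_id=None,
                      assignee_principal_type=None) -> Tuple[str, Optional[str]]:
    """Object id and principal type for `az role assignment create`, per the PR:
    --assignee must resolve via Graph (failure raises, as before);
    --assignee-object-id without a type tries Graph and, on failure, warns
    and leaves the type None (as before); an explicit type is kept as given."""
    if (assignee is None) == (assignee_object_id is None):
        raise ValueError("specify exactly one of assignee / assignee_object_id")
    if assignee is not None:
        info = lookup(assignee)  # GraphLookupError propagates to the caller
        return info.object_id, assignee_principal_type or info.principal_type
    if assignee_principal_type is None:
        try:
            assignee_principal_type = lookup(assignee_object_id).principal_type
        except GraphLookupError:
            log.warning("Failed to query --assignee-principal-type for %s by invoking "
                        "Graph API. Better to specify it manually.", assignee_object_id)
    return assignee_object_id, assignee_principal_type

def principal_type_for_update(existing_principal_type, principal_type=None):
    """On update, fall back to the assignment's existing principalType."""
    return principal_type if principal_type is not None else existing_principal_type
```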

@evelyn-ys evelyn-ys requested a review from jiasli April 13, 2021 10:41
@evelyn-ys evelyn-ys self-assigned this Apr 13, 2021
@yonzhan yonzhan added this to the S186 milestone Apr 13, 2021
yonzhan (Collaborator) commented Apr 13, 2021

Role

@evelyn-ys evelyn-ys requested a review from jiasli April 14, 2021 09:22
@evelyn-ys evelyn-ys requested a review from jiasli April 19, 2021 10:15
@evelyn-ys evelyn-ys changed the title [Role] az role assignment create/update: auto complete assignee_principal_type if assignee_object_id is provided [Role] az role assignment create/update: auto complete assignee_principal_type Apr 19, 2021
jiasli (Member) commented Apr 20, 2021

Other references to _create_role_assignment should also be updated to provide assignee_principal_type, like

_create_role_assignment(cmd.cli_ctx, role, sp_oid, None, scope, resolve_assignee=False)


4 participants