Updated support for synapse role assignment and Added support for rol…

…e scope (#14172) * fixing compliationerror * getroleassignment * refine parametersetname * add scope to newroleassignment * add list scope command * refine new-azuresynapseroleassignment * add Itemtype and Item * refine newAzureSynapseRoleAssignment * remove unnecessary feeds * refine deleteroleassignmentid * refine resourceid name * improve remove and getroleassignments * itemtype and item improvement * Fix a few issues * Correct exception types * add principle type * add principaltype * caseinsent * update changelog * add doc for get-azsyanpserolescope * remove powershlles * update help doc * add objectid back * update Az.Synapse.md * update auto generated mdfiles * update changelog * update changelog2 * update changelog3 * update changelog4 * update changelog5 * update changelog6 * update changelog7 * Update src/Synapse/Synapse/ChangeLog.md Co-authored-by: Beisi Zhou <[email protected]> Co-authored-by: Dongwei Wang <[email protected]> Co-authored-by: Beisi Zhou <[email protected]>
Azure · Apr 8, 2021 · 1793624 · 1793624
1 parent 301e81f
commit 1793624
Show file tree

Hide file tree

Showing 20 changed files with 737 additions and 90 deletions.
diff --git a/src/Synapse/Synapse/Az.Synapse.psd1 b/src/Synapse/Synapse/Az.Synapse.psd1
@@ -123,7 +123,7 @@ CmdletsToExport = 'Get-AzSynapseSparkJob', 'Stop-AzSynapseSparkJob',
                'Remove-AzSynapseFirewallRule', 'Get-AzSynapseFirewallRule', 
                'Update-AzSynapseFirewallRule', 'Get-AzSynapseRoleAssignment', 
                'New-AzSynapseRoleAssignment', 'Remove-AzSynapseRoleAssignment', 
-               'Get-AzSynapseRoleDefinition', 'Get-AzSynapseSqlDatabase', 
+               'Get-AzSynapseRoleDefinition', 'Get-AzSynapseRoleScope', 'Get-AzSynapseSqlDatabase', 
                'New-AzSynapseSqlDatabase', 'Remove-AzSynapseSqlDatabase', 
                'Update-AzSynapseSqlDatabase', 'Test-AzSynapseSqlDatabase', 
                'Disable-AzSynapseSqlPoolSensitivityRecommendation', 

diff --git a/src/Synapse/Synapse/ChangeLog.md b/src/Synapse/Synapse/ChangeLog.md
@@ -18,6 +18,12 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Add support for Synapse Role-based access control
+   - Upgraded Azure.Analytics.Synapse.AccessControl to 1.0.0-preview.3
+   - Updated `New-AzSynapseRoleAssignment` cmdlet
+   - Updated `Get-AzSynapseRoleAssignment` cmdlet
+   - Updated `Remove-AzSynapseRoleAssignment` cmdlet
+   - Added `Get-AzSynapseRoleScope` cmdlet
 * Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0 
 * Added -AllowAllIp and set IP range to 0.0.0.0-255.255.255.255
 * Fixed the issue of retrieving Apache Spark pool information through management API

diff --git a/...Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs b/...Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs
@@ -1,13 +1,11 @@
-using Azure.Analytics.Synapse.AccessControl;
-using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Models;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
-using System.Text;
+using System.Text.RegularExpressions;
+using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
@@ -110,6 +108,44 @@ public class GetAzureSynapseRoleAssignment : SynapseRoleCmdletBase
         [ValidateNotNullOrEmpty]
         public string ObjectId { get; set; }
 
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [ValidateNotNullOrEmpty]
+        public WorkspaceItemType ItemType { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [ValidateNotNullOrEmpty]
+        public string Item { get; set; }
+
         public override void ExecuteCmdlet()
         {
             if (this.IsParameterBound(c => c.WorkspaceObject))
@@ -132,22 +168,39 @@ public override void ExecuteCmdlet()
                 this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
             }
 
+            string itemType = null;
+            if (this.IsParameterBound(c => c.ItemType))
+            {
+                itemType = this.ItemType.GetItemTypeString();
+            }
+
             if (this.IsParameterBound(c => c.RoleAssignmentId))
             {
                 WriteObject(new PSRoleAssignmentDetails(SynapseAnalyticsClient.GetRoleAssignmentById(this.RoleAssignmentId)));
             }
             else
             {
-                var roleAssignment = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId)
-                .Select(element => new PSRoleAssignmentDetails(element));
+                var roleAssignments = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId).Select(element => new PSRoleAssignmentDetails(element));
+                string allowedScopePattern = null;
+                if (this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/{this.Item}$)";
+                }
+                else if (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/[^/]+$)";
+                }
+                else if (!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/[^/]+/{this.Item}$)";
+                }
 
-                // TODO: Currently, when only `ObjectId` is specified, the cmdlet returns incorrect result. Filter from client side as a workaround
-                if (!string.IsNullOrEmpty(this.ObjectId))
+                if (!string.IsNullOrEmpty(allowedScopePattern))
                 {
-                    roleAssignment = roleAssignment.Where(element => element.ObjectId == this.ObjectId);
+                    roleAssignments = roleAssignments.Where(ra => ra.Scope == null || Regex.IsMatch(ra.Scope, allowedScopePattern, RegexOptions.IgnoreCase));
                 }
 
-                WriteObject(roleAssignment, true);
+                WriteObject(roleAssignments, true);
             }
         }
     }

diff --git a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs
@@ -0,0 +1,57 @@
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.Synapse.Common;
+using Microsoft.Azure.Commands.Synapse.Models;
+using Microsoft.Azure.Commands.Synapse.Properties;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Synapse
+{
+    [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + SynapseConstants.SynapsePrefix + SynapseConstants.RoleScope,
+        DefaultParameterSetName = GetByWorkspaceNameParameterSet)]
+    [OutputType(typeof(PSSynapseRole))]
+    public class GetAzureSynapseRoleScope : SynapseRoleCmdletBase
+    {
+        private const string GetByWorkspaceNameParameterSet = "GetByWorkspaceNameParameterSet";
+        private const string GetByWorkspaceObjectParameterSet = "GetByWorkspaceObjectParameterSet";
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+            Mandatory = true, HelpMessage = HelpMessages.WorkspaceName)]
+        [ResourceNameCompleter(ResourceTypes.Workspace, "ResourceGroupName")]
+        [ValidateNotNullOrEmpty]
+        public override string WorkspaceName { get; set; }
+
+        [Parameter(ValueFromPipeline = true, ParameterSetName = GetByWorkspaceObjectParameterSet,
+            Mandatory = true, HelpMessage = HelpMessages.WorkspaceObject)]
+        [ValidateNotNull]
+        public PSSynapseWorkspace WorkspaceObject { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+        [ValidateNotNullOrEmpty]
+        public string ResourceId { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            if (this.IsParameterBound(c => c.ResourceId))
+            {
+                var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+                this.WorkspaceName = resourceIdentifier.ResourceName;
+            }
+
+            if (this.IsParameterBound(c => c.WorkspaceObject))
+            {
+                this.WorkspaceName = this.WorkspaceObject.Name;
+            }
+
+            var roleScopes = SynapseAnalyticsClient.ListRoleScopes();
+            WriteObject(roleScopes, true);
+        }
+    }
+}
diff --git a/...Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs b/...Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs
@@ -1,13 +1,12 @@
-using Azure.Analytics.Synapse.AccessControl.Models;
+using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Models;
 using Microsoft.Azure.Commands.Synapse.Properties;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System;
-using System.Collections.Generic;
 using System.Management.Automation;
-using System.Text;
+using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
@@ -97,6 +96,20 @@ public class NewAzureSynapseRoleAssignment : SynapseRoleCmdletBase
         [ValidateNotNullOrEmpty]
         public string ObjectId { get; set; }
 
+        // Compared with Remove-AzSynapseRoleAssignment and Get-AzSynapseRoleAssignment, no need to specify roleAssignment, it is created as
+        // random uuid. Hence unnecessary to specify the ParameterSetName
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [ValidateNotNullOrEmpty]
+        public WorkspaceItemType ItemType { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [ValidateNotNullOrEmpty]
+        public string Item { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspacePrincipalType)]
+        [ValidateNotNullOrEmpty]
+        public PrincipalType PrincipalType { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.AsJob)]
         public SwitchParameter AsJob { get; set; }
 
@@ -122,9 +135,30 @@ public override void ExecuteCmdlet()
                 this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
             }
 
+            string itemType = null;
+            if (this.IsParameterBound(c => c.ItemType))
+            {
+                itemType = this.ItemType.GetItemTypeString();
+            }
+
+            string principalType = null;
+            if (this.IsParameterBound(c => c.PrincipalType))
+            {
+                principalType = this.PrincipalType.GetPrincipalTypeString();
+            }
+
             if (this.ShouldProcess(this.WorkspaceName, String.Format(Resources.CreatingSynapseRoleAssignment, this.WorkspaceName, this.RoleDefinitionId, this.ObjectId)))
             {
-                PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(this.RoleDefinitionId, this.ObjectId));
+                // Item type and item should appear Report error if either item type or item is specified.
+                if ((!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) ||
+                    (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item)))
+                {
+                    throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether));
+                }
+
+                string roleAssignmentId = Guid.NewGuid().ToString();
+                string scope = SynapseAnalyticsClient.GetRoleAssignmentScope(this.WorkspaceName, itemType, this.Item);
+                PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(roleAssignmentId, this.RoleDefinitionId, this.ObjectId, scope, principalType));
                 WriteObject(roleAssignmentDetails);
             }
         }