diff --git a/src/Synapse/Synapse/Az.Synapse.psd1 b/src/Synapse/Synapse/Az.Synapse.psd1 index 2963933bc598..bb954ea2b25b 100644 --- a/src/Synapse/Synapse/Az.Synapse.psd1 +++ b/src/Synapse/Synapse/Az.Synapse.psd1 @@ -123,7 +123,7 @@ CmdletsToExport = 'Get-AzSynapseSparkJob', 'Stop-AzSynapseSparkJob', 'Remove-AzSynapseFirewallRule', 'Get-AzSynapseFirewallRule', 'Update-AzSynapseFirewallRule', 'Get-AzSynapseRoleAssignment', 'New-AzSynapseRoleAssignment', 'Remove-AzSynapseRoleAssignment', - 'Get-AzSynapseRoleDefinition', 'Get-AzSynapseSqlDatabase', + 'Get-AzSynapseRoleDefinition', 'Get-AzSynapseRoleScope', 'Get-AzSynapseSqlDatabase', 'New-AzSynapseSqlDatabase', 'Remove-AzSynapseSqlDatabase', 'Update-AzSynapseSqlDatabase', 'Test-AzSynapseSqlDatabase', 'Disable-AzSynapseSqlPoolSensitivityRecommendation', diff --git a/src/Synapse/Synapse/ChangeLog.md b/src/Synapse/Synapse/ChangeLog.md index ef9684ac3071..e9a8c50eb4d2 100644 --- a/src/Synapse/Synapse/ChangeLog.md +++ b/src/Synapse/Synapse/ChangeLog.md @@ -18,6 +18,12 @@ - Additional information about change #1 --> ## Upcoming Release +* Add support for Synapse Role-based access control + - Upgraded Azure.Analytics.Synapse.AccessControl to 1.0.0-preview.3 + - Updated `New-AzSynapseRoleAssignment` cmdlet + - Updated `Get-AzSynapseRoleAssignment` cmdlet + - Updated `Remove-AzSynapseRoleAssignment` cmdlet + - Added `Get-AzSynapseRoleScope` cmdlet * Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0 * Added -AllowAllIp and set IP range to 0.0.0.0-255.255.255.255 * Fixed the issue of retrieving Apache Spark pool information through management API diff --git a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs index 3d445890a1d5..3174daa7e7fb 100644 --- a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs 
+++ b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs @@ -1,13 +1,11 @@ -using Azure.Analytics.Synapse.AccessControl; -using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters; +using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters; using Microsoft.Azure.Commands.Synapse.Common; using Microsoft.Azure.Commands.Synapse.Models; using Microsoft.WindowsAzure.Commands.Utilities.Common; -using System; -using System.Collections.Generic; using System.Linq; using System.Management.Automation; -using System.Text; +using System.Text.RegularExpressions; +using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants; namespace Microsoft.Azure.Commands.Synapse { 
@@ -110,6 +108,44 @@ public class GetAzureSynapseRoleAssignment : SynapseRoleCmdletBase [ValidateNotNullOrEmpty] public string ObjectId { get; set; } + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [ValidateNotNullOrEmpty] + public WorkspaceItemType ItemType { get; set; } + + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = 
GetByWorkspaceNameAndIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [ValidateNotNullOrEmpty] + public string Item { get; set; } + public override void ExecuteCmdlet() { if (this.IsParameterBound(c => c.WorkspaceObject)) 
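Review bot: `ItemType` and `Item` are attached to every parameter set here, including `GetByWorkspaceNameAndIdParameterSet` and `GetByWorkspaceObjectAndIdParameterSet`, which by their names look like the `-RoleAssignmentId` sets. In `ExecuteCmdlet` (next hunk) the `RoleAssignmentId` branch writes the assignment without consulting either value, so a caller who adds `-ItemType`/`-Item` to narrow an access review gets an unfiltered answer with no warning. Either drop the two `[Parameter]` attributes for those sets or reject the combination explicitly. `[ValidateNotNullOrEmpty]` on the enum-typed `ItemType` cannot fail, since an enum value is never null; the same applies to `ItemType` and `PrincipalType` in the New- and Remove- cmdlet hunks.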
@@ -132,22 +168,39 @@ public override void ExecuteCmdlet() this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName); } + string itemType = null; + if (this.IsParameterBound(c => c.ItemType)) + { + itemType = this.ItemType.GetItemTypeString(); + } + if (this.IsParameterBound(c => c.RoleAssignmentId)) { WriteObject(new PSRoleAssignmentDetails(SynapseAnalyticsClient.GetRoleAssignmentById(this.RoleAssignmentId))); } else { - var roleAssignment = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId) - .Select(element => new PSRoleAssignmentDetails(element)); + var roleAssignments = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId).Select(element => new PSRoleAssignmentDetails(element)); + string allowedScopePattern = null; + if (this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) + { + allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/{this.Item}$)"; + } + else if (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item)) + { + allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/[^/]+$)"; + } + else if (!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) + { + allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/[^/]+/{this.Item}$)"; + } - // TODO: Currently, when only `ObjectId` is specified, the cmdlet returns incorrect result. 
Filter from client side as a workaround - if (!string.IsNullOrEmpty(this.ObjectId)) + if (!string.IsNullOrEmpty(allowedScopePattern)) { - roleAssignment = roleAssignment.Where(element => element.ObjectId == this.ObjectId); + roleAssignments = roleAssignments.Where(ra => ra.Scope == null || Regex.IsMatch(ra.Scope, allowedScopePattern, RegexOptions.IgnoreCase)); } - WriteObject(roleAssignment, true); + WriteObject(roleAssignments, true); } } } diff --git a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs new file mode 100644 index 000000000000..c2b6afdaa5be --- /dev/null +++ b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs 
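Review bot: The scope filter interpolates `this.WorkspaceName` and `this.Item` into `allowedScopePattern` unescaped, so regex metacharacters in either value change what is matched (a `.` in an item name matches any character at that position) and an unbalanced bracket makes `Regex.IsMatch` throw `ArgumentException`. For a cmdlet used to audit who holds which role, that can list assignments for items the caller did not ask about. Escape both values before building the pattern, e.g. `var ws = Regex.Escape(this.WorkspaceName); var item = Regex.Escape(this.Item);`, or compare scope strings with `string.Equals(..., StringComparison.OrdinalIgnoreCase)` instead of a regex. The hunk also removes the client-side `ObjectId` filter that the deleted TODO described as a workaround for incorrect service results; nothing visible here shows the service now filters correctly, so that is worth confirming.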
@@ -0,0 +1,57 @@
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.Synapse.Common;
+using Microsoft.Azure.Commands.Synapse.Models;
+using Microsoft.Azure.Commands.Synapse.Properties;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Synapse
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + SynapseConstants.SynapsePrefix + SynapseConstants.RoleScope,
+ DefaultParameterSetName = GetByWorkspaceNameParameterSet)]
+ [OutputType(typeof(PSSynapseRole))]
+ public class GetAzureSynapseRoleScope : SynapseRoleCmdletBase
+ {
+ private const string GetByWorkspaceNameParameterSet = "GetByWorkspaceNameParameterSet";
+ private const string GetByWorkspaceObjectParameterSet = "GetByWorkspaceObjectParameterSet";
+
+ [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+ Mandatory = true, HelpMessage = HelpMessages.WorkspaceName)]
+ [ResourceNameCompleter(ResourceTypes.Workspace, "ResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public override string WorkspaceName { get; set; }
+
+ [Parameter(ValueFromPipeline = true, ParameterSetName = GetByWorkspaceObjectParameterSet,
+ Mandatory = true, HelpMessage = HelpMessages.WorkspaceObject)]
+ [ValidateNotNull]
+ public PSSynapseWorkspace WorkspaceObject { get; set; }
+
+ [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+ Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+ [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectParameterSet,
+ Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.WorkspaceName = resourceIdentifier.ResourceName;
+ }
+
+ if (this.IsParameterBound(c => c.WorkspaceObject))
+ {
+ this.WorkspaceName = this.WorkspaceObject.Name;
+ }
+
+ var roleScopes = SynapseAnalyticsClient.ListRoleScopes();
+ WriteObject(roleScopes, true);
+ }
+ }
+}
diff --git a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs
index b24ee2508d5c..ba84d8f0a739 100644
--- a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs
+++ b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs
@@ -1,13 +1,12 @@
-using Azure.Analytics.Synapse.AccessControl.Models;
+using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Models;
 using Microsoft.Azure.Commands.Synapse.Properties;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System;
-using System.Collections.Generic;
 using System.Management.Automation;
-using System.Text;
+using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
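Review bot: `[OutputType(typeof(PSSynapseRole))]` on the new `GetAzureSynapseRoleScope` class does not match what `ExecuteCmdlet` writes: the cmdlet emits the result of `SynapseAnalyticsClient.ListRoleScopes()`, which in this commit returns the value of `_roleDefinitionsClient.ListScopes()` rather than role objects (the element type is not visible on this page, presumably `string`). Declare the actual element type once confirmed, e.g. `[OutputType(typeof(string))]`. `ResourceId` is optional in both parameter sets while `WorkspaceName` or `WorkspaceObject` is mandatory, so it can never be used on its own and, when supplied, silently replaces the mandatory `-WorkspaceName`. The usings for `Common.Exceptions`, `Synapse.Properties`, `System` and `System.Linq` appear unused in this file.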
@@ -97,6 +96,20 @@ public class NewAzureSynapseRoleAssignment : SynapseRoleCmdletBase [ValidateNotNullOrEmpty] public string ObjectId { get; set; } + // Compared with Remove-AzSynapseRoleAssignment and Get-AzSynapseRoleAssignment, no need to specify roleAssignment, it is created as + // random uuid. Hence unnecessary to specify the ParameterSetName + [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [ValidateNotNullOrEmpty] + public WorkspaceItemType ItemType { get; set; } + + [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [ValidateNotNullOrEmpty] + public string Item { get; set; } + + [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspacePrincipalType)] + [ValidateNotNullOrEmpty] + public PrincipalType PrincipalType { get; set; } + [Parameter(Mandatory = false, HelpMessage = HelpMessages.AsJob)] public SwitchParameter AsJob { get; set; } 
@@ -122,9 +135,30 @@ public override void ExecuteCmdlet() this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName); } + string itemType = null; + if (this.IsParameterBound(c => c.ItemType)) + { + itemType = this.ItemType.GetItemTypeString(); + } + + string principalType = null; + if (this.IsParameterBound(c => c.PrincipalType)) + { + principalType = this.PrincipalType.GetPrincipalTypeString(); + } + if (this.ShouldProcess(this.WorkspaceName, String.Format(Resources.CreatingSynapseRoleAssignment, this.WorkspaceName, this.RoleDefinitionId, this.ObjectId))) { - PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(this.RoleDefinitionId, this.ObjectId)); + // Item type and item should appear Report error if either item type or item is specified. + if ((!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) || + (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item))) + { + throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether)); + } + + string roleAssignmentId = Guid.NewGuid().ToString(); + string scope = SynapseAnalyticsClient.GetRoleAssignmentScope(this.WorkspaceName, itemType, this.Item); + PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(roleAssignmentId, this.RoleDefinitionId, this.ObjectId, scope, principalType)); WriteObject(roleAssignmentDetails); } } diff --git a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/RemoveAzureSynapseRoleAssignment.cs b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/RemoveAzureSynapseRoleAssignment.cs index 0c14063f5e3e..5cf3e1e78926 100644 --- a/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/RemoveAzureSynapseRoleAssignment.cs 
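Review bot: The `-ItemType`/`-Item` pairing check sits inside the `ShouldProcess` block, so the operator is prompted to confirm (and `-WhatIf` reports the operation) before the arguments are validated; move the check above `if (this.ShouldProcess(` so invalid input fails first. The confirmation text is still built from workspace, role and object id only, while the assignment is now created at a computed `scope`; consider including `scope` in the message so the prompt shows how widely the role is being granted. The added comment `// Item type and item should appear Report error if either item type or item is specified.` is garbled and should say that an error is reported when only one of the two is specified. The Remove-AzSynapseRoleAssignment `ExecuteCmdlet` hunk repeats the same placement and comment. `ExecuteCmdlet` starts and ends outside this hunk.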
+++ b/src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/RemoveAzureSynapseRoleAssignment.cs @@ -1,12 +1,12 @@ -using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters; +using Microsoft.Azure.Commands.Common.Exceptions; +using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters; using Microsoft.Azure.Commands.Synapse.Common; using Microsoft.Azure.Commands.Synapse.Models; using Microsoft.Azure.Commands.Synapse.Properties; using Microsoft.WindowsAzure.Commands.Utilities.Common; using System; -using System.Collections.Generic; using System.Management.Automation; -using System.Text; +using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants; namespace Microsoft.Azure.Commands.Synapse { 
@@ -109,6 +109,44 @@ public class RemoveAzureSynapseRoleAssignment : SynapseRoleCmdletBase [ValidateNotNullOrEmpty] public string ObjectId { get; set; } + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndSignInNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndRoleDefinitionIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndSignInNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndRoleDefinitionIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)] + [ValidateNotNullOrEmpty] + public WorkspaceItemType ItemType { get; set; } + + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndSignInNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + 
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndRoleDefinitionIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceNameAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndSignInNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndObjectIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndRoleDefinitionIdParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = RemoveByWorkspaceObjectAndServicePrincipalNameParameterSet, + Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)] + [ValidateNotNullOrEmpty] + public string Item { get; set; } + [Parameter(Mandatory = false, HelpMessage = HelpMessages.PassThru)] public SwitchParameter PassThru { get; set; } 
@@ -150,9 +188,23 @@ public override void ExecuteCmdlet() this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName); } + string itemType = null; + if (this.IsParameterBound(c => c.ItemType)) + { + itemType = this.ItemType.GetItemTypeString(); + } + if (this.ShouldProcess(this.WorkspaceName, String.Format(Resources.RemovingSynapseRoleAssignment, this.RoleDefinitionId, this.ObjectId, this.WorkspaceName))) { - SynapseAnalyticsClient.DeleteRoleAssignmentByName(this.RoleDefinitionId, this.ObjectId); + // Item type and item should appear Report error if either item type or item is specified. + if ((!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) || + (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item))) + { + throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether)); + } + + string scope = SynapseAnalyticsClient.GetRoleAssignmentScope(this.WorkspaceName, itemType, this.Item); + SynapseAnalyticsClient.DeleteRoleAssignmentByName(this.WorkspaceName, this.RoleDefinitionId, this.ObjectId, scope); if (PassThru) { WriteObject(true); diff --git a/src/Synapse/Synapse/Common/HelpMessages.cs b/src/Synapse/Synapse/Common/HelpMessages.cs index cc410a427ec7..55c81c58c3d1 100644 --- a/src/Synapse/Synapse/Common/HelpMessages.cs +++ b/src/Synapse/Synapse/Common/HelpMessages.cs @@ -267,7 +267,7 @@ SELECT on dbo.myTable by public public const string RoleDefinitionId = "Id of the Role that is assigned to the principal."; - public const string RoleDefinitionName = "Name of the Role that is assigned to the principal."; + public const string RoleDefinitionName = "Name of the Role that is assigned to the principal."; public const string PrincipalId = "The Azure AD ObjectId of the User, Group or Service Principal."; 
@@ -417,6 +417,12 @@ SELECT on dbo.myTable by public public const string WorkspaceKeyName = "The name of the workspace key."; + public const string WorkspaceItemType = "The workspace item type."; + + public const string WorkspaceItem = "The workspace item."; + + public const string WorkspacePrincipalType = "The workspace principal type."; + public const string IsActiveCustomerManagedKey = "Indicates whether to activate the workspace after a customer managed key is provided."; public const string KeyResourceId = "The resource identifier of Synapse SQL Pool."; diff --git a/src/Synapse/Synapse/Common/Utils.cs b/src/Synapse/Synapse/Common/Utils.cs index 568c8210ad95..1fbe67ac40b9 100644 --- a/src/Synapse/Synapse/Common/Utils.cs +++ b/src/Synapse/Synapse/Common/Utils.cs @@ -13,6 +13,7 @@ using System.Linq; using System.Net; using System.Text.RegularExpressions; +using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants; namespace Microsoft.Azure.Commands.Synapse.Common { 
@@ -197,5 +198,46 @@ public static Response Poll(this Operation operation)
 {
 return operation.WaitForCompletionAsync().Result;
 }
+
+ public static string GetItemTypeString(this WorkspaceItemType itemType)
+ {
+ string itemTypeString = null;
+ switch (itemType)
+ {
+ case WorkspaceItemType.ApacheSparkPool:
+ itemTypeString = "bigDataPools";
+ break;
+ case WorkspaceItemType.IntegrationRuntime:
+ itemTypeString = "integrationRuntimes";
+ break;
+ case WorkspaceItemType.LinkedService:
+ itemTypeString = "linkedServices";
+ break;
+ case WorkspaceItemType.Credential:
+ itemTypeString = "credentials";
+ break;
+ }
+
+ return itemTypeString;
+ }
+
+ public static string GetPrincipalTypeString(this PrincipalType principalType)
+ {
+ string principalTypeString = null;
+ switch (principalType)
+ {
+ case PrincipalType.User:
+ principalTypeString = "User";
+ break;
+ case PrincipalType.Group:
+ principalTypeString = "Group";
+ break;
+ case PrincipalType.ServicePrincipal:
+ principalTypeString = "ServicePrincipal";
+ break;
+ }
+
+ return principalTypeString;
+ }
 }
 }
diff --git a/src/Synapse/Synapse/Models/PSRoleAssignmentDetails.cs b/src/Synapse/Synapse/Models/PSRoleAssignmentDetails.cs
index fb8dba3a2560..e2dd309e3cd5 100644
--- a/src/Synapse/Synapse/Models/PSRoleAssignmentDetails.cs
+++ b/src/Synapse/Synapse/Models/PSRoleAssignmentDetails.cs
@@ -1,8 +1,4 @@
-using Azure.Analytics.Synapse.AccessControl;
-using Azure.Analytics.Synapse.AccessControl.Models;
-using System;
-using System.Collections.Generic;
-using System.Text;
+using Azure.Analytics.Synapse.AccessControl.Models;
 
 namespace Microsoft.Azure.Commands.Synapse.Models
 {
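Review bot: `GetItemTypeString` has no `default` branch, so any `WorkspaceItemType` value without a `case` returns `null`. `GetRoleAssignmentScope` (SynapseAnalyticsRoleClient.cs in this commit) treats a null or empty `itemType` as "no item" and returns `workspaces/{workspaceName}`, which means an enum member added later without a matching `case` would turn an item-scoped grant into a workspace-wide one without any error. Fail closed with `default: throw new ArgumentOutOfRangeException(nameof(itemType), itemType, null);` (this needs `System` in scope, which is not visible in the hunk), and do the same in `GetPrincipalTypeString`. Both methods would also benefit from an XML doc comment saying what the returned string is used for, since callers place it into the scope path and the create request.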
@@ -11,8 +7,10 @@ public class PSRoleAssignmentDetails public PSRoleAssignmentDetails(RoleAssignmentDetails roleAssignmentDetails) { this.RoleAssignmentId = roleAssignmentDetails.Id; - this.RoleDefinitionId = roleAssignmentDetails.RoleId; - this.ObjectId = roleAssignmentDetails.PrincipalId; + this.RoleDefinitionId = roleAssignmentDetails.RoleDefinitionId?.ToString(); + this.ObjectId = roleAssignmentDetails.PrincipalId?.ToString(); + this.Scope = roleAssignmentDetails.Scope; + this.principalType = roleAssignmentDetails.PrincipalType; } public string RoleAssignmentId { get; set; } @@ -20,5 +18,9 @@ public PSRoleAssignmentDetails(RoleAssignmentDetails roleAssignmentDetails) public string RoleDefinitionId { get; set; } public string ObjectId { get; set; } + + public string Scope { get; set; } + + public string principalType { get; set; } } } diff --git a/src/Synapse/Synapse/Models/PSSynapseRole.cs b/src/Synapse/Synapse/Models/PSSynapseRole.cs index 75c87ca58eb6..f45351bbb1fe 100644 --- a/src/Synapse/Synapse/Models/PSSynapseRole.cs +++ b/src/Synapse/Synapse/Models/PSSynapseRole.cs @@ -7,11 +7,15 @@ namespace Microsoft.Azure.Commands.Synapse.Models { public class PSSynapseRole { - public PSSynapseRole(SynapseRole synapseRole) + public PSSynapseRole(SynapseRoleDefinition synapseRole) { - this.Id = synapseRole.Id; + this.Id = synapseRole.Id?.ToString(); this.Name = synapseRole.Name; - this.IsBuiltIn = synapseRole.IsBuiltIn; + this.IsBuiltIn = synapseRole.IsBuiltIn.Value; + this.Description = synapseRole.Description; + this.AvailabilityStatus = synapseRole.AvailabilityStatus; + this.Permissions = synapseRole.Permissions; + this.Scopes = synapseRole.Scopes; } public string Id { get; set; } 
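Review bot: The new public property is named `principalType`, while every other property on `PSRoleAssignmentDetails` is PascalCase (`RoleAssignmentId`, `ObjectId`, `Scope`). Because it becomes part of the cmdlet's output object, renaming it after release would be a breaking change, so fix it now: `this.PrincipalType = roleAssignmentDetails.PrincipalType;` and `public string PrincipalType { get; set; }`. The property declaration itself is in the following hunk of the same file.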
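Review bot: In the `PSSynapseRole` constructor, `synapseRole.IsBuiltIn.Value` throws `InvalidOperationException` when the flag is absent, while the line above guards `Id` with `?.`; the `.Value` implies `IsBuiltIn` is nullable in the new SDK model. Use `this.IsBuiltIn = synapseRole.IsBuiltIn ?? false;` or make the property `bool?`, so that one incomplete role definition cannot abort the listing of the others. The class's property declarations continue in the next hunk.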
@@ -19,5 +23,13 @@ public PSSynapseRole(SynapseRole synapseRole) public string Name { get; set; } public bool IsBuiltIn { get; set; } + + public string Description { get; set; } + + public string AvailabilityStatus { get; set; } + + public IReadOnlyList Permissions { get; set; } + + public IReadOnlyList Scopes { get; set; } } } diff --git a/src/Synapse/Synapse/Models/SynapseAnalyticsRoleClient.cs b/src/Synapse/Synapse/Models/SynapseAnalyticsRoleClient.cs index fcac25967132..2f7cd1070d1e 100644 --- a/src/Synapse/Synapse/Models/SynapseAnalyticsRoleClient.cs +++ b/src/Synapse/Synapse/Models/SynapseAnalyticsRoleClient.cs @@ -1,5 +1,4 @@ -using Azure; -using Azure.Analytics.Synapse.AccessControl; +using Azure.Analytics.Synapse.AccessControl; using Azure.Analytics.Synapse.AccessControl.Models; using Microsoft.Azure.Commands.Common.Authentication.Abstractions; using Microsoft.Azure.Commands.Common.Exceptions; @@ -11,13 +10,13 @@ using System; using System.Collections.Generic; using System.Linq; -using System.Text; namespace Microsoft.Azure.Commands.Synapse.Models { public class SynapseAnalyticsRoleClient { - private readonly AccessControlClient _accessControlClient; + private readonly RoleAssignmentsClient _roleAssignmentsClient; + private readonly RoleDefinitionsClient _roleDefinitionsClient; private readonly ActiveDirectoryClient _activeDirectoryClient; public SynapseAnalyticsRoleClient(string workspaceName, IAzureContext context) 
@@ -29,45 +28,65 @@ public SynapseAnalyticsRoleClient(string workspaceName, IAzureContext context) string suffix = context.Environment.GetEndpoint(AzureEnvironment.ExtendedEndpoint.AzureSynapseAnalyticsEndpointSuffix); Uri uri = new Uri("https://" + workspaceName + "." + suffix); - _accessControlClient = new AccessControlClient(uri, new AzureSessionCredential(context)); + _roleAssignmentsClient = new RoleAssignmentsClient(uri, new AzureSessionCredential(context)); + _roleDefinitionsClient = new RoleDefinitionsClient(uri, new AzureSessionCredential(context)); _activeDirectoryClient = new ActiveDirectoryClient(context); } - public IReadOnlyList ListRoleAssignments(string roleDefinitionId = null, string objectId = null, string continuationToken = null) + public IReadOnlyList ListRoleAssignments(string roleDefinitionId = null, string objectId = null, string scope = null) { - return _accessControlClient.GetRoleAssignments(roleDefinitionId, objectId, continuationToken).Value; + return _roleAssignmentsClient.ListRoleAssignments(roleDefinitionId, objectId, scope).Value.Value; } public RoleAssignmentDetails GetRoleAssignmentById(string roleAssignmentId) { - return _accessControlClient.GetRoleAssignmentById(roleAssignmentId); + return _roleAssignmentsClient.GetRoleAssignmentById(roleAssignmentId); } - public RoleAssignmentDetails CreateRoleAssignment(string roleDefinitionId, string objectId) + public RoleAssignmentDetails CreateRoleAssignment(string roleAssignmentId, string roleDefinitionId, string objectId, string scope, string principalType) { - RoleAssignmentOptions roleAssignmentOptions = new RoleAssignmentOptions(roleDefinitionId, objectId); - return _accessControlClient.CreateRoleAssignment(roleAssignmentOptions).Value; + return _roleAssignmentsClient.CreateRoleAssignment(roleAssignmentId, new Guid(roleDefinitionId), new Guid(objectId), scope, principalType); } public void DeleteRoleAssignmentById(string roleAssignmentId) { - 
_accessControlClient.DeleteRoleAssignmentById(roleAssignmentId); + _roleAssignmentsClient.DeleteRoleAssignmentById(roleAssignmentId); } - public void DeleteRoleAssignmentByName(string roleDefinitionId, string objectId) + public void DeleteRoleAssignmentByName(string workspaceName, string roleDefinitionId, string objectId, string scope) { - string roleAssignmentId = roleDefinitionId + "-" + objectId; - _accessControlClient.DeleteRoleAssignmentById(roleAssignmentId); + var roleAssignments = _roleAssignmentsClient.ListRoleAssignments(roleDefinitionId, objectId).Value.Value + .Where(ra => string.IsNullOrEmpty(scope) || scope.Equals(ra.Scope, StringComparison.OrdinalIgnoreCase)) + .ToList(); + + if (roleAssignments.Count == 0) + { + throw new AzPSResourceNotFoundCloudException(String.Format(Resources.WorkspaceRoleAssignmentNotFound, workspaceName)); + } + else if (roleAssignments.Count == 1) + { + string roleAssignmentId = roleAssignments[0].Id; + _roleAssignmentsClient.DeleteRoleAssignmentById(roleAssignmentId); + } + else + { + throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceRoleAssignmentMoreThanOneFound, workspaceName, string.Join(", ", roleAssignments.Select(ra => ra.Id)))); + } } - public Pageable GetRoleDefinitions() + public IReadOnlyList ListRoleScopes() { - return _accessControlClient.GetRoleDefinitions(); + return _roleDefinitionsClient.ListScopes().Value; } - public SynapseRole GetRoleDefinitionById(string roleId) + public IReadOnlyList GetRoleDefinitions() { - return _accessControlClient.GetRoleDefinitionById(roleId).Value; + return _roleDefinitionsClient.ListRoleDefinitions().Value; + } + + public SynapseRoleDefinition GetRoleDefinitionById(string roleId) + { + return _roleDefinitionsClient.GetRoleDefinitionById(roleId).Value; } public string GetObjectIdFromSignInName(string signInName) 
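Review bot: In `DeleteRoleAssignmentByName` the filter `string.IsNullOrEmpty(scope) || scope.Equals(ra.Scope, ...)` makes a null or empty `scope` match assignments at every scope, so a caller that fails to compute a scope deletes whichever single assignment is left regardless of where it applies. Require a non-empty scope up front, e.g. `if (string.IsNullOrEmpty(scope)) throw new AzPSArgumentNullException("Parameter cannot be null", nameof(scope));`. `ListRoleAssignments` also dropped the `continuationToken` parameter and returns only `.Value.Value`; if the service pages results, both the Get- listing and the count-based delete decision would work from a truncated list, which is worth confirming against the SDK. `CreateRoleAssignment` calls `new Guid(roleDefinitionId)` and `new Guid(objectId)`, which throw `ArgumentNullException` or `FormatException` on missing or malformed ids rather than one of the `AzPS*` exceptions used elsewhere in this class.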
@@ -76,12 +95,14 @@ public string GetObjectIdFromSignInName(string signInName) { return null; } + var odataQueryFilter = new Rest.Azure.OData.ODataQuery(s => s.UserPrincipalName == signInName); var user = _activeDirectoryClient.GraphClient.Users.List(odataQueryFilter.ToString()).SingleOrDefault(); if (user == null) { - throw new InvalidOperationException(String.Format(Resources.UserNameDoesNotExist, signInName)); + throw new AzPSInvalidOperationException(String.Format(Resources.UserNameDoesNotExist, signInName)); } + return user.ObjectId; } @@ -91,12 +112,14 @@ public string GetObjectIdFromServicePrincipalName(string servicePrincipalName) { return null; } + var odataQueryFilter = new Rest.Azure.OData.ODataQuery(s => s.ServicePrincipalNames.Contains(servicePrincipalName)); var servicePrincipal = _activeDirectoryClient.GraphClient.ServicePrincipals.List(odataQueryFilter.ToString()).SingleOrDefault(); if (servicePrincipal == null) { - throw new InvalidOperationException(String.Format(Resources.ServicePrincipalNameDoesNotExist, servicePrincipalName)); + throw new AzPSInvalidOperationException(String.Format(Resources.ServicePrincipalNameDoesNotExist, servicePrincipalName)); } + return servicePrincipal.ObjectId; } 
@@ -106,12 +129,31 @@ public string GetRoleDefinitionIdFromRoleDefinitionName(string roleDefinitionNam { return null; } - var roleDefinition = _accessControlClient.GetRoleDefinitions().SingleOrDefault(element => element.Name == roleDefinitionName); + + var roleDefinition = _roleDefinitionsClient.ListRoleDefinitions().Value.SingleOrDefault(element => element.Name.Equals(roleDefinitionName, StringComparison.OrdinalIgnoreCase)); if (roleDefinition == null) { - throw new InvalidOperationException(String.Format(Resources.RoleDefinitionNameDoesNotExist, roleDefinitionName)); + throw new AzPSInvalidOperationException(String.Format(Resources.RoleDefinitionNameDoesNotExist, roleDefinitionName)); + } + + return roleDefinition.Id.ToString(); + } + + public string GetRoleAssignmentScope(string workspaceName, string itemType, string item) + { + if (string.IsNullOrEmpty(workspaceName)) + { + throw new AzPSArgumentNullException("Parameter cannot be null", workspaceName); + } + + if (!string.IsNullOrEmpty(itemType) && !string.IsNullOrEmpty(item)) + { + return $"workspaces/{workspaceName}/{itemType}/{item}"; + } + else + { + return $"workspaces/{workspaceName}"; } - return roleDefinition.Id; } } } diff --git a/src/Synapse/Synapse/Models/SynapseConstants.cs b/src/Synapse/Synapse/Models/SynapseConstants.cs index 40feb2275d7d..3c1fd5dee740 100644 --- a/src/Synapse/Synapse/Models/SynapseConstants.cs +++ b/src/Synapse/Synapse/Models/SynapseConstants.cs @@ -72,6 +72,8 @@ public static class SynapseConstants public const string RoleDefinition = nameof(RoleDefinition); + public const string RoleScope = nameof(RoleScope); + public const string SparkDotNetJarFile = "local:///usr/hdp/current/spark2-client/jars/microsoft-spark.jar"; public const string SparkDotNetClassName = "org.apache.spark.deploy.dotnet.DotnetRunner"; 
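Review bot: `GetRoleAssignmentScope` passes the value of `workspaceName` as the second argument of `AzPSArgumentNullException`, and on this path that value is always null or empty; if the argument is the parameter name, as it is for `ArgumentNullException`, the call should be `throw new AzPSArgumentNullException("Parameter cannot be null", nameof(workspaceName));`. `item` comes from the `-Item` parameter and is concatenated into the scope path as-is, so a value containing `/` yields a scope with extra segments; rejecting `/` in `workspaceName`, `itemType` and `item` before building the string keeps the requested scope to the shape `workspaces/{name}/{type}/{item}`. In `GetRoleDefinitionIdFromRoleDefinitionName`, `element.Name.Equals(...)` throws if a definition has a null `Name`; `string.Equals(element.Name, roleDefinitionName, StringComparison.OrdinalIgnoreCase)` avoids that.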
@@ -225,5 +227,20 @@ public class DetectionType public const string Unsafe_Action = "Unsafe_Action"; public const string None = "None"; } + + public enum WorkspaceItemType + { + ApacheSparkPool, + IntegrationRuntime, + LinkedService, + Credential + } + + public enum PrincipalType + { + User, + Group, + ServicePrincipal + } } } diff --git a/src/Synapse/Synapse/Properties/Resources.Designer.cs b/src/Synapse/Synapse/Properties/Resources.Designer.cs index 750a79c12bce..8e8cee0a6783 100644 --- a/src/Synapse/Synapse/Properties/Resources.Designer.cs +++ b/src/Synapse/Synapse/Properties/Resources.Designer.cs @@ -1683,6 +1683,15 @@ internal static string WorkspaceDoesNotExist { } } + /// + /// Looks up a localized string similar to Either -ItemType and -Item should appear together or neither of them should be.. + /// + internal static string WorkspaceItemTypeAndItemNotAppearTogether { + get { + return ResourceManager.GetString("WorkspaceItemTypeAndItemNotAppearTogether", resourceCulture); + } + } + /// /// Looks up a localized string similar to A workspace key with name '{0}' in resource group '{1}' under workspace '{2}' already exists. Please use Update-AzSynapseWorkspaceKey to update an existing workspace key.. /// 
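Review bot: The public enums `WorkspaceItemType` and `PrincipalType` are added without XML doc comments, although the help files in this commit list their members as the accepted values of `-ItemType` and `-PrincipalType` on the role-assignment cmdlets. `GetRoleAssignmentScope` takes `itemType` as a string and interpolates it into the scope path, and the conversion from a `WorkspaceItemType` member to that path segment is not visible in this hunk. Once the conversion is confirmed, I would add a summary such as `/// <summary>Kind of workspace item a role assignment can be scoped to; mapped to the scope path segment by the caller.</summary>` on `WorkspaceItemType`, and a matching one-line summary on `PrincipalType`. The enclosing `SynapseConstants` class starts outside the hunk.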
@@ -1691,5 +1700,23 @@ internal static string WorkspaceKeyExists { return ResourceManager.GetString("WorkspaceKeyExists", resourceCulture); } } + + /// + /// Looks up a localized string similar to More than one role assignment under workspace '{0}' was found: {1}. Please condiser using Remove-AzSynapseRoleAssignment -WorkspaceName <string> -RoleAssignmentId <string>. + /// + internal static string WorkspaceRoleAssignmentMoreThanOneFound { + get { + return ResourceManager.GetString("WorkspaceRoleAssignmentMoreThanOneFound", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to Cannot find role assignment under workspace '{0}'.. + /// + internal static string WorkspaceRoleAssignmentNotFound { + get { + return ResourceManager.GetString("WorkspaceRoleAssignmentNotFound", resourceCulture); + } + } } } diff --git a/src/Synapse/Synapse/Properties/Resources.resx b/src/Synapse/Synapse/Properties/Resources.resx index 8f4bcbae688d..87de098baa23 100644 --- a/src/Synapse/Synapse/Properties/Resources.resx +++ b/src/Synapse/Synapse/Properties/Resources.resx @@ -657,9 +657,18 @@ Are you sure you want to continue? Updating workspace key '{0}' in resource group '{1}' under Workspace '{2}'. + + Either -ItemType and -Item should appear together or neither of them should be. + A workspace key with name '{0}' in resource group '{1}' under workspace '{2}' already exists. Please use Update-AzSynapseWorkspaceKey to update an existing workspace key. + + More than one role assignment under workspace '{0}' was found: {1}. Please condiser using Remove-AzSynapseRoleAssignment -WorkspaceName <string> -RoleAssignmentId <string> + + + Cannot find role assignment under workspace '{0}'. + ScanId is a required parameter for this cmdlet. Please explicitly provide it or pass the Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord output via pipe. diff --git a/src/Synapse/Synapse/Synapse.csproj b/src/Synapse/Synapse/Synapse.csproj index 2a71eab958c6..a28485b6b9ee 100644 
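Review bot: The new `WorkspaceRoleAssignmentMoreThanOneFound` string misspells "consider" as "condiser" in user-facing error text, and it lacks the trailing period that the neighbouring messages have. Fix the value in Resources.resx to end with `Please consider using Remove-AzSynapseRoleAssignment -WorkspaceName <string> -RoleAssignmentId <string>.` and regenerate Resources.Designer.cs, whose summary comment repeats the typo. Judging by its wording, this message is shown when a removal matches several assignments, so it should state the recommended narrower command clearly.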
--- a/src/Synapse/Synapse/Synapse.csproj +++ b/src/Synapse/Synapse/Synapse.csproj @@ -13,7 +13,7 @@ - + diff --git a/src/Synapse/Synapse/help/Az.Synapse.md b/src/Synapse/Synapse/help/Az.Synapse.md index c32cf775b308..013ea2057426 100644 --- a/src/Synapse/Synapse/help/Az.Synapse.md +++ b/src/Synapse/Synapse/help/Az.Synapse.md @@ -83,6 +83,9 @@ Gets a Synapse Analytics role assignment. ### [Get-AzSynapseRoleDefinition](Get-AzSynapseRoleDefinition.md) Gets a Synapse Analytics role definition. +### [Get-AzSynapseRoleScope](Get-AzSynapseRoleScope.md) +Gets a Synapse Analytics role scope. + ### [Get-AzSynapseSparkJob](Get-AzSynapseSparkJob.md) Gets a Synapse Analytics Spark job. diff --git a/src/Synapse/Synapse/help/Get-AzSynapseRoleAssignment.md b/src/Synapse/Synapse/help/Get-AzSynapseRoleAssignment.md index 8814a0358499..799a2b871ad5 100644 --- a/src/Synapse/Synapse/help/Get-AzSynapseRoleAssignment.md +++ b/src/Synapse/Synapse/help/Get-AzSynapseRoleAssignment.md @@ -15,19 +15,22 @@ Gets a Synapse Analytics role assignment. ### GetByWorkspaceNameAndNameParameterSet (Default) ``` Get-AzSynapseRoleAssignment -WorkspaceName [-RoleDefinitionName ] [-SignInName ] - [-DefaultProfile ] [] + [-ItemType ] [-Item ] [-DefaultProfile ] + [] ``` ### GetByWorkspaceNameAndIdParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceName [-RoleDefinitionName ] [-ObjectId ] - [-DefaultProfile ] [] + [-ItemType ] [-Item ] [-DefaultProfile ] + [] ``` ### GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionId [-ObjectId ] - [-DefaultProfile ] [] + [-ItemType ] [-Item ] [-DefaultProfile ] + [] ``` ### GetByWorkspaceNameAndAssignmentIdParameterSet 
@@ -39,25 +42,29 @@ Get-AzSynapseRoleAssignment -WorkspaceName -RoleAssignmentId ### GetByWorkspaceNameAndServicePrincipalNameParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceName [-RoleDefinitionName ] - [-ServicePrincipalName ] [-DefaultProfile ] [] + [-ServicePrincipalName ] [-ItemType ] [-Item ] + [-DefaultProfile ] [] ``` ### GetByWorkspaceObjectAndNameParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceObject [-RoleDefinitionName ] - -SignInName [-DefaultProfile ] [] + -SignInName [-ItemType ] [-Item ] + [-DefaultProfile ] [] ``` ### GetByWorkspaceObjectAndIdParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceObject [-RoleDefinitionName ] - [-ObjectId ] [-DefaultProfile ] [] + [-ObjectId ] [-ItemType ] [-Item ] + [-DefaultProfile ] [] ``` ### GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionId - [-ObjectId ] [-DefaultProfile ] [] + [-ObjectId ] [-ItemType ] [-Item ] + [-DefaultProfile ] [] ``` ### GetByWorkspaceObjectAndAssignmentIdParameterSet @@ -69,7 +76,8 @@ Get-AzSynapseRoleAssignment -WorkspaceObject -RoleAssignmen ### GetByWorkspaceObjectAndServicePrincipalNameParameterSet ``` Get-AzSynapseRoleAssignment -WorkspaceObject [-RoleDefinitionName ] - -ServicePrincipalName [-DefaultProfile ] [] + -ServicePrincipalName [-ItemType ] [-Item ] + [-DefaultProfile ] [] ``` ## DESCRIPTION @@ -86,14 +94,14 @@ PS C:\> Get-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace This command gets all role assignments under a workspace. ### Example 2 -```powershells +```powershell PS C:\> Get-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole ``` This command gets all role assignments under workspace ContosoWorkspace with role name ContosoRole. ### Example 3 -```powershells +```powershell PS C:\> Get-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole -SignInName ContosoName ``` 
@@ -101,6 +109,20 @@ This command gets a role assignment under workspace ContosoWorkspace with role n ### Example 4 ```powershell +PS C:\> Get-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole -SignInName ContosoName -ItemType ContosoItemType +``` + +This command gets role assignments under workspace ContosoWorkspace with role name ContosoRole, user principal name ContosoName and under itemtype ContosoItemtype. + +### Example 5 +```powershell +PS C:\> Get-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole -SignInName ContosoName -ItemType ContosoItemType -Item ContosoItem +``` + +This command gets a role assignment under workspace ContosoWorkspace with role name ContosoRole, user principal name ContosoName, ContosoItemType and ContosoItem. + +### Example 6 +```powershell PS C:\> $ws = Get-AzSynapseWorkspace -Name ContosoWorkspace PS C:\> $ws | Get-AzSynapseRoleAssignment ``` 
@@ -124,6 +146,37 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Item +The item of Azure Synapse workspace. + +```yaml +Type: System.String +Parameter Sets: GetByWorkspaceNameAndNameParameterSet, GetByWorkspaceNameAndIdParameterSet, GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet, GetByWorkspaceNameAndServicePrincipalNameParameterSet, GetByWorkspaceObjectAndNameParameterSet, GetByWorkspaceObjectAndIdParameterSet, GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet, GetByWorkspaceObjectAndServicePrincipalNameParameterSet +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ItemType +The itemtype of Azure Synapse workspace. + +```yaml +Type: Microsoft.Azure.Commands.Synapse.Models.SynapseConstants+WorkspaceItemType +Parameter Sets: GetByWorkspaceNameAndNameParameterSet, GetByWorkspaceNameAndIdParameterSet, GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet, GetByWorkspaceNameAndServicePrincipalNameParameterSet, GetByWorkspaceObjectAndNameParameterSet, GetByWorkspaceObjectAndIdParameterSet, GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet, GetByWorkspaceObjectAndServicePrincipalNameParameterSet +Aliases: +Accepted values: ApacheSparkPool, IntegrationRuntime, LinkedService, Credential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ObjectId The Azure AD ObjectId of the User, Group or Service Principal. diff --git a/src/Synapse/Synapse/help/Get-AzSynapseRoleScope.md b/src/Synapse/Synapse/help/Get-AzSynapseRoleScope.md new file mode 100644 index 000000000000..318e339b213b --- /dev/null +++ b/src/Synapse/Synapse/help/Get-AzSynapseRoleScope.md 
@@ -0,0 +1,122 @@ +--- +external help file: Microsoft.Azure.PowerShell.Cmdlets.Synapse.dll-Help.xml +Module Name: Az.Synapse +online version: https://docs.microsoft.com/powershell/module/az.synapse/get-azsynapserolescope +schema: 2.0.0 +--- + +# Get-AzSynapseRoleScope + +## SYNOPSIS +Gets a Synapse Analytics role scope. + +## SYNTAX + +### GetByWorkspaceNameParameterSet (Default) +``` +Get-AzSynapseRoleScope -WorkspaceName [-ResourceId ] + [-DefaultProfile ] [] +``` + +### GetByWorkspaceObjectParameterSet +``` +Get-AzSynapseRoleScope -WorkspaceObject [-ResourceId ] + [-DefaultProfile ] [] +``` + +## DESCRIPTION +The **Get-AzSynapseRoleScope** cmdlet gets a Azure Synapse Analytics Role Scope. + +## EXAMPLES + +### Example 1 +```powershell +PS C:\> Get-AzSynapseRoleScope -WorkspaceName ContosoWorkspace +``` + +This command gets all role scopes under a workspace. + +### Example 6 +```powershell +PS C:\> $ws = Get-AzSynapseWorkspace -Name ContosoWorkspace +PS C:\> $ws | Get-AzSynapseRoleScope +``` + +This command gets all role scopes under a workspace through pipeline. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer +Parameter Sets: (All) +Aliases: AzContext, AzureRmContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceId +Resource identifier of Synapse workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +Name of Synapse workspace. 
+ +```yaml +Type: System.String +Parameter Sets: GetByWorkspaceNameParameterSet +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceObject +workspace input object, usually passed through the pipeline. + +```yaml +Type: Microsoft.Azure.Commands.Synapse.Models.PSSynapseWorkspace +Parameter Sets: GetByWorkspaceObjectParameterSet +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.Commands.Synapse.Models.PSSynapseWorkspace + +## OUTPUTS + +### Microsoft.Azure.Commands.Synapse.Models.PSSynapseRole + +## NOTES + +## RELATED LINKS diff --git a/src/Synapse/Synapse/help/New-AzSynapseRoleAssignment.md b/src/Synapse/Synapse/help/New-AzSynapseRoleAssignment.md index cd586cff9a8c..1a7b26dec874 100644 --- a/src/Synapse/Synapse/help/New-AzSynapseRoleAssignment.md +++ b/src/Synapse/Synapse/help/New-AzSynapseRoleAssignment.md 
@@ -14,52 +14,58 @@ Creates a Synapse Analytics role assignment. ### NewByWorkspaceNameAndNameParameterSet (Default) ``` -New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -SignInName [-AsJob] +New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -SignInName + [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceNameAndIdParameterSet ``` -New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -ObjectId [-AsJob] +New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -ObjectId + [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet ``` -New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionId -ObjectId [-AsJob] +New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionId -ObjectId + [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceNameAndServicePrincipalNameParameterSet ``` New-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -ServicePrincipalName - [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceObjectAndNameParameterSet ``` New-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -SignInName [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] - [] + -SignInName [-ItemType ] [-Item ] [-PrincipalType ] + [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceObjectAndIdParameterSet ``` New-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -ObjectId [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] - [] + -ObjectId [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet ``` New-AzSynapseRoleAssignment -WorkspaceObject 
-RoleDefinitionId -ObjectId - [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-ItemType ] [-Item ] [-PrincipalType ] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### NewByWorkspaceObjectAndServicePrincipalNameParameterSet ``` New-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -ServicePrincipalName [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] + -ServicePrincipalName [-ItemType ] [-Item ] + [-PrincipalType ] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -77,6 +83,20 @@ This command assigns ContosoRole to the user whose principal name is ContosoName ### Example 2 ```powershell +PS C:\> New-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole -SignInName ContosoName -ItemType ContosoItemType -Item ContosoItem +``` + +This command assigns ContosoRole to the user whose principal name is ContosoName and item type is ContosoItemType, item is ContosoItem. + +### Example 3 +```powershell +PS C:\> New-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleDefinitionName ContosoRole -SignInName ContosoName -ItemType ContosoItemType -Item ContosoItem -PrincipalType ContosoPrincipalType +``` + +This command assigns ContosoRole to the user whose principal name is ContosoName and item type is ContosoItemType, item is ContosoItem, principal type is ContosoPrincipalType. + +### Example 4 +```powershell PS C:\> $ws = Get-AzSynapseWorkspace -Name ContosoWorkspace PS C:\> $ws | New-AzSynapseRoleAssignment -RoleDefinitionName ContosoRole -SignInName ContosoName ``` 
@@ -115,6 +135,37 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Item +The workspace item. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ItemType +The workspace item type. + +```yaml +Type: Microsoft.Azure.Commands.Synapse.Models.SynapseConstants+WorkspaceItemType +Parameter Sets: (All) +Aliases: +Accepted values: ApacheSparkPool, IntegrationRuntime, LinkedService, Credential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ObjectId The Azure AD ObjectId of the User, Group or Service Principal. @@ -130,6 +181,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -PrincipalType +The workspace principal type. + +```yaml +Type: Microsoft.Azure.Commands.Synapse.Models.SynapseConstants+PrincipalType +Parameter Sets: (All) +Aliases: +Accepted values: User, Group, ServicePrincipal + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -RoleDefinitionId Id of the Role that is assigned to the principal. diff --git a/src/Synapse/Synapse/help/Remove-AzSynapseRoleAssignment.md b/src/Synapse/Synapse/help/Remove-AzSynapseRoleAssignment.md index 91b57d8d8cd1..dc87125b397a 100644 --- a/src/Synapse/Synapse/help/Remove-AzSynapseRoleAssignment.md +++ b/src/Synapse/Synapse/help/Remove-AzSynapseRoleAssignment.md @@ -15,7 +15,8 @@ Deletes a Synapse Analytics role assignment. ### RemoveByWorkspaceNameAndNameParameterSet (Default) ``` Remove-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName -SignInName - [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceNameAndIdParameterSet 
@@ -27,20 +28,22 @@ Remove-AzSynapseRoleAssignment -WorkspaceName -RoleAssignmentId -RoleDefinitionName -ObjectId - [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceNameAndRoleDefinitionIdParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionId -ObjectId - [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceNameAndServicePrincipalNameParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceName -RoleDefinitionName - -ServicePrincipalName [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] - [-Confirm] [] + -ServicePrincipalName [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceObjectAndIdParameterSet 
@@ -52,29 +55,29 @@ Remove-AzSynapseRoleAssignment -WorkspaceObject -RoleAssign ### RemoveByWorkspaceObjectAndNameParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -SignInName [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] - [] + -SignInName [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceObjectAndObjectIdParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -ObjectId [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] - [] + -ObjectId [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceObjectAndRoleDefinitionIdParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionId - -ObjectId [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] [-Confirm] - [] + -ObjectId [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### RemoveByWorkspaceObjectAndServicePrincipalNameParameterSet ``` Remove-AzSynapseRoleAssignment -WorkspaceObject -RoleDefinitionName - -ServicePrincipalName [-PassThru] [-AsJob] [-DefaultProfile ] [-WhatIf] - [-Confirm] [] + -ServicePrincipalName [-ItemType ] [-Item ] [-PassThru] [-AsJob] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION 
@@ -94,10 +97,17 @@ This command deletes an Azure Synapse Analytics role assignment with a role assi PS C:\> Remove-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleAssignmentName ContosoRole -SignInName ContosoName ``` -This command deletes an Azure Synapse Analytics role assignment with a role name and a user principal name. +This command deletes an Azure Synapse Analytics role assignment at workspace level with a role name and a user principal name. ### Example 3 ```powershell +PS C:\> Remove-AzSynapseRoleAssignment -WorkspaceName ContosoWorkspace -RoleAssignmentName ContosoRole -SignInName ContosoName -ItemType ContosoItemType -Item ContosoItem +``` + +This command deletes an Azure Synapse Analytics role assignment with a role name, a user principal name, a item type and a item. + +### Example 4 +```powershell PS C:\> $ws = Get-AzSynapseWorkspace -Name ContosoWorkspace PS C:\> $ws | Remove-AzSynapseRoleAssignment -RoleAssignmentId ContosoRoleAssignmentId ``` 
@@ -136,6 +146,37 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Item +The item of Azure Synapse workspace. + +```yaml +Type: System.String +Parameter Sets: RemoveByWorkspaceNameAndNameParameterSet, RemoveByWorkspaceNameAndObjectIdParameterSet, RemoveByWorkspaceNameAndRoleDefinitionIdParameterSet, RemoveByWorkspaceNameAndServicePrincipalNameParameterSet, RemoveByWorkspaceObjectAndNameParameterSet, RemoveByWorkspaceObjectAndObjectIdParameterSet, RemoveByWorkspaceObjectAndRoleDefinitionIdParameterSet, RemoveByWorkspaceObjectAndServicePrincipalNameParameterSet +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ItemType +The itemtype of Azure Synapse workspace. + +```yaml +Type: Microsoft.Azure.Commands.Synapse.Models.SynapseConstants+WorkspaceItemType +Parameter Sets: RemoveByWorkspaceNameAndNameParameterSet, RemoveByWorkspaceNameAndObjectIdParameterSet, RemoveByWorkspaceNameAndRoleDefinitionIdParameterSet, RemoveByWorkspaceNameAndServicePrincipalNameParameterSet, RemoveByWorkspaceObjectAndNameParameterSet, RemoveByWorkspaceObjectAndObjectIdParameterSet, RemoveByWorkspaceObjectAndRoleDefinitionIdParameterSet, RemoveByWorkspaceObjectAndServicePrincipalNameParameterSet +Aliases: +Accepted values: ApacheSparkPool, IntegrationRuntime, LinkedService, Credential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ObjectId The Azure AD ObjectId of the User, Group or Service Principal. @@ -317,3 +358,5 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## NOTES ## RELATED LINKS + +## RELATED LINKS