Updated support for synapse role assignment and Added support for role scope #14172

Merged
Changes from 32 commits
36 commits
062146a
fixing compliationerror
zesluo Feb 10, 2021
97f37c4
getroleassignment
zesluo Feb 19, 2021
d2fa903
refine parametersetname
zesluo Mar 12, 2021
b1cd8b5
Merge branch 'master' into zeshi/accesscontrolnewsdk
zesluo Mar 12, 2021
7197b83
add scope to newroleassignment
zesluo Mar 15, 2021
5487fc7
add list scope command
zesluo Mar 15, 2021
0d10f47
refine new-azuresynapseroleassignment
zesluo Mar 16, 2021
f412876
add Itemtype and Item
zesluo Mar 16, 2021
e787196
refine newAzureSynapseRoleAssignment
zesluo Mar 19, 2021
df14f92
remove unnecessary feeds
zesluo Mar 19, 2021
2a509b7
refine deleteroleassignmentid
zesluo Mar 23, 2021
84236ef
refine resourceid name
zesluo Mar 23, 2021
6a3ca26
improve remove and getroleassignments
zesluo Mar 31, 2021
585d3f7
itemtype and item improvement
zesluo Apr 1, 2021
7284040
Fix a few issues
Apr 2, 2021
2583a84
Correct exception types
Apr 2, 2021
91e1e29
add principle type
zesluo Apr 5, 2021
c8555d3
add principaltype
zesluo Apr 6, 2021
ee1ba9a
Merge branch 'master' of https://github.com/Azure/azure-powershell in…
zesluo Apr 6, 2021
ab1f2e7
caseinsent
zesluo Apr 6, 2021
12ea62c
update changelog
zesluo Apr 6, 2021
850226c
add doc for get-azsyanpserolescope
zesluo Apr 6, 2021
c8184ca
remove powershlles
zesluo Apr 6, 2021
24232cb
update help doc
zesluo Apr 6, 2021
351318e
add objectid back
zesluo Apr 6, 2021
eba1c34
update Az.Synapse.md
zesluo Apr 6, 2021
4f35647
update auto generated mdfiles
zesluo Apr 6, 2021
43c8e1d
update changelog
zesluo Apr 7, 2021
d6f8a4c
update changelog2
zesluo Apr 7, 2021
bc5873e
update changelog3
zesluo Apr 7, 2021
99336aa
update changelog4
zesluo Apr 7, 2021
11576cd
update changelog5
zesluo Apr 8, 2021
ce1fb1f
update changelog6
zesluo Apr 8, 2021
05c3fc1
update changelog7
zesluo Apr 8, 2021
4e6c2fa
Update src/Synapse/Synapse/ChangeLog.md
zesluo Apr 8, 2021
474ae0d
Merge branch 'release-2021-04-13' into zeshi/accesscontrolnewsdk
BethanyZhou Apr 8, 2021
2 changes: 1 addition & 1 deletion src/Synapse/Synapse/Az.Synapse.psd1
Expand Up @@ -123,7 +123,7 @@ CmdletsToExport = 'Get-AzSynapseSparkJob', 'Stop-AzSynapseSparkJob',
'Remove-AzSynapseFirewallRule', 'Get-AzSynapseFirewallRule',
'Update-AzSynapseFirewallRule', 'Get-AzSynapseRoleAssignment',
'New-AzSynapseRoleAssignment', 'Remove-AzSynapseRoleAssignment',
'Get-AzSynapseRoleDefinition', 'Get-AzSynapseSqlDatabase',
'Get-AzSynapseRoleDefinition', 'Get-AzSynapseRoleScope', 'Get-AzSynapseSqlDatabase',
'New-AzSynapseSqlDatabase', 'Remove-AzSynapseSqlDatabase',
'Update-AzSynapseSqlDatabase', 'Test-AzSynapseSqlDatabase',
'Disable-AzSynapseSqlPoolSensitivityRecommendation',
6 changes: 6 additions & 0 deletions src/Synapse/Synapse/ChangeLog.md
Expand Up @@ -18,6 +18,12 @@
- Additional information about change #1
-->
## Upcoming Release
* Add support for Synapse Role-based access control
* Upgraded Azure.Analytics.Synapse.AccessControl to 1.0.0-preview.3
* Updated `New-AzSynapseRoleAssignment` cmdlet
* Updated `Get-AzSynapseRoleAssignment` cmdlet
* Updated `Remove-AzSynapseRoleAssignment` cmdlet
* Added `Get-AzSynapseRoleScope` cmdlet
* Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0
* Added -AllowAllIp and set IP range to 0.0.0.0-255.255.255.255
* Fixed the issue of retrieving Apache Spark pool information through management API
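Review bot: The three "Updated ... cmdlet" entries under "Add support for Synapse Role-based access control" do not tell a user what changed. The code in this PR adds `-ItemType`, `-Item` and `-PrincipalType` to `New-AzSynapseRoleAssignment` and `-ItemType`/`-Item` filtering to `Get-AzSynapseRoleAssignment`; naming those parameters in the entries would let someone reading the release notes see that role assignments can now be scoped below the workspace. The entry for `Azure.Analytics.Synapse.AccessControl` 1.0.0-preview.3 should also say that this is a preview SDK version.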
@@ -1,13 +1,11 @@
using Azure.Analytics.Synapse.AccessControl;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
using Microsoft.Azure.Commands.Synapse.Common;
using Microsoft.Azure.Commands.Synapse.Models;
using Microsoft.WindowsAzure.Commands.Utilities.Common;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;
using System.Text;
using System.Text.RegularExpressions;
using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;

namespace Microsoft.Azure.Commands.Synapse
{
Expand Down Expand Up @@ -110,6 +108,44 @@ public class GetAzureSynapseRoleAssignment : SynapseRoleCmdletBase
[ValidateNotNullOrEmpty]
public string ObjectId { get; set; }

[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[ValidateNotNullOrEmpty]
public WorkspaceItemType ItemType { get; set; }

[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[ValidateNotNullOrEmpty]
public string Item { get; set; }

public override void ExecuteCmdlet()
{
if (this.IsParameterBound(c => c.WorkspaceObject))
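Review bot: `ItemType` and `Item` are declared on all eight parameter sets, including `GetByWorkspaceNameAndIdParameterSet` and `GetByWorkspaceObjectAndIdParameterSet`. If those are the sets that bind `RoleAssignmentId`, the two values are accepted there but never used, because the by-id branch of `ExecuteCmdlet` writes the single assignment without applying any scope filter. Either drop the attributes for those two sets or document that the filter is ignored when an assignment ID is given. Separately, `[ValidateNotNullOrEmpty]` on `ItemType` has no effect if `WorkspaceItemType` is an enum.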
Expand All @@ -132,22 +168,39 @@ public override void ExecuteCmdlet()
this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
}

string itemType = null;
if (this.IsParameterBound(c => c.ItemType))
{
itemType = this.ItemType.GetItemTypeString();
}

if (this.IsParameterBound(c => c.RoleAssignmentId))
{
WriteObject(new PSRoleAssignmentDetails(SynapseAnalyticsClient.GetRoleAssignmentById(this.RoleAssignmentId)));
}
else
{
var roleAssignment = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId)
.Select(element => new PSRoleAssignmentDetails(element));
var roleAssignments = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId).Select(element => new PSRoleAssignmentDetails(element));
string allowedScopePattern = null;
if (this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
{
allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/{this.Item}$)";
}
else if (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item))
{
allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/[^/]+$)";
}
else if (!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
{
allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/[^/]+/{this.Item}$)";
}

// TODO: Currently, when only `ObjectId` is specified, the cmdlet returns incorrect result. Filter from client side as a workaround
if (!string.IsNullOrEmpty(this.ObjectId))
if (!string.IsNullOrEmpty(allowedScopePattern))
{
roleAssignment = roleAssignment.Where(element => element.ObjectId == this.ObjectId);
roleAssignments = roleAssignments.Where(ra => ra.Scope == null || Regex.IsMatch(ra.Scope, allowedScopePattern, RegexOptions.IgnoreCase));
}

WriteObject(roleAssignment, true);
WriteObject(roleAssignments, true);
}
}
}
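Review bot: `allowedScopePattern` is built by interpolating `this.WorkspaceName`, `itemType` and `this.Item` directly into a regular expression, so any regex metacharacter in those values changes what the filter matches. A `.` in an item name matches any character, and a value containing `|` or `.*` widens the match to other scopes, which makes the listing of who holds a role at a given scope unreliable. Wrap each interpolated value in `Regex.Escape(...)`, or build the expected scope strings and compare them with `String.Equals(..., StringComparison.OrdinalIgnoreCase)`. Two further points: `ra.Scope == null ||` lets assignments with no scope through every filter, which needs a comment explaining why; and the client-side `ObjectId` filter with its TODO appears to be removed (the `Where` on `element.ObjectId` still uses the old `roleAssignment` name), so please confirm that the service now returns correct results when only `ObjectId` is specified.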
@@ -0,0 +1,57 @@
using Microsoft.Azure.Commands.Common.Exceptions;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
using Microsoft.Azure.Commands.Synapse.Common;
using Microsoft.Azure.Commands.Synapse.Models;
using Microsoft.Azure.Commands.Synapse.Properties;
using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
using Microsoft.WindowsAzure.Commands.Utilities.Common;
using System;
using System.Linq;
using System.Management.Automation;

namespace Microsoft.Azure.Commands.Synapse
{
[Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + SynapseConstants.SynapsePrefix + SynapseConstants.RoleScope,
DefaultParameterSetName = GetByWorkspaceNameParameterSet)]
[OutputType(typeof(PSSynapseRole))]
public class GetAzureSynapseRoleScope : SynapseRoleCmdletBase
{
private const string GetByWorkspaceNameParameterSet = "GetByWorkspaceNameParameterSet";
private const string GetByWorkspaceObjectParameterSet = "GetByWorkspaceObjectParameterSet";

[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
Mandatory = true, HelpMessage = HelpMessages.WorkspaceName)]
[ResourceNameCompleter(ResourceTypes.Workspace, "ResourceGroupName")]
[ValidateNotNullOrEmpty]
public override string WorkspaceName { get; set; }

[Parameter(ValueFromPipeline = true, ParameterSetName = GetByWorkspaceObjectParameterSet,
Mandatory = true, HelpMessage = HelpMessages.WorkspaceObject)]
[ValidateNotNull]
public PSSynapseWorkspace WorkspaceObject { get; set; }

[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
[Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectParameterSet,
Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
[ValidateNotNullOrEmpty]
public string ResourceId { get; set; }

public override void ExecuteCmdlet()
{
if (this.IsParameterBound(c => c.ResourceId))
{
var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
this.WorkspaceName = resourceIdentifier.ResourceName;
}

if (this.IsParameterBound(c => c.WorkspaceObject))
{
this.WorkspaceName = this.WorkspaceObject.Name;
}

var roleScopes = SynapseAnalyticsClient.ListRoleScopes();
WriteObject(roleScopes, true);
}
}
}
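Review bot: `ResourceId` is optional in both parameter sets while `WorkspaceName` and `WorkspaceObject` are each `Mandatory = true` in theirs, so `-ResourceId` can never be passed on its own. In the by-name set it silently overwrites the `WorkspaceName` the caller also had to supply, and in the by-object set it is overwritten in turn by `WorkspaceObject.Name`. Give `ResourceId` its own parameter set and make it mandatory there. Also check `[OutputType(typeof(PSSynapseRole))]` against what `SynapseAnalyticsClient.ListRoleScopes()` actually returns, and remove the usings that appear unused in this file (`System`, `System.Linq`, `Microsoft.Azure.Commands.Common.Exceptions`, `Microsoft.Azure.Commands.Synapse.Properties`).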
@@ -1,13 +1,12 @@
using Azure.Analytics.Synapse.AccessControl.Models;
using Microsoft.Azure.Commands.Common.Exceptions;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
using Microsoft.Azure.Commands.Synapse.Common;
using Microsoft.Azure.Commands.Synapse.Models;
using Microsoft.Azure.Commands.Synapse.Properties;
using Microsoft.WindowsAzure.Commands.Utilities.Common;
using System;
using System.Collections.Generic;
using System.Management.Automation;
using System.Text;
using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;

namespace Microsoft.Azure.Commands.Synapse
{
Expand Down Expand Up @@ -97,6 +96,20 @@ public class NewAzureSynapseRoleAssignment : SynapseRoleCmdletBase
[ValidateNotNullOrEmpty]
public string ObjectId { get; set; }

// Compared with Remove-AzSynapseRoleAssignment and Get-AzSynapseRoleAssignment, no need to specify roleAssignment, it is created as
// random uuid. Hence unnecessary to specify the ParameterSetName
[Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
[ValidateNotNullOrEmpty]
public WorkspaceItemType ItemType { get; set; }

[Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
[ValidateNotNullOrEmpty]
public string Item { get; set; }

[Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspacePrincipalType)]
[ValidateNotNullOrEmpty]
public PrincipalType PrincipalType { get; set; }

[Parameter(Mandatory = false, HelpMessage = HelpMessages.AsJob)]
public SwitchParameter AsJob { get; set; }

Expand All @@ -122,9 +135,30 @@ public override void ExecuteCmdlet()
this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
}

string itemType = null;
if (this.IsParameterBound(c => c.ItemType))
{
itemType = this.ItemType.GetItemTypeString();
}

string principalType = null;
if (this.IsParameterBound(c => c.PrincipalType))
{
principalType = this.PrincipalType.GetPrincipalTypeString();
}

if (this.ShouldProcess(this.WorkspaceName, String.Format(Resources.CreatingSynapseRoleAssignment, this.WorkspaceName, this.RoleDefinitionId, this.ObjectId)))
{
PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(this.RoleDefinitionId, this.ObjectId));
// Item type and item should appear Report error if either item type or item is specified.
if ((!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) ||
(this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item)))
{
throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether));
}

string roleAssignmentId = Guid.NewGuid().ToString();
string scope = SynapseAnalyticsClient.GetRoleAssignmentScope(this.WorkspaceName, itemType, this.Item);
PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(roleAssignmentId, this.RoleDefinitionId, this.ObjectId, scope, principalType));
WriteObject(roleAssignmentDetails);
}
}
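Review bot: The `ItemType`/`Item` pairing check sits inside the `ShouldProcess` block, so it runs only after the confirmation prompt and after the `GetObjectIdFromServicePrincipalName` lookup, and `-WhatIf` skips it entirely. Move it to the top of `ExecuteCmdlet` so invalid input fails before anything else happens. The `ShouldProcess` message also still formats only `WorkspaceName`, `RoleDefinitionId` and `ObjectId`, so the prompt does not show the scope at which the role is being granted; compute `scope` before the prompt and include it in the message. Smaller points: `String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether)` takes no arguments, so pass the resource string directly, and the comment "Item type and item should appear Report error if either item type or item is specified." is missing words.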