SQL Auditing: Remove AUDIT_CHANGE_GROUP from available AuditActionGroups #4990
Conversation
Remove AUDIT_CHANGE_GROUP from available AuditActionGroups and update markdown files.
| @@ -18,8 +18,7 @@ public enum AuditActionGroups | |||
| { | |||
| BATCH_STARTED_GROUP, | |||
| BATCH_COMPLETED_GROUP, | |||
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, | |||
| AUDIT_CHANGE_GROUP, | |||
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, | |||
There was a problem hiding this comment.
So, this is a breaking change, right? You will need to deprecate these values, and, if provided by the user, map them into other values. Otherwise, users with scripts that already use these values will be broken.
There was a problem hiding this comment.
@markcowl AUDIT_CHANGE_GROUP was never supported. This action group was mistakenly added, and when provided the backend throws an exception anyway.
There was a problem hiding this comment.
Also, it cannot be mapped to anything, it should just be removed, as it shouldn't have been there in the first place.
There was a problem hiding this comment.
@ranisha2 just to be 100% sure (AUDIT_CHANGE_GROUP value for any parameter that accepts an AuditActionGroup enum, then it would have never worked and always thrown an exception?
There was a problem hiding this comment.
@cormacpayne When enabling a policy with AUDIT_CHANGE_GROUP value, our backend will always throw an exception. The only way to provide this value with no exception to be thrown is when disabling the policy, which does not make any sense as this value does not take effect when the policy is disabled.
There was a problem hiding this comment.
@ranisha2 But could there be a customer script that used this value when disabling a policy? As long as there can be no working script that uses this value, then this change is OK, otherwise, it is a breaking change, and the proper thing is to deprecate the value rather than removing it. If possible, for enable scenarios, the value would be mapped to anohter (default) value, although throwing would be OK, if that is what the service does now.
|
@ranisha2 would you mind updating the Sql change log with a snippet about this change? Something along the lines of |
Update SQL change log
| @@ -18,8 +18,7 @@ public enum AuditActionGroups | |||
| { | |||
| BATCH_STARTED_GROUP, | |||
| BATCH_COMPLETED_GROUP, | |||
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, | |||
| AUDIT_CHANGE_GROUP, | |||
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, | |||
There was a problem hiding this comment.
@ranisha2 But could there be a customer script that used this value when disabling a policy? As long as there can be no working script that uses this value, then this change is OK, otherwise, it is a breaking change, and the proper thing is to deprecate the value rather than removing it. If possible, for enable scenarios, the value would be mapped to anohter (default) value, although throwing would be OK, if that is what the service does now.
|
@markcowl @cormacpayne |
src/ResourceManager/Sql/ChangeLog.md
Outdated
| @@ -19,6 +19,8 @@ | |||
| --> | |||
| ## Current Release | |||
| * Added ability to rename database using Set-AzureRmSqlDatabase | |||
| * Fixed issue https://github.com/Azure/azure-powershell/issues/4974 | |||
| - Removed invalid AUDIT_CHANGED_GROUP value from auditing cmdlets | |||
There was a problem hiding this comment.
@cormacpayne, @markcowl Do I still need to include this?
There was a problem hiding this comment.
@ranisha2 I would change the second line to say "Providing invalid AUDIT_CHANGED_GROUP value for auditing cmdlets no longer throws an error and will be removed in an upcoming release."
| @@ -54,6 +56,15 @@ protected override SqlAuditAdapter InitModelAdapter(IAzureSubscription subscript | |||
| /// <param name="model">The model object with the data to be sent to the REST endpoints</param> | |||
| protected override DatabaseBlobAuditingSettingsModel PersistChanges(DatabaseBlobAuditingSettingsModel model) | |||
| { | |||
| if (Array.IndexOf(model.AuditActionGroup, AuditActionGroups.AUDIT_CHANGE_GROUP) > -1) | |||
There was a problem hiding this comment.
@ranisha2 is model.AuditActionGroup always going to be an initialized array?
There was a problem hiding this comment.
@cormacpayne We perform a GetPolicy request in order to override only the provided parameters.
When not provided, we'll use the saved AuditActionGroup value, which is always initialized.
| @@ -61,6 +64,15 @@ protected override SqlAuditAdapter InitModelAdapter(IAzureSubscription subscript | |||
| /// <param name="baseModel">The model object with the data to be sent to the REST endpoints</param> | |||
| protected override ServerBlobAuditingSettingsModel PersistChanges(ServerBlobAuditingSettingsModel baseModel) | |||
| { | |||
| if (Array.IndexOf(baseModel.AuditActionGroup, AuditActionGroups.AUDIT_CHANGE_GROUP) > -1) | |||
|
second on demand run: https://azuresdkci.westus2.cloudapp.azure.com/view/PowerShell/job/powershell-demand/238/ |
Description
This checklist is used to make sure that common guidelines for a pull request are followed. You can find a more complete discussion of PowerShell cmdlet best practices here.
General Guidelines
Testing Guidelines
Cmdlet Signature Guidelines
ShouldProcessand haveSupportShouldProcess=truespecified in the cmdlet attribute. You can find more information onShouldProcesshere.OutputTypeattribute if any output is produced - if the cmdlet produces no output, it should implement aPassThruparameter.Cmdlet Parameter Guidelines