Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add KeyVaultAccessControlClient for data plane RBAC #13372

Merged
merged 7 commits into from
Sep 1, 2020

Conversation

chlowell
Copy link
Member

Closes #9755.

@chlowell chlowell added KeyVault Client This issue points to a problem in the data-plane of the library. labels Aug 27, 2020
:param str role_definition_id: ID of the role's definition
:param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the
Active Directory. It can point to a user, service principal, or security group.
:rtype: RoleAssignment
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be ~azure.keyvault.administration.RoleAssignment

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sphinx links this correctly, the class is imported in this module.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh interesting, do you know for sure if microsoft docs will?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't. Trial balloon! 🎈

"""Role definition permissions.

:ivar list[str] actions: allowed actions
:ivar list[str] not_actions: denied actions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

side note: not sure if this has already been a design discussion, but I feel like denied_actions sounds better than not_actions

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, that's reasonable. I don't know whether there's been a discussion either, I just copied this from @christothes 😊

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm using denied actions as well.

assert definition.description is not None
assert definition.id is not None
assert definition.name is not None
assert len(definition.permissions)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible for things like permissions, name etc to assert on the value?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not without prior knowledge of the values, or another API that enables checking our deserialization (I don't see a candidate). Nothing's coming to my mind short of hardcoding what appear to be the current defaults; I'm reluctant to do that. Any ideas?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right, i think we can leave it for now (i can't think of anything either)

iscai-msft
iscai-msft previously approved these changes Aug 27, 2020
Copy link
Contributor

@iscai-msft iscai-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

Copy link
Member

@christothes christothes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just left some naming suggestions for consistency

# type: (str, Union[str, UUID], str, str, **Any) -> RoleAssignment
"""Create a role assignment.

:param str role_scope: scope the role assignment will apply over
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the other languages we are using a custom type to provide some context for the valid values that can be passed here ("/", "/keys", "/keys/some specific Key resource Id"). Is there a pythonic way to accomplish the same thing here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's nothing I know of in the standard library quite like .NET's Uri. Typical Python just passes strings around. I think validating the argument with a regex is the best we could do here. I think it's unlikely but not inconceivable we'd do that; for today I'll punt 🏈

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense - perhaps just some hints in the comment text would be enough.

from ._models import KeyVaultPermission, RoleAssignment, RoleDefinition


__all__ = ["ApiVersion", "KeyVaultAccessControlClient", "KeyVaultPermission", "RoleAssignment", "RoleDefinition"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regrading ApiVersion, is this the standard in Python? In JavaScript we are standardizing on serviceVersion.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it's consistent with the Python SDK.

# pylint:disable=protected-access

@distributed_trace
def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're using just name in JavaScript. Should I change it to something like roleAssignmentName? Or perhaps we could change it to name here? I'm tempted to lean towards shorter parameters if possible.

Copy link
Contributor

@iscai-msft iscai-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢

@chlowell chlowell merged commit 6930938 into Azure:master Sep 1, 2020
@chlowell chlowell deleted the rbac branch September 1, 2020 16:09
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Sep 2, 2020
…into link_om_sample

* 'master' of https://github.com/Azure/azure-sdk-for-python: (23 commits)
  Int32 serialization (Azure#13452)
  add output to opinion mining sample (Azure#13494)
  Add Document w/ Eng Sys Checks (Azure#13492)
  update version (Azure#13495)
  Remove resources post test (Azure#13379)
  bing_id -> bing_entity_search_api_id (Azure#13491)
  [EventGrid] Read me + improve docstrings (Azure#13484)
  Build AuthenticationRecords from ADFS identity tokens (Azure#13341)
  Support Subject Name/Issuer authentication (Azure#13350)
  Add KeyVaultAccessControlClient for data plane RBAC (Azure#13372)
  [text analytics] Add redacted_text (Azure#13449)
  add python sdk sample (Azure#13338)
  [text analytics] add versionadded sphinx documentation (Azure#13450)
  [text analytics] add bing_id property to LinkedEntity class (Azure#13446)
  fix typing for paging methods (Azure#13410)
  [text analytics] add domain_filter param (Azure#13451)
  fix issue Azure#11658 for is_valid_resource_id (Azure#11709)
  added create_table_if_not_exists method to table service client (Azure#13385)
  [ServiceBus] Test and failure improvements (Azure#13345)
  Proper encoding and decoding of source URLs - Fixes special characters in source URL issue (Azure#13275)
  ...
rakshith91 pushed a commit to rakshith91/azure-sdk-for-python that referenced this pull request Sep 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Client This issue points to a problem in the data-plane of the library. KeyVault
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support Role-based Access Control (RBAC) for data plane
5 participants