diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst index d46e587af80..3968dbb79b1 100644 --- a/src/aks-preview/HISTORY.rst +++ b/src/aks-preview/HISTORY.rst @@ -11,6 +11,10 @@ To release a new version, please select a new version number (usually plus 1 to Pending +++++++ + +18.0.0b42 ++++++++ +* Fix role assignment failure when using azure-cli version >= `2.77.0`. * Add option `Flatcar` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`. 18.0.0b41 diff --git a/src/aks-preview/azext_aks_preview/_roleassignments.py b/src/aks-preview/azext_aks_preview/_roleassignments.py index e555f501971..ec9161bc457 100644 --- a/src/aks-preview/azext_aks_preview/_roleassignments.py +++ b/src/aks-preview/azext_aks_preview/_roleassignments.py 
@@ -3,103 +3,8 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- -import time -import uuid - -from azure.cli.command_modules.acs._client_factory import ( - get_auth_management_client, +# pylint: disable=unused-import +from azure.cli.command_modules.acs._roleassignments import ( + add_role_assignment, + add_role_assignment_executor, ) -from azure.cli.command_modules.acs._graph import resolve_object_id -from azure.cli.command_modules.acs._roleassignments import build_role_scope, resolve_role_id -from azure.cli.core.azclierror import AzCLIError -from azure.cli.core.profiles import ResourceType, get_sdk -from azure.core.exceptions import HttpResponseError, ResourceExistsError -from knack.log import get_logger - -logger = get_logger(__name__) - -# pylint: disable=protected-access - - -# temp workaround for the breaking change caused by default API version bump of the auth SDK -def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None): - return _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal, delay, scope) - - -# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0 -def _add_role_assignment_executor_new(cmd, role, assignee, resource_group_name=None, scope=None, resolve_assignee=True): - factory = get_auth_management_client(cmd.cli_ctx, scope) - assignments_client = factory.role_assignments - definitions_client = factory.role_definitions - - # FIXME: is this necessary? 
- if assignments_client._config is None: - raise AzCLIError("Assignments client config is undefined.") - - scope = build_role_scope(resource_group_name, scope, assignments_client._config.subscription_id) - - # XXX: if role is uuid, this function's output cannot be used as role assignment defintion id - # ref: https://github.com/Azure/azure-cli/issues/2458 - role_id = resolve_role_id(role, scope, definitions_client) - - # If the cluster has service principal resolve the service principal client id to get the object id, - # if not use MSI object id. - object_id = resolve_object_id(cmd.cli_ctx, assignee) if resolve_assignee else assignee - - assignment_name = uuid.uuid4() - custom_headers = None - - RoleAssignmentCreateParameters = get_sdk( - cmd.cli_ctx, - ResourceType.MGMT_AUTHORIZATION, - "RoleAssignmentCreateParameters", - mod="models", - operation_group="role_assignments", - ) - if cmd.supported_api_version(min_api="2018-01-01-preview", resource_type=ResourceType.MGMT_AUTHORIZATION): - parameters = RoleAssignmentCreateParameters(role_definition_id=role_id, principal_id=object_id, - principal_type=None) - return assignments_client.create(scope, assignment_name, parameters, headers=custom_headers) - - # for backward compatibility - RoleAssignmentProperties = get_sdk( - cmd.cli_ctx, - ResourceType.MGMT_AUTHORIZATION, - "RoleAssignmentProperties", - mod="models", - operation_group="role_assignments", - ) - properties = RoleAssignmentProperties(role_definition_id=role_id, principal_id=object_id) - return assignments_client.create(scope, assignment_name, properties, headers=custom_headers) - - -# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0 -def _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None): - # AAD can have delays in propagating data, so sleep and retry - hook = cmd.cli_ctx.get_progress_controller(True) - hook.add(message="Waiting for AAD 
role to propagate", value=0, total_val=1.0) - logger.info("Waiting for AAD role to propagate") - for x in range(0, 10): - hook.add(message="Waiting for AAD role to propagate", value=0.1 * x, total_val=1.0) - try: - # TODO: break this out into a shared utility library - _add_role_assignment_executor_new( - cmd, - role, - service_principal_msi_id, - scope=scope, - resolve_assignee=is_service_principal, - ) - break - except HttpResponseError as ex: - if isinstance(ex, ResourceExistsError) or "The role assignment already exists." in ex.message: - break - logger.info(ex.message) - except Exception as ex: # pylint: disable=broad-except - logger.error(str(ex)) - time.sleep(delay + delay * x) - else: - return False - hook.add(message="AAD role propagation done", value=1.0, total_val=1.0) - logger.info("AAD role propagation done") - return True diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py index 6d2b9875b35..48e2672709d 100644 --- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py @@ -73,7 +73,7 @@ ) from azext_aks_preview._roleassignments import ( add_role_assignment, - _add_role_assignment_executor_new + add_role_assignment_executor ) from azext_aks_preview.agentpool_decorator import ( AKSPreviewAgentPoolAddDecorator, @@ -212,7 +212,7 @@ def external_functions(self) -> SimpleNamespace: ] = ensure_azure_monitor_profile_prerequisites # temp workaround for the breaking change caused by default API version bump of the auth SDK external_functions["add_role_assignment"] = add_role_assignment - external_functions["_add_role_assignment_executor_new"] = _add_role_assignment_executor_new + external_functions["add_role_assignment_executor"] = add_role_assignment_executor # azure container storage functions external_functions[ "perform_enable_azure_container_storage_v1" 
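Review bot: The new import block in `_roleassignments.py` makes the extension depend on azure-cli core exporting `add_role_assignment_executor` from `azure.cli.command_modules.acs._roleassignments`, and nothing visible in this diff raises the extension's minimum core version to match; the removed TODO tied this switch to a dependency bump. If a core version the extension still supports lacks that name, the import would fail when the extension loads, so the minimum-version metadata (not shown here) should be checked. The principal, role and scope resolution for every role assignment now follows whatever core version is installed, which is worth stating in a one-line module comment. The bare `# pylint: disable=unused-import` line also turns the check off for the rest of the module; an explicit `__all__ = ["add_role_assignment", "add_role_assignment_executor"]` would mark these names as deliberate re-exports and keep the lint active.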
@@ -4227,7 +4227,7 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None: except Exception as e: # pylint: disable=broad-except logger.warning("Could not get signed in user: %s", str(e)) else: - self.context.external_functions._add_role_assignment_executor_new( # type: ignore # pylint: disable=protected-access + self.context.external_functions.add_role_assignment_executor( # type: ignore # pylint: disable=protected-access self.cmd, "Azure Kubernetes Service RBAC Cluster Admin", user["id"], diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index 242af1fbaf4..8139b2cb340 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py @@ -9,7 +9,7 @@ from setuptools import find_packages, setup -VERSION = "18.0.0b41" +VERSION = "18.0.0b42" CLASSIFIERS = [ "Development Status :: 4 - Beta",
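Review bot: The `# pylint: disable=protected-access` on the renamed call in `postprocessing_after_mc_created` looks stale, since `add_role_assignment_executor` no longer begins with an underscore and that was the only protected member in the expression; the trailing comment can be reduced to `# type: ignore`. This call grants "Azure Kubernetes Service RBAC Cluster Admin" to the signed-in user, so a short comment such as `# delegates to azure-cli core's add_role_assignment_executor (single attempt, no retry loop)` would help a reader of this privileged path, provided the core helper really does behave like the removed local one, which this diff does not show. The enclosing try/except starts and the call's argument list ends outside the hunk, so how a failed assignment is handled cannot be seen here.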