[Synapse] Add customer-managed key related cmdlets #16224
Existing CI errors are not caused by the code change from this PR.
| def create_workspace(cmd, client, resource_group_name, workspace_name, storage_account, file_system, | ||
| sql_admin_login_user, sql_admin_login_password, location, enable_managed_virtual_network=None, | ||
| sql_admin_login_user, sql_admin_login_password, location, key_name="default", key_identifier=None, enable_managed_virtual_network=None, |
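Review bot: in the new create_workspace signature key_name defaults to "default" while key_identifier defaults to None, so a caller who passes only --key-identifier silently gets a workspace key named "default"; the help text and the function docstring should state that key_name is the display name of the key in the Synapse workspace, not the Key Vault name, and that it is only meaningful together with key_identifier.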
Just curious here:
As you know, the key identifier contains the key name. If the customer only provides the key_identifier, and the key name in the key identifier is not "default", what will happen?
The key name is the display name in the Synapse workspace, different from the name of the key vault.
The key name is the display name in the Synapse workspace, different from the name of the key vault.
But the parameter is --key-name; maybe the customer will think it is the key vault name. Do you think it is a little confusing?
@idear1203 How do you like it?
I suggest changing the parameter name and giving a clear description.
I think the current name --key-name is fine. It is different from --key-vault-name.
Could you please also update the related test cases?
| c.argument('sql_admin_login_password', options_list=['--sql-admin-login-password', '-p'], | ||
| help='The sql administrator login password.') | ||
| c.argument('tags', arg_type=tags_type) | ||
| c.argument('key_name', help='The workspace key name.') |
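Review bot: the help string 'The workspace key name.' does not tell the reader that this is a display name inside the Synapse workspace rather than the Key Vault name, and the two are easy to confuse because the identifier also carries a key name; suggest something like 'The display name of the key in the Synapse workspace (not the Key Vault name).'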
The workspace key name.
Shall we give more concrete description to make it clear that it is the workspace display key name instead of the name of key vault?
@jsntcy Could you please help to review this PR? Thanks.
| identity = ManagedIdentity(type=identity_type) | ||
| account_url = "https://{}.dfs.{}".format(storage_account, cmd.cli_ctx.cloud.suffixes.storage_endpoint) | ||
| default_data_lake_storage = DataLakeStorageAccountDetails(account_url=account_url, filesystem=file_system) | ||
| if str(key_identifier).endswith('/'): |
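Review bot: `if str(key_identifier).endswith('/')` coerces None to the string 'None' before the check, which hides the unset case rather than handling it; either guard it explicitly (`if key_identifier and key_identifier.endswith('/'):`) or drop the trailing-slash normalization altogether and let the service validate the identifier it receives.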
key_identifier
If key_identifier is None, will the logic here fail or not?
str(None).endswith('/') will return False.
I think it can be removed. Do you think so?
Agreed, remove the check logic. It does not seem necessary. The server side should determine whether to accept a backslash.
| encryption = EncryptionDetails(cmk=CustomerManagedKeyDetails(key=workspace_key_detail)) | ||
| managed_virtual_network_settings = None | ||
| if enable_managed_virtual_network: | ||
| managed_virtual_network_settings = ManagedVirtualNetworkSettings(preventDataExfiltration=True, allowed_aad_tenant_ids_for_linking=allowed_aad_tenant_ids) |
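Review bot: `preventDataExfiltration=True` is hard-coded, so enabling the managed virtual network always turns on exfiltration protection with no way for the caller to choose the value the portal exposes; add an explicit parameter and pass it through. The keyword is also camelCase while the neighbouring `allowed_aad_tenant_ids_for_linking` is snake_case, so confirm the SDK model's real attribute name, since a mis-cased keyword could be silently ignored or rejected by the model constructor.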
preventDataExfiltration=True
I remember from the portal that this property can be False.
Will add a parameter to indicate whether to enable data exfiltration.
Is --enable_data_exfiltration fine?
| def update_workspace(cmd, client, resource_group_name, workspace_name, sql_admin_login_password=None, | ||
| tags=None, no_wait=False): | ||
| workspace_patch_info = WorkspacePatchInfo(tags=tags, sql_admin_login_password=sql_admin_login_password) | ||
| allowed_aad_tenant_ids=None, disable_all_allowed_aad_tenant_ids=None, tags=None, key_name=None, key_identifier=None, no_wait=False): |
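Review bot: allowed_aad_tenant_ids and disable_all_allowed_aad_tenant_ids encode a single setting in two parameters, which lets a caller pass both at once with no stated precedence; if the argument is registered with nargs='*', an empty list already expresses "clear the allow-list", so the second flag can go, and if both are kept the function should reject the combination explicitly. The signature should also state whether key_name and key_identifier must be supplied together on update.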
allowed_aad_tenant_ids=None, disable_all_allowed_aad_tenant_ids=None,
Is it possible to combine these two parameters? For example, is it possible for users to pass an empty list (vs. a None value) to the CLI?
allowed_aad_tenant_ids is a List type defined in the CLI, so it can't be empty when the user adds it as a parameter.
Can we design it like "az synapse workspace update --allowed_aad_tenant_ids None"? If the allowed_aad_tenant_ids list contains "None", it will disable all tenant IDs.
if allowed_aad_tenant_ids is not None and "None" in allowed_aad_tenant_ids:
    allowed_aad_tenant_ids = []
@jsntcy, could you please provide some insights on this? What are the general guidelines for users to update a list to None or empty?
I think you should use another command to clear the list, for example az synapse workspace disable_allowed_aad_tenant_ids.
Found a similar cmdlet:
With nargs='*' instead of nargs='+', the user can pass an empty list.
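The nargs='*' behaviour referred to above, as an added example that is not code from this PR or from azure-cli: a stand-alone argparse parser shows how a `--allowed-aad-tenant-ids` option registered with nargs='*' lets a caller express three distinct states (flag absent: leave the setting alone; flag with no values: clear the allow-list; flag with values: set it), which nargs='+' cannot, and validates each value as a tenant GUID before it would be sent to the service. The parser, the function names, the GUID regex and the patch-body shape are assumptions for illustration, not the CLI's own code.

```python
import argparse
import re
from typing import List, Optional, Tuple

# Assumed pattern for an Azure AD tenant ID (a GUID); illustration only.
TENANT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class _StrictParser(argparse.ArgumentParser):
    """ArgumentParser that raises instead of printing usage and exiting."""

    def error(self, message: str) -> None:
        raise ValueError(message)


def build_parser(nargs: str) -> argparse.ArgumentParser:
    """Build a parser whose --allowed-aad-tenant-ids uses the given nargs ('*' or '+')."""
    parser = _StrictParser(prog="az synapse workspace update", add_help=False)
    parser.add_argument("--allowed-aad-tenant-ids", dest="allowed_aad_tenant_ids",
                        nargs=nargs, default=None)
    return parser


def parse_tenants(argv: List[str], nargs: str) -> Tuple[str, object]:
    """Return ('ok', value) or ('error', message) so the effect of nargs is visible."""
    try:
        ns = build_parser(nargs).parse_args(argv)
    except ValueError as exc:
        return ("error", str(exc))
    return ("ok", ns.allowed_aad_tenant_ids)


def is_tenant_id(value: str) -> bool:
    """True when value looks like a tenant GUID."""
    return TENANT_ID_RE.match(value) is not None


def resolve_allowed_tenants(argv: List[str]) -> Optional[List[str]]:
    """Parse argv with nargs='*' and return None (unchanged), [] (clear), or the validated list.

    Raises ValueError on a malformed tenant ID so a bad allow-list never reaches the service.
    """
    status, tenants = parse_tenants(argv, "*")
    if status != "ok":
        raise ValueError(tenants)
    if tenants is None:          # flag absent: do not touch the server-side setting
        return None
    for tenant in tenants:
        if not is_tenant_id(tenant):
            raise ValueError(f"'{tenant}' is not a tenant GUID")
    return tenants               # [] means "clear all allowed tenants"


def build_patch(tenants: Optional[List[str]]) -> dict:
    """Map the parsed value onto an assumed PATCH body: omit the key when unchanged."""
    patch = {}
    if tenants is not None:
        patch["allowed_aad_tenant_ids_for_linking"] = tenants
    return patch


if __name__ == "__main__":
    sample = "11111111-2222-3333-4444-555555555555"   # constructed sample tenant ID
    print(parse_tenants(["--allowed-aad-tenant-ids"], "+"))
    print(parse_tenants(["--allowed-aad-tenant-ids"], "*"))
    print(build_patch(resolve_allowed_tenants(["--allowed-aad-tenant-ids", sample])))
```

With nargs='+' a bare `--allowed-aad-tenant-ids` is a parse error, so a separate "disable all" flag is the only way to clear the list; with nargs='*' the same invocation yields `[]`, and `None` is reserved for "option not given", so one argument covers all three cases without a sentinel string such as "None" in the list.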
| g.custom_command('list', 'list_workspaces') | ||
| g.custom_command('create', 'create_workspace', supports_no_wait=True) | ||
| g.custom_command('activate', 'activate_workspace', client_factory=cf_synapse_client_cmk_factory, supports_no_wait=True) | ||
| g.custom_command('update', 'update_workspace', supports_no_wait=True) |
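Review bot: 'activate' in the workspace group is the only command here wired to cf_synapse_client_cmk_factory, and its name does not say what is being activated; either make the help text state that it activates the workspace's customer-managed key, or register it under the workspace key group where that context is explicit and the separate client factory is expected.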
For what purpose did you make it a separate command rather than integrating it into az synapse workspace update?
az synapse workspace update uses the Workspaces_Update SDK.
az synapse workspace activate uses the Workspaces_CreateOrUpdate SDK.
I think there must be some reason that you use a different SDK update method. Could you please share more details?
Sorry, I didn't describe it clearly.
activate_workspace uses the SDK defined in Key.json (CreateOrUpdate):
g.custom_command('activate', 'activate_workspace', client_factory=cf_synapse_client_cmk_factory, supports_no_wait=True)
update_workspace uses the SDK defined in workspace.json (Update).
That means these two cmdlets will use different clients to send requests. We can put activate_workspace's logic into az synapse workspace key update, but I don't think it would be clearer. How did you design it in PowerShell?
Will move it to az synapse workspace key update according to offline discussion.
Hi @jsntcy, please help to merge this PR if that looks good to you. Thanks a lot.
Hi @Juliehzl, please help to merge this PR if that looks good to you. Thanks a lot.
Description
Add some new commands to manage the customer-managed key under a Synapse workspace.
Testing Guide
az synapse workspace create -h
az synapse workspace key -h
az synapse workspace managed-identity -h
History Notes
[Synapse] az synapse workspace create: Add key-identifier parameter to support creating a workspace using a customer-managed key.
[Synapse] az synapse workspace key: Add CRUD cmdlets to support managing keys under a specified Synapse workspace.
[Synapse] az synapse workspace managed-identity: Add cmdlets to support CRUD of the managed identity SQL access setting.
[Synapse] az synapse workspace: Add data exfiltration protection support and add the allowed_aad_tenant_ids parameter.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description have followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.