[Synapse] Update role assignment/definition related cmdlets #17476
Conversation
sunsw1994
changed the title
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
Synapse |
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Outdated
Show resolved
Hide resolved
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Show resolved
Hide resolved
| # workspaces/{workspaceName}/bigDataPools/{bigDataPoolName} | ||
| scope = "workspaces/" + workspace_name + "/" + item_type + "/" + item | ||
| else: | ||
| scope = "workspaces/" + workspace_name |
There was a problem hiding this comment.
I just want to mention that these two may be not equal from my memory: 1.scope = "workspaces/" + workspace_name 2. scope = null
There was a problem hiding this comment.
Hi @zesluo As far as my understand, the default scope is workspaces/{workspace_name}, we can discuss and confirm with @idear1203 .
Thanks for throwing it out.
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Show resolved
Hide resolved
|
Hi @jsntcy Could you help to review and merge this PR for Synapse RBAC commands. Thanks a lot. |
| - name: Create a role assignment using service principal name. | ||
| text: |- | ||
| az synapse role assignment create --workspace-name testsynapseworkspace \\ | ||
| --role "Sql Admin" --assignee sp_name |
There was a problem hiding this comment.
does Sql Admin still work?
There was a problem hiding this comment.
No, now Synapse is using new role name.
Synapse SQL Administrator
Synapse Apache Spark Administrator
...
There was a problem hiding this comment.
In this way, it is breaking change to existing customers and we should try to avoid such breaking.
To not break customers, you should try to make previous definition work and add deprecation info to redirect to new definition.
There was a problem hiding this comment.
Can we just allow this breaking change considering that the module is still in preview? Now Synapse moves to new names, we don't want to allow the old names.
There was a problem hiding this comment.
Adding breaking change description at History Notes
[Synapse] BREAKING CHANGE: az synapse role assignment create: Role names at old version are not allowed, Sql Admin, Apache Spark Admin, Workspace Admin
There was a problem hiding this comment.
I see. According to the telemetry, there is no much usage for this command as it is in preview. So we could accept the breaking change this time. Please note that we need to avoid breaking change as possible as we can in future design.
| class PrincipalType(str, Enum): | ||
| user = "User" | ||
| group = "Group" | ||
| service_principal = "ServicePrincipal" | ||
|
|
||
|
|
||
| class ItemType(str, Enum): | ||
| bigDataPools = "bigDataPools" | ||
| scopePools = "scopePools" | ||
| integrationRuntimes = "integrationRuntimes" | ||
| credentials = "credentials" | ||
| linkedServices = "linkedServices" |
There was a problem hiding this comment.
@Juliehzl I think this not belong to SDK's scope, we define these item type for CLI using friendly. User can pass item type and CLI code will use this parameter to generate scope which is defined in SDK and received by service.
PrincipalType and ItemType 's purpose is only to limit the user's input
@idear1203 Do we have a plan to move it to SDK?
There was a problem hiding this comment.
Currently we don't have such definitions in SDK. This is a good suggestion.
| def list_role_assignments(cmd, workspace_name, role=None, assignee=None, assignee_object_id=None, | ||
| scope=None, item=None, item_type=None): | ||
| if bool(assignee) and bool(assignee_object_id): | ||
| raise CLIError('usage error: --assignee STRING | --assignee-object-id GUID') |
There was a problem hiding this comment.
Consider the following error type
azure-cli/src/azure-cli-core/azure/cli/core/azclierror.py
Lines 152 to 154 in 3bff786
azure-cli/src/azure-cli-core/azure/cli/core/azclierror.py
Lines 157 to 161 in 3bff786
| if bool(assignee) and bool(assignee_object_id): | ||
| raise CLIError('usage error: --assignee STRING | --assignee-object-id GUID') | ||
|
|
||
| if bool(item) != bool(item_type): |
| g.custom_show_command('show', 'get_role_definition') | ||
|
|
||
| with self.command_group('synapse role scope', synapse_role_definitions_sdk, | ||
| custom_command_type=get_custom_sdk('accesscontrol', None)) as g: |
There was a problem hiding this comment.
You could declare your client factory here and don't need to define in every fuction.
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Outdated
Show resolved
Hide resolved
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Outdated
Show resolved
Hide resolved
src/azure-cli/azure/cli/command_modules/synapse/operations/accesscontrol.py
Outdated
Show resolved
Hide resolved
…ue to server side issue.
| "If the assignee is a principal id, make sure the corresponding principal is created " | ||
| "with 'az ad sp create --id {assignee}'.".format(assignee=assignee)) | ||
|
|
||
| if len(result) > 1: |
There was a problem hiding this comment.
Add breaking change description at History Notes:
[Synapse] BREAKING CHANGE: az synapse role assignment create: When --assignee can't uniquely determine the principal object, the command will raise error instead of adding a role assignment for the uncertain principal object.
|
@evelyn-ys @Juliehzl Thanks for your comments, these are helpful! I have fixed them and updated history notes with known breaking change information, could you help to review it and merge this PR. Hope we can catch up the latest release. Thanks a lot! |
7 participants
Description
Update 'az synapse role' commands to support new role base access control feature.
Testing Guide
az synapse role scope -h
az synapse role assignment -h
az synapse role definition -h
History Notes
[Synapse] az synapse role scope list: List all scopes synapse supports.
[Synapse] az synapse role assignment create/list/delete: Adding --scope/--item-type/--item arguments to support manage role assignments based on scope.
[Synapse] az synapse role assignment create/list/delete: Adding --assignee-object-id argument, it will bypass Graph API and uniquely determine principal object instead of deducing principal object using --assignee argument.
[Synapse] BREAKING CHANGE: az synapse role assignment create: Role names at old version are not allowed, Sql Admin, Apache Spark Admin, Workspace Admin
[Synapse] BREAKING CHANGE: az synapse role assignment create: When --assignee argument can't uniquely determine the principal object, the command will raise error instead of adding a role assignment for the uncertain principal object.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.