Skip to content

[Role] az role assignment create: Do not invoke Graph API if --assignee-principal-type is provided #19219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiasli merged 1 commit into from
Aug 27, 2021
Merged

[Role] az role assignment create: Do not invoke Graph API if --assignee-principal-type is provided #19219

jiasli merged 1 commit into from
Aug 27, 2021

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Aug 13, 2021
edited
Loading

Fix #19217, Refine #17669

Symptom

--assignee-principal-type is not honored if AD Graph query for --assignee-object-id succeeds. See

for more details.

Change

Do not invoke Graph API if --assignee-principal-type is provided.

As --assignee-object-id is initially designed to bypass Graph call, we recommend the user to provide --assignee-principal-type to avoid Graph call. Otherwise if --assignee-principal-type is not provided, CLI will try best to query Graph API to auto-complete --assignee-principal-type.

Testing Guide

Create a service principal that doesn't have permission to query Graph API. Then log in with that service principal.

Specify Object ID as --assignee:

> az role assignment create --role reader --assignee 93b331d4-7f18-467e-baab-9aa6475c52eb
WARNING: Failed to query principal type for 93b331d4-7f18-467e-baab-9aa6475c52eb by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type.
WARNING: Assuming 93b331d4-7f18-467e-baab-9aa6475c52eb as an object ID.

Specify Object ID as --assignee-object-id:

> az role assignment create --role reader --assignee-object-id 93b331d4-7f18-467e-baab-9aa6475c52eb
WARNING: RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
WARNING: Failed to query --assignee-principal-type for --assignee-object-id 93b331d4-7f18-467e-baab-9aa6475c52eb by invoking Graph API.

Specify Object ID as --assignee-object-id and --assignee-principal-type:

> az role assignment create --role reader --assignee-object-id 93b331d4-7f18-467e-baab-9aa6475c52eb --assignee-principal-type ForeignGroup
<No warnings>

@jiasli jiasli requested a review from evelyn-ys as a code owner August 13, 2021 07:10
jiasli
jiasli commented Aug 13, 2021
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py

if assignee_principal_type and not assignee_object_id:
raise CLIError('usage error: --assignee-object-id GUID [--assignee-principal-type]')
raise CLIError('usage error: --assignee-object-id GUID --assignee-principal-type TYPE')
Copy link
Member Author

@jiasli jiasli Aug 13, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As --assignee-object-id is initially designed to bypass Graph call, we encourage the user to use --assignee-object-id along with --assignee-principal-type. Specifying --assignee-object-id without --assignee-principal-type is only for backward compatibility.

jiasli
jiasli commented Aug 13, 2021
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py
Comment on lines +168 to +170
# Try best to get principal type
logger.warning('RBAC service might reject creating role assignment without --assignee-principal-type '
'in the future. Better to specify --assignee-principal-type manually.')
Copy link
Member Author

@jiasli jiasli Aug 13, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Encourage the user to specify --assignee-principal-type.

@yonzhan yonzhan added this to the Aug 2021 (2021-09-07) milestone Aug 13, 2021
@yonzhan
Copy link
Collaborator

yonzhan commented Aug 13, 2021

Role

jiasli
jiasli commented Aug 27, 2021
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py
Comment on lines +1816 to +1818
logger.warning('Failed to query %s by invoking Graph API. '
'If you don\'t have permission to query Graph API, please '
'specify --assignee-object-id and --assignee-principal-type.', assignee)
Copy link
Member Author

@jiasli jiasli Aug 27, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though --assignee accepts object ID, we want to avoid such usage by encouraging --assignee-object-id and --assignee-principal-type.

@jiasli jiasli merged commit 3c34079 into Azure:dev Aug 27, 2021
@jiasli jiasli deleted the principal-type branch August 27, 2021 09:14
@jiasli jiasli mentioned this pull request Nov 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evelyn-ys evelyn-ys evelyn-ys approved these changes

Assignees

@jiasli jiasli

Labels

None yet

Projects

None yet

Milestone

Aug 2021 (2021-09-07)

Development

Successfully merging this pull request may close these issues.

--assignee-principal-type is not honored if Graph query for --assignee-object-id succeeds

3 participants

@jiasli @yonzhan @evelyn-ys