Conversation

@jiasli
Member

@jiasli jiasli commented Jan 13, 2022

Description
A temporary warning for #20806

For az ad sp create-for-rbac, when --role is given, --scope defaults to the subscription:

> az ad sp create-for-rbac --role Reader
...
Creating 'Reader' role assignment under scope '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590'
...
{
  "appId": "9eb7e5f0-7a0b-4601-9d72-3f438fcace9f",
  "displayName": "azure-cli-2021-12-22-08-39-11",
  "password": "",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

Without explicit consent from the user on the --scope, this behavior is considered Elevation of Privilege.

This PR adds a warning when --role is specified but --scopes is not:

> az ad sp create-for-rbac --role contributor
In a future release, --scopes argument will become required for creating a role asssignment. Please explicitly specify --scopes.
Creating 'contributor' role assignment under scope '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590'
...
{
  "appId": "c337fa52-41d4-4234-8cf3-ac37b83f72c6",
  "displayName": "azure-cli-2022-01-13-06-17-22",
  "password": "",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

@jiasli
Member Author

jiasli commented Jan 13, 2022

Removing the default value of --scopes will unify the behavior of az ad sp create-for-rbac and az vm/vmss create. az vm/vmss create currently does the opposite: it requires --scope but defaults --role to Contributor.

Comment on lines +1410 to +1412
if role and not scopes:
    logger.warning(SCOPE_WARNING)
    scopes = ['/subscriptions/' + role_client.config.subscription_id]
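Review bot: the condition `if role and not scopes:` only handles --role without --scopes; the mirror case, --scopes passed without --role, falls through this block silently and the user's --scopes value is dropped with no message (the gap @zhoxing-ms raises later in the thread). Consider an `elif scopes and not role:` branch that logs a second warning here, so the user learns that no role assignment was created on the scope they named.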
Member Author

@jiasli jiasli Jan 14, 2022

Unlike #20924, the default value assignment is done in our own custom function, instead of letting knack assign the default value and set is_default.

@zhoxing-ms
Contributor

Just out of curiosity, let me ask another related question:

If users do not pass in --role but only the --scopes, the --scopes will be ignored directly without any prompt, right?
If so, does this meet expectations?

@dbradish-microsoft
Contributor

@yonzhan / @chasewilson, why do we have hidden defaults anywhere? Can't we handle all defaults with a set-default command like az param-persist or az account set? We just modified 126 articles removing dependence on the default contributor role, but we did not add a --scope parameter. If --scope is going to continue to default, I feel the warning is a good idea.

I do like @zhoxing-ms's question and would like to put in my vote for a 2nd warning message. Although it doesn't seem logical to --scope a role that isn't being created, it's bound to be attempted.

@jiasli
Member Author

jiasli commented Jan 17, 2022

Just out of curiosity, let me ask another related question:

If users do not pass in --role but only the --scopes, the --scopes will be ignored directly without any prompt, right? If so, does this meet expectations?

In the future, this usage will trigger an error.
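As an added illustration of the argument rules discussed in this thread (the PR description's --role-without---scopes fallback, and the --scopes-without---role case raised above), here is a stand-alone Python sketch that is not azure-cli's own code. `resolve_scopes`, `ArgumentUsageError`, `ROLE_WARNING` and the `strict` switch are hypothetical names; `subscription_id` is assumed to be a bare subscription GUID.

```python
import logging

logger = logging.getLogger(__name__)

# Modelled on the warning text this PR adds for --role without --scopes.
SCOPE_WARNING = ("In a future release, --scopes argument will become required for "
                 "creating a role assignment. Please explicitly specify --scopes.")
# Hypothetical second warning for --scopes without --role (proposed in the thread).
ROLE_WARNING = ("--scopes was specified but --role was not; --scopes is ignored and "
                "no role assignment is created.")


class ArgumentUsageError(ValueError):
    """Hypothetical usage error for argument combinations that are rejected."""


def resolve_scopes(role, scopes, subscription_id, strict=False):
    """Return (scopes, warnings) for a create-for-rbac style invocation.

    strict=False models what this PR ships: --role without --scopes warns and
    falls back to the whole subscription; --scopes without --role warns and is
    ignored. strict=True models the announced future behaviour: both cases are
    errors, so an assignment is never created on a scope the caller did not name.
    """
    emitted = []
    if scopes and not role:
        if strict:
            raise ArgumentUsageError(ROLE_WARNING)
        logger.warning(ROLE_WARNING)
        emitted.append(ROLE_WARNING)
        return None, emitted          # nothing to assign; --scopes dropped
    if not role:
        return None, emitted          # plain service principal, no assignment
    if not scopes:
        if strict:
            raise ArgumentUsageError("--scopes is required when --role is specified.")
        logger.warning(SCOPE_WARNING)
        emitted.append(SCOPE_WARNING)
        # The hidden default the thread objects to: the entire subscription.
        scopes = ['/subscriptions/' + subscription_id]
    return list(scopes), emitted
```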

6 participants