Skip to content

[Role] az role assignment list/delete: Add --assignee-object-id #30469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiasli merged 1 commit into from
Apr 9, 2025
Merged

[Role] az role assignment list/delete: Add --assignee-object-id #30469

jiasli merged 1 commit into from
Apr 9, 2025

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Dec 5, 2024
edited
Loading

Related command
az role assignment list
az role assignment delete

Description
Close #30436
Fix #20349, #30428, #30672

With more encouragement on managed identity and more strict permission/access control, supporting --assignee-object-id to bypass Graph query is a necessary feature for role assignment’s management experience.

Similar to #5273 which added --assignee-object-id to az role assignment create to bypass Graph query, this PR adds --assignee-object-id to az role assignment list/delete.

Testing Guide

az role assignment list --assignee
az role assignment list --assignee-object-id
az role assignment delete --assignee
az role assignment delete --assignee-object-id

History Notes

[Role] az role assignment list/delete: Add --assignee-object-id argument. Use this argument instead of --assignee to bypass Microsoft Graph query

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Dec 5, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Dec 5, 2024
edited
Loading

⚠️AzureCLI-BreakingChangeTest
⚠️role
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd role assignment delete cmd role assignment delete added parameter assignee_object_id
⚠️ 1006 - ParaAdd role assignment list cmd role assignment list added parameter assignee_object_id

@yonzhan
Copy link
Collaborator

yonzhan commented Dec 5, 2024

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Dec 5, 2024

⚠️Your changes in this PR will be released on Jan 14, 2025 due to CCOA (extend to Jan 6, 2025)

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Dec 5, 2024
@jiasli
Copy link
Member Author

jiasli commented Dec 5, 2024

In az role assignment list, --assignee is also used to back fill classic administrators:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 244 to 245 in 1d63a5f

if include_classic_administrators:
results += _backfill_assignments_for_co_admins(cmd.cli_ctx, authorization_client, assignee)

Classic administrator support should be dropped: #29470

@jiasli
Copy link
Member Author

jiasli commented Dec 5, 2024
edited
Loading

In az role assignment list, even if --assignee-object-id is provided, this command still queries Graph for the assignee information:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 268 to 270 in 464a79c

if principal_ids:
try:
principals = _get_object_stubs(graph_client, principal_ids)

I feel this behavior should be skipped if --assignee-object-id is provided, or we can introduce another argument such as --no-graph-query.

Update: #30693 added --fill-principal-name to bypass Graph query.

@jiasli jiasli mentioned this pull request Jan 22, 2025
Merged
@jiasli jiasli force-pushed the assignee_object_id branch from 1d63a5f to 0088515 Compare March 27, 2025 06:33
jiasli
jiasli commented Mar 27, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py
Comment on lines +243 to +246
if assignee_object_id and include_classic_administrators:
raise CLIError('Usage error: --assignee-object-id cannot be used with --include-classic-administrators. '
'Use --assignee instead.')
Copy link
Member Author

@jiasli jiasli Mar 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Classic admin assignments use email_address (UPN), instead of principal ID:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Line 479 in 7fbe2fe

co_admins = [x for x in co_admins if assignee == x.email_address.lower()]

When --assignee-object-id is provided, it is necessary to convert object ID to UPN:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 471 to 478 in 7fbe2fe

if is_guid(assignee):
try:
result = _get_object_stubs(graph_client, [assignee])
if not result:
return []
assignee = _get_displayable_name(result[0]).lower()
except ValueError:
pass

This will trigger Graph call which is against the initial purpose.

Moreover, as --include-classic-administrator will be removed soon (#29470). Updating the legacy code is worthless.

@jiasli jiasli reopened this Mar 28, 2025
@jiasli jiasli changed the title [Role] az role assignment list/delete: Support --assignee-object-id [Role] az role assignment list/delete: Add --assignee-object-id to bypass Graph query Mar 28, 2025
jiasli
jiasli commented Mar 31, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py
Comment on lines -239 to -242
'''
:param include_groups: include extra assignments to the groups of which the user is a
member(transitively).
'''
Copy link
Member Author

@jiasli jiasli Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

include_groups should be declared in _params.py, not here. #602 (comment)

@jiasli jiasli changed the title [Role] az role assignment list/delete: Add --assignee-object-id to bypass Graph query [Role] az role assignment list/delete: Add --assignee-object-id Apr 3, 2025
@jiasli jiasli mentioned this pull request Apr 3, 2025
Merged
jiasli
jiasli commented Apr 3, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py
self.not_exists("[0].principalName")
])
# Manually verify the recording file that no HTTP request to https://graph.microsoft.com is made
self.cmd('role assignment delete --scope {rg_id} --assignee-object-id {uami_object_id}')
Copy link
Member Author

@jiasli jiasli Apr 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

az role assignment delete doesn't support --all, so it can only query role assignments via

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 582 to 586 in d4147a7

if scope:
f = 'atScope()' # atScope() excludes role assignments at subscopes
if assignee_object_id and include_groups:
f = f + " and assignedTo('{}')".format(assignee_object_id)
assignments = list(assignments_client.list_for_scope(scope=scope, filter=f))

This still makes the recording big. #31179 will solve this.

jiasli
jiasli commented Apr 3, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py
Comment on lines +728 to +729
self.cmd('role assignment list --all --assignee-object-id {uami_object_id} '
'--fill-role-definition-name false --fill-principal-name false',
Copy link
Member Author

@jiasli jiasli Apr 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using --all --assignee-object-id reduces az role assignment list's recording file size (#31152 (comment)).

@jiasli jiasli marked this pull request as ready for review April 3, 2025 08:43
@jiasli jiasli requested review from bebound and evelyn-ys as code owners April 3, 2025 08:43
@jiasli jiasli force-pushed the assignee_object_id branch 2 times, most recently from bbfb909 to 933506c Compare April 3, 2025 10:43
@jiasli jiasli force-pushed the assignee_object_id branch from 933506c to 56123d6 Compare April 7, 2025 07:22
jiasli
jiasli commented Apr 8, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py
except Exception as ex: # pylint: disable=broad-except
if _error_caused_by_role_assignment_exists(ex): # for idempotent
return list_role_assignments(cmd, assignee=assignee, role=role, scope=scope)[0]
return list_role_assignments(cmd, assignee_object_id=object_id, role=role, scope=scope)[0]
Copy link
Member Author

@jiasli jiasli Apr 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using object_id instead of assignee saves one Graph query for az role assignment create.

@jiasli jiasli merged commit 7472adf into Azure:dev Apr 9, 2025
53 checks passed
@jiasli jiasli deleted the assignee_object_id branch April 9, 2025 08:58
This was referenced Apr 9, 2025
Closed
Closed
Closed
@jiasli jiasli mentioned this pull request May 30, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

Assignees

@jiasli jiasli

Labels

Auto-Assign Auto assign by bot RBAC az role

Projects

None yet

Milestone

May 2025 (2025-05-06)

4 participants

@jiasli @yonzhan @bebound @evelyn-ys