
[Role] az role assignment create/update: Support --description, --condition and --condition-version#14958

Merged
jiasli merged 4 commits intoAzure:devfrom
jiasli:role-assignment
Sep 15, 2020

Conversation

jiasli (Member) commented Aug 28, 2020

Close #14552

az role assignment create

Design

New arguments to add to the existing arguments:

Arguments
    --description             : Description of the role assignment.
    --condition               : Condition under which the user can be granted permission
    --condition-version       : Version of the condition syntax

Examples

# line breaks for legibility
az role assignment create --assignee admin4@AzureSDKTeam.onmicrosoft.com
                          --role reader
                          --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1
                          --description "Role assignment foo to check on bar"
                          --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'"
                          --condition-version "2.0"

Sample Output:

{
  "canDelegate": null,
  "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'",
  "conditionVersion": "2.0",
  "description": "Role assignment foo to check on bar",
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "name": "d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "principalId": "182c8534-f413-487c-91a3-7addc80e35d5",
  "principalType": "User",
  "resourceGroup": "rg1",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1",
  "type": "Microsoft.Authorization/roleAssignments"
}

Checks

Description

  • description is a string.
  • If description is empty, replace with null.

Condition

  • condition is a string.
  • If condition is empty replace with null.

Condition-Version

  • condition-version is a string.
  • condition-version must be > 1.0.
    • The service already has this check: The specified role assignment ConditionVersion '0.1' is not supported.
  • If condition-version is empty and condition is set, condition-version defaults to 2.0.
  • If condition-version is set, condition must be set as well.

az role assignment update

Design

Command
    az role assignment update : update an existing role assignment for a user, group, or service
    principal.

Arguments
    --role-assignment   [Required] :  Description of a role as JSON, or a path to a file containing a JSON description.

Example

az role assignment update --role-assignment '{
  "canDelegate": null,
  "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals '"'"'foo'"'"'",
  "conditionVersion": "2.0",
  "description": "Role assignment foo to check on bar",
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "name": "d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "principalId": "182c8534-f413-487c-91a3-7addc80e35d5",
  "principalType": "User",
  "resourceGroup": "rg1",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1",
  "type": "Microsoft.Authorization/roleAssignments"
}'

# or
az role assignment update --role-assignment "C:\Path\to\JSON\roleAssignment.json"

Sample Output:

{
  "canDelegate": null,
  "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'",
  "conditionVersion": "2.0",
  "description": "Role assignment foo to check on bar",
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "name": "d89f022c-f12f-4fb5-9d90-afb9c1f4fd83",
  "principalId": "182c8534-f413-487c-91a3-7addc80e35d5",
  "principalType": "User",
  "resourceGroup": "rg1",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1",
  "type": "Microsoft.Authorization/roleAssignments"
}

Checks

Same as for role assignment create with some small exceptions/additions:

  • Only description, condition and conditionVersion can be modified.
    • This requires a lot of effort to diff the original REST response against the user input and should be implemented on the service side. NOT IMPLEMENTED in CLI yet.
  • If no role assignment exists with the indicated properties, throw an exception saying so.
  • conditionVersion cannot be downgraded to 1.X.

Testing Guide

az group create -l westus -n rg1

az role assignment create --assignee admin4@AzureSDKTeam.onmicrosoft.com --role reader --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1 --description "Role assignment foo to check on bar" --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0"

az role assignment update --role-assignment '{
  "canDelegate": null,
  "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals '"'"'foo'"'"'",
  "conditionVersion": "2.0",
  "description": "Role assignment foo to check on bar",
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/9e8947f9-a813-4003-bbdd-98fa57d4dca0",
  "name": "9e8947f9-a813-4003-bbdd-98fa57d4dca0",
  "principalId": "182c8534-f413-487c-91a3-7addc80e35d5",
  "principalName": "admin4@AzureSDKTeam.onmicrosoft.com",
  "principalType": "User",
  "resourceGroup": "rg1",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1",
  "type": "Microsoft.Authorization/roleAssignments"
}'

az role assignment delete -g rg1

az role assignment create --assignee admin4@AzureSDKTeam.onmicrosoft.com --role reader --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1 --description "Role assignment foo to check on bar" --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0" > output.json

az role assignment update --role-assignment output.json

az group delete -n rg1
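The argument checks listed in the design above (empty strings become null, --condition-version requires --condition, a condition without a version defaults to 2.0, the version must be above 1.0, and on update conditionVersion must not be downgraded to 1.X), written out as a small validator. This is an added example, not the azure-cli implementation; the function names, the RoleAssignmentError type and the sample dicts are assumptions, and it also includes the "only description/condition/conditionVersion may change" check that the design defers to the service.

```python
"""Validation rules for --description, --condition and --condition-version
on `az role assignment create/update`, following the PR design.
Added example; not the azure-cli code (names are assumptions)."""
import re
from typing import Optional

DEFAULT_CONDITION_VERSION = "2.0"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")
_MUTABLE = {"description", "condition", "conditionVersion"}


class RoleAssignmentError(ValueError):
    """Raised when the condition arguments are inconsistent (assumed name)."""


def _parse_version(version: str) -> tuple:
    """Turn 'major.minor' into a comparable (major, minor) tuple."""
    m = _VERSION_RE.match(version)
    if not m:
        raise RoleAssignmentError(f"Malformed condition version '{version}'")
    return int(m.group(1)), int(m.group(2))


def normalize_condition_args(description: Optional[str], condition: Optional[str],
                             condition_version: Optional[str]) -> dict:
    """Create-side checks: empty -> None, version needs a condition,
    condition without version defaults to 2.0, version must be > 1.0."""
    description, condition = description or None, condition or None
    condition_version = condition_version or None
    if condition_version is not None and condition is None:
        raise RoleAssignmentError("--condition-version requires --condition")
    if condition is not None and condition_version is None:
        condition_version = DEFAULT_CONDITION_VERSION
    if condition_version is not None and _parse_version(condition_version) <= (1, 0):
        # Mirrors the service-side rejection of e.g. ConditionVersion '0.1'.
        raise RoleAssignmentError(
            f"The specified role assignment ConditionVersion '{condition_version}' is not supported.")
    return {"description": description, "condition": condition,
            "conditionVersion": condition_version}


def check_update(existing: Optional[dict], updated: dict) -> dict:
    """Update-side checks: the assignment must exist (same id), only the
    three mutable properties may change, and no downgrade to 1.X."""
    if existing is None or existing.get("id") != updated.get("id"):
        raise RoleAssignmentError(f"Role assignment '{updated.get('id')}' does not exist")
    changed = {k for k in set(existing) | set(updated) if existing.get(k) != updated.get(k)}
    if changed - _MUTABLE:
        raise RoleAssignmentError(f"Only {sorted(_MUTABLE)} can be modified; got {sorted(changed - _MUTABLE)}")
    props = normalize_condition_args(updated.get("description"), updated.get("condition"),
                                     updated.get("conditionVersion"))
    old_v, new_v = existing.get("conditionVersion"), props["conditionVersion"]
    if old_v and new_v and _parse_version(new_v)[0] == 1 and _parse_version(old_v)[0] > 1:
        raise RoleAssignmentError("conditionVersion cannot be downgraded to 1.X")
    return props
```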

jiasli (Member, Author) commented Aug 28, 2020

This PR should be merged after #14461 and #14317 are merged.

@yonzhan yonzhan added this to the S175 - For Ignite milestone Aug 28, 2020
yonzhan (Collaborator) commented Aug 28, 2020

Role

Review comment (Member):

Can we add parameters like --can-delegate so that users can see help messages.

jiasli (Member, Author):

Taking JSON as an input is asked by the service team. I had the same suggestion as you to expose explicit arguments but the suggestion was rejected.

Review comment (Member):

CLI is yours. You fix it. Be brave. Go ahead.

- name: Create role assignment for an assignee.
text: az role assignment create --assignee sp_name --role a_role
- name: Create role assignment for an assignee with description and condition. (Only for 2020-04-01-preview API version and later.)
text: >-
Review comment (Member):

What's the difference between >- and |?

bim-msft (Contributor) commented Sep 14, 2020

@qwordy
In short: >- replaces every single \n with a space (in particular, the final \n is removed) and folds a double \n into one.

jiasli (Member, Author):

I use >- to make the code more readable purposefully.


c.argument('include_classic_administrators', arg_type=get_three_state_flag(), help='list default role assignments for subscription classic administrators, aka co-admins')
c.argument('description', min_api='2020-04-01-preview', help='Description of role assignment.')
c.argument('condition', min_api='2020-04-01-preview', help='Condition under which the user can be granted permission.')
c.argument('condition_version', min_api='2020-04-01-preview', help='Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.')
jiasli (Member, Author) commented Sep 15, 2020

How about adding this default value in the help message?

Added. I didn't use the built-in default mechanism because it is a conditional default - only when --condition is specified.

jsntcy (Member) left a comment

:shipit:

@jiasli jiasli merged commit 5f40c5e into Azure:dev Sep 15, 2020
Successfully merging this pull request may close these issues.

Request to add new properties to Role Assignment objects and operations

6 participants