Skip to content

{Role} az role assignment create: Show warning if --scope argument is not specified#24755

Merged
jiasli merged 3 commits intoAzure:devfrom
jiasli:role-assignment-scope
Feb 24, 2023
Merged

{Role} az role assignment create: Show warning if --scope argument is not specified#24755
jiasli merged 3 commits intoAzure:devfrom
jiasli:role-assignment-scope

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Nov 28, 2022
edited
Loading

Description
Similar to #20965
A temporary warning for #24753

For az role assignment create, --scope defaults to the subscription. Without explicit consent from the user on the --scope, this behavior is considered Elevation of Privilege.

This PR adds a warning if --scope is not specified:

> az role assignment create --assignee 5963f50c-7c43-405c-af7e-53294de76abd --role Reader --resource-group clitest.rgizxewh7npwdc63xpadmmi73hvq5ftcza2acf5wiyulxnjy5fgujpvvqll63kndkru
Starting from Azure CLI 2.47.0, --scopes argument will become required for creating role assignments. Please explicitly specify --scopes.
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/clitest.rgizxewh7npwdc63xpadmmi73hvq5ftcza2acf5wiyulxnjy5fgujpvvqll63kndkru/providers/Microsoft.Authorization/roleAssignments/3a36df35-93c4-4e5b-b605-61e9f9a0f1fc",
  "name": "3a36df35-93c4-4e5b-b605-61e9f9a0f1fc",
  "principalId": "5963f50c-7c43-405c-af7e-53294de76abd",
  "principalName": "admin2@AzureSDKTeam.onmicrosoft.com",
  "principalType": "User",
  "resourceGroup": "clitest.rgizxewh7npwdc63xpadmmi73hvq5ftcza2acf5wiyulxnjy5fgujpvvqll63kndkru",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/clitest.rgizxewh7npwdc63xpadmmi73hvq5ftcza2acf5wiyulxnjy5fgujpvvqll63kndkru",
  "type": "Microsoft.Authorization/roleAssignments"
}

Even if --resource-group or --subscription is specified, we still show this warning because as described in #24753, we may drop --resource-group and --subscription, so --scope should always be used as the unified, all-in-one argument for specifying the role assignment scope.

Related PR: #25283

History Notes

[Role] az role assignment create: Show warning if --scope argument is not specified: --scope argument will become required for creating a role assignment in the breaking change release of the fall of 2023. Please explicitly specify --scope.

@ghost ghost requested a review from yonzhan November 28, 2022 06:44
@ghost ghost added the Auto-Assign Auto assign by bot label Nov 28, 2022
@ghost ghost assigned jiasli Nov 28, 2022
@ghost ghost added this to the Nov 2022 (2022-12-06) milestone Nov 28, 2022
@ghost ghost added the RBAC az role label Nov 28, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented Nov 28, 2022

Role

@jiasli jiasli force-pushed the role-assignment-scope branch from c30e32b to db424a7 Compare February 17, 2023 09:22
jiasli
jiasli commented Feb 17, 2023
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py Outdated
"The output includes credentials that you must protect. Be sure that you do not include these credentials in "
"your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli")

SCOPE_WARNING = "In a future release, --scope argument will become required for creating a role assignment. " \
Copy link
Member Author

@jiasli jiasli Feb 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to #20965, we can't give an exact version yet.

Copy link
Contributor

@dbradish-microsoft dbradish-microsoft Feb 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jiasli , but can't we at least give the anticipated breaking change (BK) window as are BKs are moving to a bi-annual schedule?

Copy link
Contributor

@dcaro dcaro Feb 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should also be consistent with the content on line 688.
We can mention something like "breaking change of Fall of 2023".

@jiasli jiasli marked this pull request as ready for review February 17, 2023 09:23
jiasli
jiasli commented Feb 22, 2023
View reviewed changes
dcaro
dcaro reviewed Feb 22, 2023
View reviewed changes
Copy link
Contributor

@dcaro dcaro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jiasli just a suggestion about the name.
We need to give a more specific timeline.

src/azure-cli/azure/cli/command_modules/role/_help.py Outdated
helps['role assignment create'] = """
type: command
short-summary: Create a new role assignment for a user, group, or service principal.
long-summary: In a future release, --scope argument will become required for creating a role assignment. Please explicitly specify --scope.
Copy link
Contributor

@dcaro dcaro Feb 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jiasli We should be specific about the timeline.

Copy link
Contributor

@dcaro dcaro Feb 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
long-summary: In a future release, --scope argument will become required for creating a role assignment. Please explicitly specify --scope.
long-summary: --scope argument will become required for creating a role assignment in the breaking change release of the fall of 2023. Please explicitly specify --scope.

dbradish-microsoft
dbradish-microsoft requested changes Feb 23, 2023
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/custom.py Outdated
"The output includes credentials that you must protect. Be sure that you do not include these credentials in "
"your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli")

SCOPE_WARNING = "In a future release, --scope argument will become required for creating a role assignment. " \
Copy link
Contributor

@dbradish-microsoft dbradish-microsoft Feb 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jiasli , but can't we at least give the anticipated breaking change (BK) window as are BKs are moving to a bi-annual schedule?

@jiasli @dbradish-microsoft
Update src/azure-cli/azure/cli/command_modules/role/_help.py
d046a3b 
Co-authored-by: Delora Bradish <dbradish@microsoft.com>
@jiasli
Copy link
Member Author

jiasli commented Feb 24, 2023

We will also need to refine the conceptual doc: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli

dcaro
dcaro approved these changes Feb 24, 2023
View reviewed changes
Copy link
Contributor

@dcaro dcaro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jiasli jiasli changed the title {Role} az role assignment create: Show warning when scope defaults to subscription {Role} az role assignment create: Show warning when --scope argument is not specified Feb 24, 2023
@jiasli jiasli changed the title {Role} az role assignment create: Show warning when --scope argument is not specified {Role} az role assignment create: Show warning if --scope argument is not specified Feb 24, 2023
@jiasli jiasli merged commit 00fe3e5 into Azure:dev Feb 24, 2023
@jiasli jiasli deleted the role-assignment-scope branch February 24, 2023 03:40
@dcaro dcaro mentioned this pull request Feb 24, 2023
Merged
3 tasks
avgale pushed a commit to avgale/azure-cli that referenced this pull request Aug 24, 2023
@jiasli
{Role} az role assignment create: Show warning if --scope argumen…
86c9a42 
…t is not specified (Azure#24755)
@jiasli jiasli mentioned this pull request Oct 20, 2023
Merged
@jiasli jiasli mentioned this pull request Dec 5, 2024
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dcaro dcaro dcaro approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan yonzhan approved these changes

@dbradish-microsoft dbradish-microsoft dbradish-microsoft approved these changes

@calvinhzy calvinhzy Awaiting requested review from calvinhzy

Assignees

@jiasli jiasli

Labels

Auto-Assign Auto assign by bot RBAC az role

Projects

None yet

Milestone

Feb 2023 (2023-03-07)

Development

Successfully merging this pull request may close these issues.

5 participants

@jiasli @yonzhan @dcaro @evelyn-ys @dbradish-microsoft