Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RBAC] BREAKING CHANGE: fix issue #11883 az role assignment create scope default to subscription if empty #11977

Closed
wants to merge 6 commits into from
Closed

[RBAC] BREAKING CHANGE: fix issue #11883 az role assignment create scope default to subscription if empty #11977

wants to merge 6 commits into from

Conversation

arrownj
Copy link
Contributor

@arrownj arrownj commented Jan 29, 2020

This checklist is used to make sure that common guidelines for a pull request are followed.

  • The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).

  • I adhere to the Command Guidelines.

jiasli
jiasli reviewed Jan 29, 2020
View reviewed changes
src/azure-cli/HISTORY.rst
@@ -3,6 +3,10 @@
Release History
===============

**RBAC**

* [BREAKING CHANGE] Fix issue #11883 az role assignment create scope default to subscription if empty
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please follow the history convention like:

Fix #11883: az role assignment create: scope defaults to subscription if not specified

jiasli
jiasli reviewed Jan 29, 2020
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/_validators.py
namespace.resource_group_name = None # drop configured defaults

if not namespace.show_all and not namespace.scope and not namespace.resource_group_name:
raise CLIError('usage error: please specify at least one of "--all", "--scope" and "--resource-group".')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We usually use single quotes in error messages.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I searched similar error message in our code base, seems we usually use nothing in such case. The error message will be at least one of --scope and --resource-group in the new PR.

jiasli
jiasli reviewed Jan 29, 2020
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/_validators.py
Comment on lines +103 to +104
if not namespace.show_all and not namespace.scope and not namespace.resource_group_name:
raise CLIError('usage error: please specify at least one of "--all", "--scope" and "--resource-group".')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the behavior of az role assignment list is also changed? There doesn't seem to be any security concern in this command.

Also, it is also a breaking change to force one of --all, --scope and -resource-group, which needs to go to the history.

jiasli
jiasli reviewed Jan 29, 2020
View reviewed changes
src/azure-cli/azure/cli/command_modules/role/_validators.py
Comment on lines +99 to +101
resource_group = namespace.resource_group_name
if namespace.scope and resource_group and getattr(resource_group, 'is_default', None):
namespace.resource_group_name = None # drop configured defaults
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a duplicate of L90-L92. I'd suggested to extract it to a function like drop_default_group.

@jiasli
Copy link
Member

jiasli commented Jan 29, 2020

I think the security concern in the original issue #11883 is when --scope is specified but with an empty argument: --scope "". Therefore, we don't need to change the behavior (fallback to subscription scope) when --scope is not specified.

We can error out here:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Line 493 in 85f04e7

if scope:

The error can be something like:

    if scope == "":
        raise CLIError('Invalid scope. Please use --help to view the valid format.')

One interesting thing I noticed is that the role assignment REST API does support empty scope. In that case, the create call is

PUT https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/a5b85ff6-2fbe-454d-bbc3-6a90f9c54d62?api-version=2018-09-01-preview

And the response is

  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/a5b85ff6-2fbe-454d-bbc3-6a90f9c54d62",
    "name": "a5b85ff6-2fbe-454d-bbc3-6a90f9c54d62",
    "principalId": "",
    "principalName": "",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleDefinitionName": "Contributor",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  }

Notice "scope": "/". But this behavior is not documented.

Anyway, let's error out for empty scope "" for now and discuss it furtherly later.

@jiasli jiasli closed this Jan 29, 2020
@arrownj arrownj mentioned this pull request Jan 29, 2020
Merged
2 tasks
@arrownj arrownj deleted the fix/role_assignment branch July 29, 2020 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiasli jiasli jiasli left review comments

@qianwens qianwens Awaiting requested review from qianwens

@Juliehzl Juliehzl Awaiting requested review from Juliehzl

Assignees
No one assigned
Labels
do-not-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@arrownj @jiasli