role assignment: support scope of management group #9321

merged 2 commits into from
May 15, 2019
role assignment: support scope of management group
yugangw-msft committed May 14, 2019
commit 77613fd3014ba083449280139e138e55309d39cf


2 changes: 2 additions & 0 deletions src/command_modules/azure-cli-role/HISTORY.rst
Expand Up @@ -2,6 +2,8 @@

Release History
===============
* role assignment: support scope of management group

2.6.1
+++++
* create-for-rbac: hide '--password' as the preparations to pull the plug completely in 2019 May
Expand Up @@ -450,15 +450,15 @@ def _search_role_assignments(cli_ctx, assignments_client, definitions_client,
if assignee:
assignee_object_id = _resolve_object_id(cli_ctx, assignee, fallback_to_object_id=True)

# combining filters is unsupported, so we pick the best, and do limited maunal filtering
if assignee_object_id:
# always use "scope" if provided, so we can get assignments beyond subscription e.g. management groups
if scope:
assignments = list(assignments_client.list_for_scope(scope=scope, filter='atScope()'))
elif assignee_object_id:
if include_groups:
f = "assignedTo('{}')".format(assignee_object_id)
else:
f = "principalId eq '{}'".format(assignee_object_id)
assignments = list(assignments_client.list(filter=f))
elif scope:
assignments = list(assignments_client.list_for_scope(scope=scope, filter='atScope()'))
else:
assignments = list(assignments_client.list())

Expand All @@ -474,6 +474,9 @@ def _search_role_assignments(cli_ctx, assignments_client, definitions_client,
role_id = _resolve_role_id(role, scope, definitions_client)
assignments = [i for i in assignments if worker.get_role_property(i, 'role_definition_id') == role_id]

if assignee_object_id:
assignments = [i for i in assignments if worker.get_role_property(i, 'principal_id') == assignee_object_id]

return assignments


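Review bot: The post-filter added at the end of the second hunk, `if assignee_object_id: assignments = [i for i in assignments if worker.get_role_property(i, 'principal_id') == assignee_object_id]`, keeps only assignments whose principal is the assignee itself, so on the new `if scope:` branch of the first hunk `include_groups` is silently ignored — the `assignedTo()` server-side filter is only reached on the `elif assignee_object_id` branch. For an access review at a management group that under-reports what a user can actually do there through group membership, and the caller gets no indication. The minimal guard is `if assignee_object_id and not include_groups:` with a comment that the scope path does not expand group membership; the fuller fix would resolve the assignee's groups and match `principal_id` against that set. `_search_role_assignments` begins before the first hunk, and its parameter list (including `include_groups`) is not visible here.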
Expand Up @@ -317,6 +317,48 @@ def test_role_assignment_handle_conflicted_assignments(self, resource_group):
self.cmd('configure --default group=""')
self.cmd('ad user delete --upn-or-object-id {upn}')

@ResourceGroupPreparer(name_prefix='cli_role_assign')
@AllowLargeResponse()
def test_role_assignment_mgmt_grp(self, resource_group):
if self.run_under_service_principal():
return # this test delete users which are beyond a SP's capacity, so quit...

with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
user = self.create_random_name('testuser', 15)
mgmt_grp = self.create_random_name('mgmt_grp', 15)
self.kwargs.update({
'upn': user + '@azuresdkteam.onmicrosoft.com',
'mgmt_grp': mgmt_grp
})

self.cmd('ad user create --display-name tester123 --password Test123456789 --user-principal-name {upn}')
time.sleep(15) # By-design, it takes some time for RBAC system propagated with graph object change

mgmt_grp_created = False

try:
mgmt_grp_id = self.cmd('account management-group create -n {mgmt_grp}').get_output_in_json()['id']
self.kwargs['scope'] = mgmt_grp_id
mgmt_grp_created = True
time.sleep(15) # By-design, it takes some time for RBAC system propagated with graph object change
# test role assignments on a resource group
self.cmd('role assignment create --assignee {upn} --role reader --scope {scope}',
checks=self.check('scope', self.kwargs['scope']))

self.cmd('role assignment list --assignee {upn} --role reader --scope {scope}', checks=[
self.check('length([])', 1),
self.check('[0].scope', self.kwargs['scope'])
])

self.cmd('role assignment delete --assignee {upn} --role reader --scope {scope}')

self.cmd('role assignment list --assignee {upn} --role reader --scope {scope}',
checks=self.check('length([])', 0))
finally:
if mgmt_grp_created:
self.cmd('account management-group delete -n {mgmt_grp}')
self.cmd('ad user delete --upn-or-object-id {upn}')

@ResourceGroupPreparer(name_prefix='cli_role_audit')
@AllowLargeResponse()
def test_role_assignment_audits(self, resource_group):
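Review bot: `if self.run_under_service_principal(): return` at the top of `test_role_assignment_mgmt_grp` makes the test pass vacuously when it cannot run; if the base class is a unittest TestCase, `self.skipTest('needs a user account; deletes AAD users')` would record it as skipped so a green run is not mistaken for coverage of the management-group path. The comment `# test role assignments on a resource group` above the `role assignment create` call is stale — the scope under test is the management group id stored in `self.kwargs['scope']`; `# test role assignments at management-group scope` matches the code. The `--password Test123456789` literal on the `ad user create` line is a credential committed to source for a user in a real tenant, short-lived though it is; a value generated per run would keep it out of the repository. The new test method is wholly inside the hunk; the enclosing class header is not.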