-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Hunts] Add hunts to Sentinel 2023-04-01-preview version #23139
[Hunts] Add hunts to Sentinel 2023-04-01-preview version #23139
Conversation
Hi, @yummyblabla Thanks for your PR. I am workflow bot for review process. Here are some small tips. Any feedback about review process or workflow bot, pls contact swagger and tools team. vscswagger@microsoft.com |
Swagger Validation Report
|
compared tags (via openapi-validator v2.0.0) | new version | base version |
---|---|---|
package-preview-2023-04 | package-preview-2023-04(4b20a3a) | package-preview-2023-04(release-Sentinel-2023-04-01-preview) |
️️✔️
Avocado succeeded [Detail] [Expand]
Validation passes for Avocado.
️️✔️
SwaggerAPIView succeeded [Detail] [Expand]
️️✔️
CadlAPIView succeeded [Detail] [Expand]
️️✔️
ModelValidation succeeded [Detail] [Expand]
Validation passes for ModelValidation.
️️✔️
SemanticValidation succeeded [Detail] [Expand]
Validation passes for SemanticValidation.
️️✔️
PrettierCheck succeeded [Detail] [Expand]
Validation passes for PrettierCheck.
️️✔️
SpellCheck succeeded [Detail] [Expand]
Validation passes for SpellCheck.
️️✔️
CadlValidation succeeded [Detail] [Expand]
Validation passes for CadlValidation.
️️✔️
PR Summary succeeded [Detail] [Expand]
Validation passes for Summary.
Swagger Generation Artifacts
|
Generated ApiView
|
Hi, @yummyblabla your PR are labelled with WaitForARMFeedback. A notification email will be sent out shortly afterwards to notify ARM review board(armapireview@microsoft.com). |
Swagger ApiDocReview check is in progress for almost a day, but logs within the check indicate that there are no issues. |
...tyinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json
Show resolved
Hide resolved
"HuntRelationProperties": { | ||
"description": "Describes hunt relation properties", | ||
"properties": { | ||
"relatedResourceId": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please explain a bit about the scenario here ? When the user creates the huntrelation is he expected to have permissions over this related resoruce id ? How does your service get permissions over this resource ? Do you plan to include linked access checks to ensure that the user also has access to this ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When a hunt relation is created, they should already have access to the related resource id. In certain scenarios, the original resource is duplicated to prevent modifying the original. As of now, this is only a one-way linkage to the related resource, as the resources are stored differently (graph store vs cosmosdb). There may be future plans to address this issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you ensure that they have access to the related resource id ? Do you do a linked access check : https://armwiki.azurewebsites.net/authorization/RBACLinkedAccessCheck.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the UX perspective, the user should already have access to the resource through RBAC, and they will be able to make relations PUT call with that resource's id.
From our API's point of view, we are only returning the string of the resource's id, not the resource itself. It is up to the user to make the request to that resource's API to get more information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue I am trying to point out is that when the user passes in the relatedResourceId in the PUT call , that user may not have access to that particular resource id from azure RBAC, yet by running this operation they are able to influence it. To avoid this you need to add the linked access check for this resource.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even if the user does not have access to the related resource, they are not able to influence that related resource by creating it here through the PUT request. They still need to make an actual GET request to that API to get the resource.
We are only creating a one-way link to the related resource and we are storing the related resource id string. If the related resource permission's get revoked, or gets deleted, our API does not get notified of this as the relation still persists until the relation gets deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SO what do you do with the related resource once it gets created .. I assume there would be more to the operation than just storing it on your side ? (Note : Feel free to email me to get this resolved a bit quicker)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signing off based on offline conversation. Team agrees to add linked access checks for the scenario.
...tyinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json
Outdated
Show resolved
Hide resolved
Please ensure to respond feedbacks from the ARM API reviewer. When you are ready to continue the ARM API review, please remove |
Hi @yummyblabla, Your PR has some issues. Please fix the CI sequentially by following the order of
|
* Adds base for updating Microsoft.SecurityInsights from version preview/2023-03-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Members (#23134) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Members * udpate pattern * Workspace manager configurations (#23133) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * adding april configurations swagger * update pattern * prettier update * update readme * Workspace manager assignments (#23130) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Assignments/Jobs * update readme * updated from comments * update from lint diff errors * updated descriptions * Workspace manager groups (#23135) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * april swagger for groups * update path name & pattern * [Hunts] Add hunts to Sentinel 2023-04-01-preview version (#23139) * Add hunts files * Include update in 200 description and add defaults * Add back 201 * Update relation properties * Update example --------- Co-authored-by: Derrick Lee <derricklee@microsoft.com> * Add readonly flag to providerName property (#23259) * sentinel content hub package and template API (#23151) * commit for content template and content package API * fix issues reported by swagger lint * add 201 for put requests in template service * resolve the comments * resolve comments in packageId * resolve comments * update descriptions due to lint error (#23392) * Fix policheck issue by updating the description. (#23415) * Fix polich issue by updating the description. * update the description to fix a typo. * Release sentinel 2023 04 01 preview (#23420) * Fix polich issue by updating the description. * update the description to fix a typo. * fix policheck by updating description * rename enum name to stable version to fix cross-version breaking change failure. * fix typo (#23463) --------- Co-authored-by: rheabansal <93624991+rheabansal@users.noreply.github.com> Co-authored-by: Derrick Lee <derricklee91@gmail.com> Co-authored-by: Derrick Lee <derricklee@microsoft.com> Co-authored-by: Anat Gilenson <53407600+anat-gilenson@users.noreply.github.com> Co-authored-by: xuhumsft <116764429+xuhumsft@users.noreply.github.com> Co-authored-by: Nan Zang <nazang@microsoft.com>
* Adds base for updating Microsoft.SecurityInsights from version preview/2023-03-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Members (Azure#23134) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Members * udpate pattern * Workspace manager configurations (Azure#23133) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * adding april configurations swagger * update pattern * prettier update * update readme * Workspace manager assignments (Azure#23130) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Assignments/Jobs * update readme * updated from comments * update from lint diff errors * updated descriptions * Workspace manager groups (Azure#23135) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * april swagger for groups * update path name & pattern * [Hunts] Add hunts to Sentinel 2023-04-01-preview version (Azure#23139) * Add hunts files * Include update in 200 description and add defaults * Add back 201 * Update relation properties * Update example --------- Co-authored-by: Derrick Lee <derricklee@microsoft.com> * Add readonly flag to providerName property (Azure#23259) * sentinel content hub package and template API (Azure#23151) * commit for content template and content package API * fix issues reported by swagger lint * add 201 for put requests in template service * resolve the comments * resolve comments in packageId * resolve comments * update descriptions due to lint error (Azure#23392) * Fix policheck issue by updating the description. (Azure#23415) * Fix polich issue by updating the description. * update the description to fix a typo. * Release sentinel 2023 04 01 preview (Azure#23420) * Fix polich issue by updating the description. * update the description to fix a typo. * fix policheck by updating description * rename enum name to stable version to fix cross-version breaking change failure. * fix typo (Azure#23463) --------- Co-authored-by: rheabansal <93624991+rheabansal@users.noreply.github.com> Co-authored-by: Derrick Lee <derricklee91@gmail.com> Co-authored-by: Derrick Lee <derricklee@microsoft.com> Co-authored-by: Anat Gilenson <53407600+anat-gilenson@users.noreply.github.com> Co-authored-by: xuhumsft <116764429+xuhumsft@users.noreply.github.com> Co-authored-by: Nan Zang <nazang@microsoft.com>
ARM API Information (Control Plane)
MSFT employees can try out our new experience at OpenAPI Hub - one location for using our validation tools and finding your workflow.
Azure 1st Party Service can try out the Shift Left experience to initiate API design review from ADO code repo. If you are interested, may request engineering support by filling in with the form https://aka.ms/ShiftLeftSupportForm.
Changelog
Add a changelog entry for this PR by answering the following questions:
Contribution checklist (MS Employees Only):
If any further question about AME onboarding or validation tools, please view the FAQ.
ARM API Review Checklist
Otherwise your PR may be subject to ARM review requirements. Complete the following:
Check this box if any of the following apply to the PR so that the label "ARMReview" and "WaitForARMFeedback" will be added by bot to kick off ARM API Review. Missing to check this box in the following scenario may result in delays to the ARM manifest review and deployment.
-[x] To review changes efficiently, ensure you copy the existing version into the new directory structure for first commit and then push new changes, including version updates, in separate commits. You can use OpenAPIHub to initialize the PR for adding a new version. For more details refer to the wiki.
Ensure you've reviewed following guidelines including ARM resource provider contract and REST guidelines. Estimated time (4 hours). This is required before you can request review from ARM API Review board.
If you are blocked on ARM review and want to get the PR merged with urgency, please get the ARM oncall for reviews (RP Manifest Approvers team under Azure Resource Manager service) from IcM and reach out to them.
Breaking Change Review Checklist
If you have any breaking changes as defined in the Breaking Change Policy, request approval from the Breaking Change Review Board.
Action: to initiate an evaluation of the breaking change, create a new intake using the template for breaking changes. Additional details on the process and office hours are on the Breaking Change Wiki.
NOTE: To update API(s) in public preview for over 1 year (refer to Retirement of Previews)
Please follow the link to find more details on PR review process.