[CosmosDB] Mongo RBAC (Azure#4389)

* Mongo RBAC * Fixing Lint issues * Fixing help Lint issue
YuanyuanNi · Feb 8, 2022 · 9dac199 · 9dac199
1 parent fdcdf1b
commit 9dac199
Show file tree

Hide file tree

Showing 10 changed files with 3,604 additions and 6 deletions.
diff --git a/src/cosmosdb-preview/HISTORY.rst b/src/cosmosdb-preview/HISTORY.rst
@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.13.0
+++++++
+* Create and manage Role Definitions and User Definitions for enforcing data plane RBAC on Cosmos DB MongoDB accounts
+
 0.12.0
 ++++++
 * Modify parameter names for Ldap support in Managed Instance for Apache Cassandra.

diff --git a/src/cosmosdb-preview/azext_cosmosdb_preview/_client_factory.py b/src/cosmosdb-preview/azext_cosmosdb_preview/_client_factory.py
@@ -24,3 +24,7 @@ def cf_cassandra_cluster(cli_ctx, _):
 
 def cf_cassandra_data_center(cli_ctx, _):
     return cf_cosmosdb_preview(cli_ctx).cassandra_data_centers
+
+
+def cf_mongo_db_resources(cli_ctx, _):
+    return cf_cosmosdb_preview(cli_ctx).mongo_db_resources
diff --git a/src/cosmosdb-preview/azext_cosmosdb_preview/_help.py b/src/cosmosdb-preview/azext_cosmosdb_preview/_help.py
@@ -233,3 +233,159 @@
 type: command
 short-summary: Return if the given cosmosdb graph resource exist.
 """
+
+helps['cosmosdb mongodb role'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Mongo role resources.
+"""
+
+helps['cosmosdb mongodb role definition'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Mongo role definitions.
+"""
+
+helps['cosmosdb mongodb role definition create'] = """
+type: command
+short-summary: Create a Mongo DB role definition under an Azure Cosmos DB account.
+examples:
+  - name: Create a Mongo DB role definition under an Azure Cosmos DB account using a JSON string.
+    text: |
+      az cosmosdb mongodb role definition create --account-name MyAccount --resource-group MyResourceGroup --body '{
+        "Id": "MyDB.My_Read_Only_Role",
+        "RoleName": "My_Read_Only_Role",
+        "Type": "CustomRole",
+        "DatabaseName": "MyDB",
+        "Privileges": [{
+          "Resource": {
+              "Db": "MyDB",
+              "Collection": "MyCol"
+            },
+            "Actions": [
+              "insert",
+              "find"
+            ]
+        }],
+        "Roles": [
+          {
+            "Role": "myInheritedRole",
+            "Db": "MyTestDb"
+          }
+        ]
+      }'
+  - name: Create a Mongo DB role definition under an Azure Cosmos DB account using a JSON file.
+    text: az cosmosdb mongodb role definition create --account-name MyAccount --resource-group MyResourceGroup --body @mongo-role-definition.json
+"""
+
+helps['cosmosdb mongodb role definition delete'] = """
+type: command
+short-summary: Delete a CosmosDb MongoDb role definition under an Azure Cosmos DB account.
+examples:
+  - name: Delete a Mongo role definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb role definition delete --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb role definition exists'] = """
+type: command
+short-summary: Check if an Azure Cosmos DB MongoDb role definition exists.
+examples:
+  - name: Check if an Azure Cosmos DB MongoDb role definition exists.
+    text: az cosmosdb mongodb role definition exists --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb role definition list'] = """
+type: command
+short-summary: List all MongoDb role definitions under an Azure Cosmos DB account.
+examples:
+  - name: List all Mongodb role definitions under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb role definition list --account-name MyAccount --resource-group MyResourceGroup
+"""
+
+helps['cosmosdb mongodb role definition show'] = """
+type: command
+short-summary: Show the properties of a MongoDb role definition under an Azure Cosmos DB account.
+examples:
+  - name: Show the properties of a MongoDb role definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb role definition show --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb role definition update'] = """
+type: command
+short-summary: Update a MongoDb role definition under an Azure Cosmos DB account.
+examples:
+  - name: Update a MongoDb role definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb role definition update --account-name MyAccount --resource-group MyResourceGroup --body @mongo-role-definition.json
+"""
+
+helps['cosmosdb mongodb user'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Mongo user resources.
+"""
+
+helps['cosmosdb mongodb user definition'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Mongo user definitions.
+"""
+
+helps['cosmosdb mongodb user definition create'] = """
+type: command
+short-summary: Create a Mongo DB user definition under an Azure Cosmos DB account.
+examples:
+  - name: Create a Mongo DB user definition under an Azure Cosmos DB account using a JSON string.
+    text: |
+      az cosmosdb mongodb user definition create --account-name MyAccount --resource-group MyResourceGroup --body '{
+        "Id": "MyDB.MyUName",
+        "UserName": "MyUName",
+        "Password": "MyPass",
+        "DatabaseName": "MyDB",
+        "CustomData": "TestCustomData",
+        "Mechanisms": "SCRAM-SHA-256",
+        "Roles": [
+          {
+            "Role": "myReadRole",
+            "Db": "MyDB"
+          }
+        ]
+      }'
+  - name: Create a Mongo DB user definition under an Azure Cosmos DB account using a JSON file.
+    text: az cosmosdb mongodb user definition create --account-name MyAccount --resource-group MyResourceGroup --body @mongo-user-definition.json
+"""
+
+helps['cosmosdb mongodb user definition delete'] = """
+type: command
+short-summary: Delete a CosmosDb MongoDb user definition under an Azure Cosmos DB account.
+examples:
+  - name: Delete a Mongo user definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb user definition delete --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb user definition exists'] = """
+type: command
+short-summary: Check if an Azure Cosmos DB MongoDb user definition exists.
+examples:
+  - name: Check if an Azure Cosmos DB MongoDb user definition exists.
+    text: az cosmosdb mongodb user definition exists --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb user definition list'] = """
+type: command
+short-summary: List all MongoDb user definitions under an Azure Cosmos DB account.
+examples:
+  - name: List all Mongodb user definitions under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb user definition list --account-name MyAccount --resource-group MyResourceGroup
+"""
+
+helps['cosmosdb mongodb user definition show'] = """
+type: command
+short-summary: Show the properties of a MongoDb user definition under an Azure Cosmos DB account.
+examples:
+  - name: Show the properties of a MongoDb user definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb user definition show --account-name MyAccount --resource-group MyResourceGroup --id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb mongodb user definition update'] = """
+type: command
+short-summary: Update a MongoDb user definition under an Azure Cosmos DB account.
+examples:
+  - name: Update a MongoDb user definition under an Azure Cosmos DB account.
+    text: az cosmosdb mongodb user definition update --account-name MyAccount --resource-group MyResourceGroup --body @mongo-user-definition.json
+"""
diff --git a/src/cosmosdb-preview/azext_cosmosdb_preview/_params.py b/src/cosmosdb-preview/azext_cosmosdb_preview/_params.py
@@ -4,20 +4,48 @@
 # --------------------------------------------------------------------------------------------
 # pylint: disable=line-too-long, too-many-statements
 
+from azext_cosmosdb_preview.actions import (
+    InvokeCommandArgumentsAddAction)
+from argcomplete.completers import FilesCompleter
 
 from azext_cosmosdb_preview._validators import (
     validate_gossip_certificates,
     validate_client_certificates,
     validate_server_certificates,
     validate_seednodes,
-    validate_node_count)
+    validate_node_count,
+    validate_mongo_role_definition_body,
+    validate_mongo_role_definition_id,
+    validate_mongo_user_definition_body,
+    validate_mongo_user_definition_id)
 
-from azext_cosmosdb_preview.actions import (
-    InvokeCommandArgumentsAddAction)
+MONGO_ROLE_DEFINITION_EXAMPLE = """--body "{
+\\"Id\\": \\"be79875a-2cc4-40d5-8958-566017875b39\\",
+\\"RoleName\\": \\"MyRWRole\\",
+\\"Type\\": \\"CustomRole\\"
+\\"DatabaseName\\": \\"MyDb\\",
+\\"Privileges\\": [ {\\"Resource\\": {\\"Db\\": \\"MyDB\\",\\"Collection\\": \\"MyCol\\"},\\"Actions\\": [\\"insert\\",\\"find\\"]}],
+\\"Roles\\": [ {\\"Role\\": \\"myInheritedRole\\",\\"Db\\": \\"MyTestDb\\"}]
+}"
+"""
+
+MONGO_USER_DEFINITION_EXAMPLE = """--body "{
+\\"Id\\": \\"be79875a-2cc4-40d5-8958-566017875b39\\",
+\\"UserName\\": \\"MyUserName\\",
+\\"Password\\": \\"MyPass\\",
+\\"CustomData\\": \\"MyCustomData\\",
+\\"Mechanisms\\": \\"SCRAM-SHA-256\\"
+\\"DatabaseName\\": \\"MyDb\\",
+\\"Roles\\": [ {\\"Role\\": \\"myReadRole\\",\\"Db\\": \\"MyDb\\"}]
+}"
+"""
 
 
 def load_arguments(self, _):
     from azure.cli.core.commands.parameters import tags_type, get_enum_type, get_three_state_flag
+    from knack.arguments import CLIArgumentType
+
+    account_name_type = CLIArgumentType(options_list=['--account-name', '-a'], help="Cosmosdb account name.")
 
     # Managed Cassandra Cluster
     for scope in [
@@ -116,3 +144,15 @@ def load_arguments(self, _):
             c.argument('service_name', options_list=['--name', '-n'], help="Service Name.")
             c.argument('instance_count', options_list=['--count', '-c'], help="Instance Count.")
             c.argument('instance_size', options_list=['--size'], help="Instance Size. Possible values are: Cosmos.D4s, Cosmos.D8s, Cosmos.D16s etc")
+
+    # Mongo role definition
+    with self.argument_context('cosmosdb mongodb role definition') as c:
+        c.argument('account_name', account_name_type, id_part=None)
+        c.argument('mongo_role_definition_id', options_list=['--id', '-i'], validator=validate_mongo_role_definition_id, help="Unique ID for the Mongo Role Definition.")
+        c.argument('mongo_role_definition_body', options_list=['--body', '-b'], validator=validate_mongo_role_definition_body, completer=FilesCompleter(), help="Role Definition body with Id (Optional for create), Type (Default is CustomRole), DatabaseName, Privileges, Roles.  You can enter it as a string or as a file, e.g., --body @mongo-role_definition-body-file.json or " + MONGO_ROLE_DEFINITION_EXAMPLE)
+
+    # Mongo user definition
+    with self.argument_context('cosmosdb mongodb user definition') as c:
+        c.argument('account_name', account_name_type, id_part=None)
+        c.argument('mongo_user_definition_id', options_list=['--id', '-i'], validator=validate_mongo_user_definition_id, help="Unique ID for the Mongo User Definition.")
+        c.argument('mongo_user_definition_body', options_list=['--body', '-b'], validator=validate_mongo_user_definition_body, completer=FilesCompleter(), help="User Definition body with Id (Optional for create), UserName, Password, DatabaseName, CustomData, Mechanisms, Roles.  You can enter it as a string or as a file, e.g., --body @mongo-user_definition-body-file.json or " + MONGO_USER_DEFINITION_EXAMPLE)