[KeyVault] Add new parameter --enable-rbac-authorization during creating or updating
#12074
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -75,6 +75,8 @@ class CLIJsonWebKeyOperation(str, Enum): | |
| c.argument('enabled_for_deployment', arg_type=get_three_state_flag(), help='Allow Virtual Machines to retrieve certificates stored as secrets from the vault.') | ||
| c.argument('enabled_for_disk_encryption', arg_type=get_three_state_flag(), help='Allow Disk Encryption to retrieve secrets from the vault and unwrap keys.') | ||
| c.argument('enabled_for_template_deployment', arg_type=get_three_state_flag(), help='Allow Resource Manager to retrieve secrets from the vault.') | ||
| c.argument('enable_rbac_authorization', arg_type=get_three_state_flag(), help='Enable RBAC authorization for the vault, and all contained entities.') | ||
| c.argument('enable_soft_delete', arg_type=get_three_state_flag(), help='Enable vault deletion recovery for the vault, and all contained entities') | ||
| c.argument('enable_purge_protection', arg_type=get_three_state_flag(), help='Prevents manual purging of deleted vault, and all contained entities') | ||
|
|
||
| with self.argument_context('keyvault', arg_group='Network Rule', min_api='2018-02-14') as c: | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -318,6 +318,7 @@ def create_keyvault(cmd, client, # pylint: disable=too-many-locals | |
| enabled_for_deployment=None, | ||
| enabled_for_disk_encryption=None, | ||
| enabled_for_template_deployment=None, | ||
| enable_rbac_authorization=None, | ||
| enable_soft_delete=None, | ||
| enable_purge_protection=None, | ||
| retention_days=None, | ||
|
|
@@ -361,7 +362,7 @@ def create_keyvault(cmd, client, # pylint: disable=too-many-locals | |
| if bypass or default_action else \ | ||
| _parse_network_acls(cmd, resource_group_name, network_acls, network_acls_ips, network_acls_vnets) | ||
|
|
||
| if no_self_perms or enable_rbac_authorization: | ||
| access_policies = [] | ||
| else: | ||
| permissions = Permissions(keys=[KeyPermissions.get, | ||
|
|
@@ -417,13 +418,15 @@ def create_keyvault(cmd, client, # pylint: disable=too-many-locals | |
| access_policies = [AccessPolicyEntry(tenant_id=tenant_id, | ||
| object_id=object_id, | ||
| permissions=permissions)] | ||
|
|
||
| properties = VaultProperties(tenant_id=tenant_id, | ||
| sku=Sku(name=sku), | ||
| access_policies=access_policies, | ||
| vault_uri=None, | ||
| enabled_for_deployment=enabled_for_deployment, | ||
| enabled_for_disk_encryption=enabled_for_disk_encryption, | ||
| enabled_for_template_deployment=enabled_for_template_deployment, | ||
| enable_rbac_authorization=enable_rbac_authorization, | ||
| enable_soft_delete=enable_soft_delete, | ||
| enable_purge_protection=enable_purge_protection, | ||
| soft_delete_retention_in_days=int(retention_days)) | ||
|
|
@@ -450,6 +453,7 @@ def update_keyvault_setter(cmd, client, parameters, resource_group_name, vault_n | |
| def update_keyvault(cmd, instance, enabled_for_deployment=None, | ||
| enabled_for_disk_encryption=None, | ||
| enabled_for_template_deployment=None, | ||
| enable_rbac_authorization=None, | ||
| enable_soft_delete=None, | ||
| enable_purge_protection=None, | ||
| retention_days=None, | ||
|
|
@@ -464,6 +468,9 @@ def update_keyvault(cmd, instance, enabled_for_deployment=None, | |
| if enabled_for_template_deployment is not None: | ||
| instance.properties.enabled_for_template_deployment = enabled_for_template_deployment | ||
|
|
||
| if enable_rbac_authorization is not None: | ||
| instance.properties.enable_rbac_authorization = enable_rbac_authorization | ||
|
|
||
| if enable_soft_delete is not None: | ||
| instance.properties.enable_soft_delete = enable_soft_delete | ||
|
|
||
|
|
@@ -525,6 +532,14 @@ def set_policy(cmd, client, resource_group_name, vault_name, | |
| certificate_permissions = _permissions_distinct(certificate_permissions) | ||
| storage_permissions = _permissions_distinct(storage_permissions) | ||
|
|
||
| try: | ||
| enable_rbac_authorization = getattr(vault.properties, 'enable_rbac_authorization') | ||
| except: # pylint: disable=bare-except | ||
| pass | ||
| else: | ||
| if enable_rbac_authorization: | ||
| raise CLIError('Cannot set policies to a vault with \'--enable-rbac-authorization\' specified') | ||
|
|
||
| # Find the existing policy to set | ||
| policy = next((p for p in vault.properties.access_policies | ||
| if object_id.lower() == p.object_id.lower() and | ||
|
|
@@ -650,6 +665,15 @@ def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None, | |
| object_id = _object_id_args_helper(cmd.cli_ctx, object_id, spn, upn) | ||
| vault = client.get(resource_group_name=resource_group_name, | ||
| vault_name=vault_name) | ||
|
|
||
| try: | ||
| enable_rbac_authorization = getattr(vault.properties, 'enable_rbac_authorization') | ||
| except: # pylint: disable=bare-except | ||
| pass | ||
| else: | ||
| if enable_rbac_authorization: | ||
| raise CLIError('Cannot delete policies to a vault with \'--enable-rbac-authorization\' specified') | ||
|
|
||
| prev_policies_len = len(vault.properties.access_policies) | ||
| vault.properties.access_policies = [p for p in vault.properties.access_policies if | ||
| vault.properties.tenant_id.lower() != p.tenant_id.lower() or | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Long summary is not shown in CLI reference. May you can move it to short summary.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@qwordy Good point, but I think it's ok to keep it as long summary, for the docs display issue, we'd better push docs team to display our long summaries as well. Now at least we can see the long summary using
-h.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. No problem.