Conversation

@jiasli (Member) commented Jan 19, 2021

Context

az role assignment list-changelogs (introduced by #5551) calls Activity Logs - List to get all activity logs with $filter=resourceProvider eq Microsoft.Authorization.

Then it uses

'scope': '/subscriptions/' + client.config.subscription_id,

to retrieve the subscription ID from mgmt client for Classic Administrator events. This operation is not permitted by Track 2 SDKs, as config now becomes a protected _config attribute.

Classic Administrator events

Classic Administrator create/delete operation generates 2 types of logs:

ARM event with http_request attribute

CLI currently doesn't show this type, because operation_name of the event is 'Microsoft.Authorization/classicadministrators/write' and the event will be filtered out:

if (op.lower().startswith('microsoft.authorization/roleassignments') and e.status.value == 'Succeeded'):

"offline" event without http_request attribute

CLI currently doesn't show this type either, because item.event_name.value should be 'Microsoft.Authorization/classicAdministrators/write' instead.

elif item.event_name and item.event_name.value.lower() == 'classicadministrators':

Conclusion

Therefore, Classic Administrator events are not shown by the current Azure CLI at all. Adding them back would instead cause a BREAKING CHANGE, as Classic Administrator events have a different structure from ARM role assignment events:

Classic Administrator event:

{
    "caller": "Subscription Admin",
    "principalId": null,
    "principalName": "[email protected]",
    "principalType": "User",
    "roleDefinitionId": null,
    "roleName": "CoAdmin",
    "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeName": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeType": "Subscription",
    "timestamp": "2021-01-19T07:10:56.932598+00:00"
}

ARM role assignment event:

{
    "action": "Revoked",  // Classic Administrator event doesn't have this field
    "caller": "[email protected]",
    "principalId": "5e914469-5dcf-4f7d-b2b6-ba14e926daba",
    "principalName": "http://azure-cli-2020-12-04-08-00-43",
    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleName": "Contributor",
    "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeName": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeType": "Subscription",
    "timestamp": "2021-01-19T05:38:43.228672+00:00"
}

Also, the Microsoft.Authorization/classicAdministrators/delete event doesn't have an adminEmail field, so principalName will be left as null.

{
    "caller": "Subscription Admin",
    "principalId": null,
    "principalName": null,
    "principalType": "User",
    "roleDefinitionId": null,
    "roleName": null,
    "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeName": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "scopeType": "Subscription",
    "timestamp": "2021-01-19T07:13:15.805340+00:00"
}

To query it, we have to call Classic Administrators - List which will of course add more complexity.

Changes

Since Azure CLI doesn't support creating Classic Administrator assignment or showing Classic Administrator events, this PR removes the logic for Classic Administrator event.

Testing guide

Run this command from both the current CLI and the changed CLI; the resulting count should be the same (849 in /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590).

az role assignment list-changelogs --start-time 2020-12-19T00:00:00Z --end-time 2021-01-19T09:00:00Z --query '"length(@)"'

Additional information

The only public API for classicAdministrators is Classic Administrators - List.

The Classic Administrators - PUT API which Azure Portal calls is not publicly documented.

PUT https://management.azure.com/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/
    Microsoft.Authorization/classicadministrators/<netId>?api-version=2015-06-01

netId (e.g. 1003200042CF7CB1) is an internal property of a user which is not exposed by AD Graph API v1.6 Operations on users.

Azure Portal queries it with an internal API:

POST https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/$batch

--batch_521e3e95-7c5f-404f-b5fa-4b97bb020737
Content-Type: application/http
Content-Transfer-Encoding: binary

GET /54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/users?$top=101 HTTP/1.1
Host: graph.windows.net
Accept: application/json

--batch_521e3e95-7c5f-404f-b5fa-4b97bb020737--
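The PR description above quotes the operation-name and status filter that `az role assignment list-changelogs` applies to activity-log events and explains why both kinds of Classic Administrator event fall through it. The following is an added illustration, not Azure CLI's own code: a small model of that filter run over constructed sample events, showing which events become changelog entries and which are dropped. The event field names follow the PR text; the `Granted`/`Revoked` action labels, the scope derivation from `resource_id`, and the placeholder subscription and assignment ids are assumptions.

```python
# Added example (not Azure CLI's own code): model the activity-log filter that
# `az role assignment list-changelogs` applies, over constructed sample events,
# to show why Classic Administrator events never reach the command's output.

ROLE_ASSIGNMENT_PREFIX = "microsoft.authorization/roleassignments"
ROLE_ASSIGNMENT_SEGMENT = "/providers/microsoft.authorization/roleassignments/"

# Constructed sample data; the subscription and assignment ids are placeholders.
SUB = "/subscriptions/<subscription-id>"
SAMPLE_EVENTS = [
    {   # ARM role assignment created: this is what the command reports
        "operation_name": "Microsoft.Authorization/roleAssignments/write",
        "status": "Succeeded",
        "caller": "admin@example.com",
        "resource_id": SUB + "/providers/Microsoft.Authorization/roleAssignments/<assignment-id-1>",
        "event_timestamp": "2021-01-19T05:38:43+00:00",
    },
    {   # same operation that failed: excluded by the status check
        "operation_name": "Microsoft.Authorization/roleAssignments/write",
        "status": "Failed",
        "caller": "admin@example.com",
        "resource_id": SUB + "/providers/Microsoft.Authorization/roleAssignments/<assignment-id-2>",
        "event_timestamp": "2021-01-19T05:40:00+00:00",
    },
    {   # ARM role assignment deleted
        "operation_name": "Microsoft.Authorization/roleAssignments/delete",
        "status": "Succeeded",
        "caller": "admin@example.com",
        "resource_id": SUB + "/providers/Microsoft.Authorization/roleAssignments/<assignment-id-1>",
        "event_timestamp": "2021-01-19T06:00:00+00:00",
    },
    {   # Classic Administrator write, ARM event with http_request: excluded
        # because the operation name does not start with the roleAssignments prefix
        "operation_name": "Microsoft.Authorization/classicadministrators/write",
        "status": "Succeeded",
        "caller": "Subscription Admin",
        "resource_id": SUB + "/providers/Microsoft.Authorization/classicAdministrators/<netId>",
        "event_timestamp": "2021-01-19T07:10:56+00:00",
        "http_request": {"method": "PUT"},
    },
    {   # Classic Administrator "offline" event without http_request: also excluded
        "operation_name": "Microsoft.Authorization/classicAdministrators/write",
        "event_name": "Microsoft.Authorization/classicAdministrators/write",
        "status": "Succeeded",
        "caller": "Subscription Admin",
        "resource_id": SUB + "/providers/Microsoft.Authorization/classicAdministrators/<netId>",
        "event_timestamp": "2021-01-19T07:10:57+00:00",
    },
]


def is_role_assignment_event(event):
    """The filter quoted in the PR: succeeded roleAssignments operations only.
    (The CLI reads e.status.value on SDK objects; plain dicts are used here.)"""
    op = event.get("operation_name", "")
    return op.lower().startswith(ROLE_ASSIGNMENT_PREFIX) and event.get("status") == "Succeeded"


def scope_from_resource_id(resource_id):
    """Assumption: the assignment's scope is the resource id with the
    roleAssignments segment (and everything after it) stripped."""
    idx = resource_id.lower().find(ROLE_ASSIGNMENT_SEGMENT)
    return resource_id[:idx] if idx >= 0 else resource_id


def changelog_entry(event):
    """Normalize one accepted event into a changelog-style record.
    The action labels are assumed; role name and principal lookups, which the
    real command resolves through further API calls, are omitted."""
    op = event["operation_name"].lower()
    return {
        "action": "Granted" if op.endswith("/write") else "Revoked",
        "caller": event.get("caller"),
        "scope": scope_from_resource_id(event["resource_id"]),
        "timestamp": event["event_timestamp"],
    }


def build_changelog(events):
    """Return (entries, dropped): normalized entries for accepted events and a
    list of 'operation (status)' strings for the events the filter rejected."""
    entries, dropped = [], []
    for event in events:
        if is_role_assignment_event(event):
            entries.append(changelog_entry(event))
        else:
            dropped.append("%s (%s)" % (event.get("operation_name"), event.get("status")))
    return entries, dropped


if __name__ == "__main__":
    entries, dropped = build_changelog(SAMPLE_EVENTS)
    for entry in entries:
        print("kept:   ", entry)
    for reason in dropped:
        print("dropped:", reason)
```

Running it shows two kept entries (the succeeded write and delete) and three dropped events: the failed write, and both Classic Administrator events, which is the behaviour the PR relies on when it removes the Classic Administrator branch.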

@jiasli (Member, Author) commented Jan 19, 2021

To view an example of Classic Administrator event:

DELETE:

az role assignment list-changelogs --start-time 2021-01-19T09:45:00Z --end-time 2021-01-19T09:55:00Z

PUT:

az role assignment list-changelogs --start-time 2021-01-19T09:55:00Z --end-time 2021-01-19T10:05:00Z

@yonzhan (Collaborator) commented Jan 19, 2021

Role

@yonzhan yonzhan added this to the S182 milestone Jan 19, 2021
@jiasli jiasli merged commit 74ea23b into Azure:dev Jan 20, 2021
