{Service Fabric} Migrate servicefabric command module to Microsoft Graph
#28105
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
️✔️AzureCLI-FullTest
|
️✔️AzureCLI-BreakingChangeTest
|
Collaborator
|
AD |
microsoft-github-policy-service
bot
added
Service Fabric
jiasli
commented
Dec 28, 2023
Comment on lines
242
to
243
| Default permissions are created for the current user or service principal unless the `--no-self-perms` | ||
| or `--enable-rbac-authorization` flag is specified. |
Member
Author
There was a problem hiding this comment.
This changes the original cumbersome expression (#12074 (comment)).
jiasli
commented
Dec 28, 2023
| if not subscription: | ||
| return None | ||
|
|
||
| if subscription['user']: |
Member
Author
There was a problem hiding this comment.
It is not possible for a subscription to have no user field, as _USER_ENTITY(user) will always be set during creation:
azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Lines 408 to 415 in b00483c
jiasli
commented
Dec 28, 2023
Comment on lines
-342
to
-350
| if subscription['user']: | ||
| if subscription['user']['type'] == 'user': | ||
| return _get_object_id_by_upn(graph_client, subscription['user']['name']) | ||
| if subscription['user']['type'] == 'servicePrincipal': | ||
| return _get_object_id_by_spn(graph_client, subscription['user']['name']) | ||
| logger.warning("Unknown user type '%s'", subscription['user']['type']) | ||
| else: | ||
| logger.warning('Current credentials are not from a user or service principal. ' | ||
| 'Azure Key Vault does not work with certificate credentials.') |
Member
Author
There was a problem hiding this comment.
I guess certificate credential is a remnant of the very old implementation for RDFE.
jiasli
commented
Dec 28, 2023
| return _get_object_id_by_upn(graph_client, subscription['user']['name']) | ||
| if subscription['user']['type'] == 'servicePrincipal': | ||
| return _get_object_id_by_spn(graph_client, subscription['user']['name']) | ||
| logger.warning("Unknown user type '%s'", subscription['user']['type']) |
Member
Author
There was a problem hiding this comment.
user and servicePrincipal are the only possible values for user.type:
Unless the user deliberately corrupt azureProfile.json, this warning can never be hit.
jiasli
commented
Dec 29, 2023
Comment on lines
-319
to
-322
| if len(accounts) > 1: | ||
| logger.warning("Multiple service principals found with spn '%s'. " | ||
| "You can avoid this by specifying object id.", spn) | ||
| return None |
Member
Author
There was a problem hiding this comment.
It is not possible for multiple service principals to have the same spn, so this check will never be hit. azure.cli.command_modules.role.custom._resolve_object_id_and_type has such logic:
jiasli
commented
Dec 29, 2023
| accounts = list(graph_client.service_principal_list( | ||
| filter="servicePrincipalNames/any(c:c eq '{}')".format(spn))) | ||
| if not accounts: | ||
| logger.warning("Unable to find user with spn '%s'", spn) |
Member
Author
There was a problem hiding this comment.
spn stands for Service Principal Name. A user object never has spn property.
zhoxing-ms
modified the milestones:
February 2024 (2024-03-05),
March 2024 (2024-04-02)
|
If az-cli isn't being updated to remove EOL libraries, I guess it means that it is effectively unsupported. |
jiasli
commented
Sep 3, 2024
| from msrestazure.azure_exceptions import CloudError | ||
| try: | ||
| current_user = graph_client.signed_in_user.get() | ||
| if current_user and current_user.object_id: # pylint:disable=no-member |
Member
Author
There was a problem hiding this comment.
A user object can never have no object_id.
jiasli
commented
Sep 3, 2024
Comment on lines
541
to
545
| except CloudError: | ||
| pass |
Member
Author
There was a problem hiding this comment.
I guess this line tries to silence the exception. However, L125 relies on the exception. The code is buggy.
jiasli
commented
Sep 3, 2024
| return None | ||
|
|
||
|
|
||
| def _get_object_id(graph_client, spn=None, upn=None): |
Member
Author
There was a problem hiding this comment.
There is no need for _get_object_id to support subscription argument. _get_object_id_from_subscription can be directly called by get_current_identity_object_id.
# Before
keyvault/servicefabric/lab -> _get_object_id -> [subscription] _get_object_id_from_subscription
-> [spn] _get_object_id_by_spn
-> [upn] _get_object_id_by_upn
# After
keyvault -> get_object_id -> _get_object_id -> [spn] _get_object_id_by_spn
-> [upn] _get_object_id_by_upn
keyvault/servicefabric/lab -> get_current_identity_object_id -> [subscription] _get_object_id_from_subscription
jiasli
commented
Sep 3, 2024
Member
Author
There was a problem hiding this comment.
There is no test named test_node_type.
jiasli
commented
Sep 3, 2024
Member
Author
There was a problem hiding this comment.
test_add_secondary_node_type_add_remove_node was changed to live only by #25735.
evelyn-ys
previously approved these changes
Sep 4, 2024
jiasli
requested review from
bebound,
calvinhzy,
jsntcy and
yanzhudd
as code owners
evelyn-ys
previously approved these changes
Sep 5, 2024
mwesigwaguma
approved these changes
Sep 10, 2024
Member
Author
|
#29878 caused merge conflict on |
jiasli
force-pushed
the
module-graph
branch
from
bce9266 to
beaa4df
Compare
jiasli
changed the title
lab and servicefabric command modules to Microsoft Graphservicefabric command module to Microsoft Graph
evelyn-ys
approved these changes
Sep 11, 2024
bebound
approved these changes
Sep 11, 2024
jiasli
changed the title
servicefabric command module to Microsoft Graphservicefabric command module to Microsoft Graph
zhoxing-ms
reviewed
Sep 11, 2024
Comment on lines
+244
to
+245
Contributor
There was a problem hiding this comment.
Just a little question: could we just leave a blank line in the middle? Is there any reason for leaving two blank lines?
Member
Author
There was a problem hiding this comment.
Since > is used, 2 blank lines will be rendered as 1 blank line:
> az keyvault create -h
Command
az keyvault create : Create a Vault or HSM.
RBAC authorization is enabled by default. If `--enable-rbac-authorization` is manually
specified to `false` and `--no-self-perms` flag is not specified, default permissions are
created for the current user or service principal.
If you want to assign the default permission, you have to change the default subscription
with `az account set` first, instead of using `--subscription`.
If we only put 1 blank line here, these paragraphs will not be separated:
> az keyvault create -h
Command
az keyvault create : Create a Vault or HSM.
RBAC authorization is enabled by default. If `--enable-rbac-authorization` is manually
specified to `false` and `--no-self-perms` flag is not specified, default permissions are
created for the current user or service principal.
If you want to assign the default permission, you have to change the default subscription
with `az account set` first, instead of using `--subscription`.
zhoxing-ms
approved these changes
Sep 11, 2024
jsntcy
approved these changes
Sep 12, 2024
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related command
az sfDescription
servicefabriccommand module directly useazure-graphrbacSDK to call AD Graph.This PR migrates
servicefabriccommand module to call Microsoft Graph to address #22174.