Skip to content

Revert default role assignment for New-AzureRmADServicePrincipal #6272

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 29, 2018
Merged

Revert default role assignment for New-AzureRmADServicePrincipal #6272

merged 5 commits into from
May 29, 2018

Conversation

@cormacpayne
Copy link
Member

@cormacpayne cormacpayne commented May 22, 2018
edited
Loading

Description

  • Revert the change to New-AzureRmADServicePrincipal that gave "Contributor" permissions to the current subscription by default if Role and Scope parameters weren't provided. The behavior now goes back to before the 6.0.0 release where no permissions are assigned to the service principal if Role and Scope aren't provided, but use the values provided (or default values) if one (or both) of the parameters are provided.
  • Update the examples for New-AzureRmADServicePrincipal to reflect these changes, as well as update the descriptions for the cmdlet and the affected parameters

Checklist

@cormacpayne cormacpayne changed the title Update documentation and messages displayed for New-AzureRmADServicePrincipal Revert default role assignment for New-AzureRmADServicePrincipal May 23, 2018
@cormacpayne
Copy link
Member Author

cormacpayne commented May 23, 2018

On-demand: https://azuresdkci.westus2.cloudapp.azure.com/job/powershell-demand/869/
Sign job: https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/644/

darshanhs90
darshanhs90 reviewed May 23, 2018
View reviewed changes
src/ResourceManager/Resources/ChangeLog.md Outdated
* Revert change to `New-AzureRmADServicePrincipal` that gave service principals "Contributor" permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
- If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
- If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
- If a `Scope` is provided, but no `Contributor`, the service principal is created with `Contributor` permissions over the specified `Scope`
Copy link
Contributor

@darshanhs90 darshanhs90 May 23, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Contributor [](start = 40, length = 11)

role

@darshanhs90
Copy link
Contributor

darshanhs90 commented May 23, 2018 

            Role = "Contributor";

why are we defaulting to contributor role,when a role isnt provided?

Refers to: src/ResourceManager/Resources/Commands.Resources/ActiveDirectory/NewAzureADServicePrincipalCommand.cs:281 in 0acb1cf. [](commit_id = 0acb1cf, deletion_comment = False)

markcowl
markcowl reviewed May 23, 2018
View reviewed changes
Copy link
Member

@markcowl markcowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How easy would it be to add a test covering each of the two parameter sets? If possible we should add before checking in. Otherwise, we should verify each scenario manually and file an issue to record the new tests this sprint.

@markcowl
Copy link
Member

markcowl commented May 23, 2018

@darshanhs90 Because that is our best guess at what the user would want in this case - since no previous versions of the cmdlet have role or scope as a parameter, there is no chance of an existing script hitting unexpected behavior in this case, as they have to provide at least 'Scope'

twitchax
twitchax previously approved these changes May 23, 2018
View reviewed changes
Copy link
Contributor

@twitchax twitchax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Great work, @cormacpayne.

@twitchax
Copy link
Contributor

twitchax commented May 23, 2018

@darshanhs90, the new behavior is meant to match the Azure CLI behavior, so the default Role is Contributor, as it is in CLI.

@markcowl markcowl assigned cormacpayne and unassigned markcowl May 23, 2018
@cormacpayne
Copy link
Member Author

cormacpayne commented May 23, 2018

Sign job: https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/659/

@cormacpayne cormacpayne assigned markcowl and unassigned cormacpayne May 23, 2018
@cormacpayne
Copy link
Member Author

cormacpayne commented May 23, 2018

@darshanhs90 @markcowl comments addressed and tests added

@cormacpayne
Copy link
Member Author

cormacpayne commented May 24, 2018
edited
Loading

On-demand: https://azuresdkci.westus2.cloudapp.azure.com/job/powershell-demand/877/
Sign job: https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/663/

darshanhs90
darshanhs90 reviewed May 24, 2018
View reviewed changes
ChangeLog.md Outdated
* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
- If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
- If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
- If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope`
Copy link
Contributor

@darshanhs90 darshanhs90 May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Role?

Copy link
Member Author

@cormacpayne cormacpayne May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@darshanhs90 oops, thanks. Fixed this in all occurrences.

darshanhs90
darshanhs90 reviewed May 24, 2018
View reviewed changes
src/ResourceManager/Resources/ChangeLog.md Outdated
* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
- If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
- If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
- If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope`
Copy link
Contributor

@darshanhs90 darshanhs90 May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Role

darshanhs90
darshanhs90 reviewed May 24, 2018
View reviewed changes
tools/AzureRM/AzureRM.psd1 Outdated
* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
- If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
- If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
- If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope`
Copy link
Contributor

@darshanhs90 darshanhs90 May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Role

darshanhs90
darshanhs90 reviewed May 24, 2018
View reviewed changes
src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/ActiveDirectoryTests.ps1
#>
function Test-NewADServicePrincipalWithReaderRole
{
# Setup
Copy link
Contributor

@darshanhs90 darshanhs90 May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add another test where in we dont specify any role or scope and make sure that no roleassignment change happens before and after running the command

Copy link
Member Author

@cormacpayne cormacpayne May 24, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@darshanhs90 added a check in Test-NewADServicePrincipalWithoutApp that no role assignment was created for the new service principal

@cormacpayne
Copy link
Member Author

cormacpayne commented May 24, 2018

Sign job: https://azuresdkci.westus2.cloudapp.azure.com/job/ps-sign/668/

@cormacpayne cormacpayne changed the base branch from preview to release-6.1.1 May 25, 2018 22:41
@cormacpayne cormacpayne changed the base branch from release-6.1.1 to preview May 25, 2018 22:42
@cormacpayne cormacpayne changed the base branch from preview to release-6.1.1 May 25, 2018 22:43
@cormacpayne cormacpayne merged commit 33da488 into Azure:release-6.1.1 May 29, 2018
@cormacpayne cormacpayne deleted the update-new-sp branch January 16, 2019 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markcowl markcowl markcowl approved these changes

+2 more reviewers

@darshanhs90 darshanhs90 darshanhs90 left review comments

@twitchax twitchax twitchax approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@cormacpayne @darshanhs90 @markcowl @twitchax @azuresdkci @maddieclayton