[RBAC] az ad sp create-for-rbac: refine error message when user specify an invalid scope #13117
Conversation
…fy an invalid scope
|
az ad |
| @@ -495,6 +495,9 @@ def _build_role_scope(resource_group_name, scope, subscription_id): | |||
| if resource_group_name: | |||
| err = 'Resource group "{}" is redundant because scope is supplied' | |||
| raise CLIError(err.format(resource_group_name)) | |||
| from msrestazure.tools import is_valid_resource_id | |||
| if scope.startswith('/subscriptions/') and not is_valid_resource_id(scope): | |||
There was a problem hiding this comment.
Good question. If the user specify scope as /, CLI will try to create a role assignment under the global resource provider /providers/Microsoft.Authorization/roleAssignments/{uuid} instead of /subscriptions/{uuid}/providers/Microsoft.Authorization/roleAssignments/{uuid}. Normally server will return error which tells "does not have authorization to perform ... or scope is invalid".
I'm wondering whether there are already some users who take this benefit to create role assignments under global resource provider. So I think it's better to keep this and rely on the service side to do the validation.
Co-authored-by: Jiashuo Li <[email protected]>
| @@ -495,6 +495,9 @@ def _build_role_scope(resource_group_name, scope, subscription_id): | |||
| if resource_group_name: | |||
| err = 'Resource group "{}" is redundant because scope is supplied' | |||
| raise CLIError(err.format(resource_group_name)) | |||
| from azure.mgmt.core.tools import is_valid_resource_id | |||
| if scope.startswith('/subscriptions/') and not is_valid_resource_id(scope): | |||
There was a problem hiding this comment.
if scope.startswith('/subscriptions/') [](start = 8, length = 38)
why do you check scope.startswith('/subscriptions/') first, can the scope has other value?
There was a problem hiding this comment.
yes, in some cases, user only provide /provides/... as scope value.
Description
This PR is to fix #7441
Previously if user specify scope with an invalid resource id, CLI will prompt a strange error message just as described in the issue.
We add a check whether it is a valid resource id here.
The reason why I didn't combine it with
scope == ''is that I don't want to change previous check sequence.Testing Guide
az ad sp create-for-rbac --name myTestSP --role contributor --scopes /subscriptions/<subscription>/<resource_group>Prompt below error:
Invalid scope. Please use --help to view the valid format.
History Notes
[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change.
[Component Name 2] az command b: Add some customer-facing feature.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.