[AMS CLI] Added Azure Media Service CLI Module #6044
Conversation
|
View a preview at https://prompt.ws/r/Azure/azure-cli/6044 |
|
@tjprescott the pull request is ready for review |
|
Why is the SDK in azure/mediav3? |
|
@derekbekoe we included the media SDK because it's not available in https://github.com/Azure/azure-sdk-for-python yet since is still in preview. We autogenerated it from https://github.com/Azure/azure-rest-api-specs/tree/MediaServices-2018-03-30-preview/specification/mediaservices/resource-manager/Microsoft.Media/preview/2018-03-30-preview. |
There was a problem hiding this comment.
There are some coding issues I identified. Reach out to me if any don't make sense. Overall, looks good and the test coverage looks great. Would like @sptramer to review the help and @yugangw-msft to look over the SP create stuff.
| Release History | ||
| =============== | ||
|
|
||
| 0.0.1 |
There was a problem hiding this comment.
I believe this should be 0.1.0. @derekbekoe is that right? I realize we have done this differently in the past.
| class MediaServicesCommandsLoader(AzCommandsLoader): | ||
|
|
||
| def __init__(self, cli_ctx=None): | ||
| super(MediaServicesCommandsLoader, self).__init__(cli_ctx=cli_ctx) |
There was a problem hiding this comment.
You need to add the following kwarg:
super(MediaServicesCommandsLoader, self).__init__(cli_ctx=cli_ctx, min_profile='2017-03-10-profile')Otherwise the module will appear on the Azure stack profile and cause errors.
| client = GraphRbacManagementClient(cred, tenant_id, | ||
| base_url=cli_ctx.cloud.endpoints.active_directory_graph_resource_id) | ||
| configure_common_settings(cli_ctx, client) | ||
| return client |
There was a problem hiding this comment.
These are duplicated from the azure-cli-role module. What do you need these for? If other modules need them, we can consider moving them into the core.
There was a problem hiding this comment.
This is used by the service principals commands. We need those methods (_auth_client_factory, _graph_client_factory) to retrieve the clients to manage the service principals for media accounts (create applications, grant access permissions, create secrets, etc).
Moving those methods to the core might be a good option. Is this something that you would like us to do? In that case, which will be the best place to put them? azure.cli.core.commands.client_factory seems a good place.
There was a problem hiding this comment.
It would be nice to have them in the core for others to use. We really need to simplify the process of getting customer's their AAD application, Service Principals, and Keys for services that are moving their customers to AAD and off of ACS.
We are really complicating things when moving our customers off of simple Keys and trying to explain why they need an AAD AP, then a Service Principal, and then get a Key from that... very confusing stuff for our general customers who may not be core Azure devs.
There was a problem hiding this comment.
This is also related to #6044 (comment)
| helps['ams streaming policy show'] = """ | ||
| type: command | ||
| short-summary: Show the details of a streaming policy. | ||
| """ |
| parameters: | ||
| - name: --account-name | ||
| short-summary: The name of the Azure Media Services account within the resource group. | ||
| - name: --name |
There was a problem hiding this comment.
I don't think this will be applied if it is not listed as:
- name: --name -n
short-summary: blah blah
Is there a reason you have the parameter help in the help.py file for this one command?
There was a problem hiding this comment.
You're right, we will list the help as you specified. We specified the parameters just because the --years argument doesn't show a fallback help text, so we'll remove the rest ones.
| help='Enable Dash protocol.') | ||
| c.argument('hls', | ||
| arg_group='Encryption Protocols', | ||
| help='Enable Hls protocol.') |
| if not acc: | ||
| raise ValueError("Storage account named '{}' not found in the resource group '{}'.". | ||
| format(namespace.storage_account, namespace.resource_group_name)) | ||
| namespace.storage_account = acc.id # pylint: disable=no-member |
There was a problem hiding this comment.
See this logic for the recommended way of implementing "name or ID" behavior:
https://github.com/Azure/azure-cli/blob/dev/doc/authoring_command_modules/authoring_commands.md#supporting-name-or-id-parameters
If it is NOT a valid ID (which there is a standard call for) then build the ID (in this case, assuming regular storageAccount not classic storage). Always assume it exists and let ARM fail if it doesn't. Don't do a GET just to make sure the account exists. If it does exists, the check wasn't necessary and you made extra REST calls for no reason. If it doesn't exist, it will fail either way.
| operations_tmpl='azure.cli.command_modules.ams.operations.{}#'.format(custom_module) + '{}', | ||
| client_factory=client_factory, | ||
| exception_handler=build_exception_wrapper() | ||
| ) |
There was a problem hiding this comment.
The command registration seems much more verbose than I usually see, and I think the culprit may be this pattern. Did you emulate this pattern from an existing module?
There was a problem hiding this comment.
Yes, we emulate this pattern from the storage module:
Should we consider changing this implementation?
There was a problem hiding this comment.
You really should not follow storage. Nearly any other module would be much simpler. Please look at network and see if that pattern is simpler. It should be.
| @ResourceGroupPreparer() | ||
| @StorageAccountPreparer(parameter_name='storage_account_for_create') | ||
| def test_ams_create_show(self, resource_group, storage_account_for_create): | ||
| amsname = self.create_random_name(prefix='ams', length=12) |
There was a problem hiding this comment.
Unless the AMS account name needs to be globally unique (like KeyVaults or StorageAccounts) you can get away with a static name here.
There was a problem hiding this comment.
Given that unit tests run in parallel, using the same static account name for all tests leads to name collision. Media account names should be unique by location and all test accounts are created under the same location. We could use different static account names for each test, but we believe that generating names randomly minimizes the chance of potential collisions.
There was a problem hiding this comment.
Fair enough. Most resources only need to be unique within the RG.
| # -------------------------------------------------------------------------------------------- | ||
|
|
||
|
|
||
| def build_exception_wrapper(message=None): |
There was a problem hiding this comment.
When I look at where this is used in commands.py, it doesn't look like there's any need for this to be a factory. You can simply remove this and pass "build_exception" directly
exception_handler=build_exception
I would also rename build_exception to something more descriptive like ams_exception_handler.
There was a problem hiding this comment.
Good catch, we'll clean and rename this exception handler.
|
@yugangw-msft would you please take a quick look at their |
Guess it mostly copied and pasted the code from the azure-cli-role module. Any reason we can't point users to use the generic SP commands instead of mostly duplicating the same command here? The concerns is the SDK library of |
lucasmarambio
force-pushed
the
add/ams-module
branch
from
6e0ce04 to
0054220
Compare
lucasmarambio
force-pushed
the
add/ams-module
branch
from
0054220 to
d8d46bc
Compare
|
Thanks for the feedback @yugangw-msft. Adding @johndeu to help deciding the best approach. Perhaps the alternatives are:
|
|
Can you demonstrate the number of CLI commands required to do the equivalent amount of work with both workflows? I believe we were wrapping several steps into one in our command and returning the content in a format that was easier for our customers to consume. I'm trying to keep the AAD portion of our CLI as simple as possible, since we are targeting a slightly different audience than typical core Azure with some of our customer base. We will get a lot of customers that are Media focused, and just want to get a darn Key to connect to the API as easy as we can make it without learning about what AAD applications and a Service Principal really are. |
|
We just had an offline conversation with @johndeu to review the options regarding the SP command in the AMS module and agreed that it would be important to keep the current implementation as-is for the first release. For media focused customers this SP command is not just an easy way to create service principals and assign roles, but also to consolidate all the necessary information to connect to an AMS account (which is provided in the form of JSON/XML format in the command output). @yugangw-msft @tjprescott could we add an exception and proceed with the current approach for the first release of the module? |
lucasmarambio
force-pushed
the
add/ams-module
branch
from
1ef77bd to
ad4d8a7
Compare
I understand your situation. Could you please share with me the commands to accomplish the end to end flow? If you can do all to avoid people ever getting to the generic RBAC commands, then it is your call. But by looking at the command signatures you provided, I don't see it is complete at a basic level. Say, I don't see SP list/show/delete command, so wonder a bit for how you can help people find the SP they are interested? Also for generic RBAC commands, we will keep on improving it, particularly for "my sp" support, so you don't need to wait for 20 minutes to list 1000000+ ones your org has, and also we will make it work with MS-Graph someday. With your cloned effort, your service will be left out. If you still decide to proceed, please write an end to end test so to avoid the breaking when CLI upgrades the SDK dependencies |
@damatojuan, please create a wheel and check-in the binary to the |
|
@yugangw-msft find some answers below:
With this command users create a media account:
With this command users create a service principal with {role} access to the media account:
The output of this command provides all the information required to connect to the media account using Azure AD authentication:
We only intended to provide a way to easily create and associate a SP with a media account, that's why only the
We are currently providing tests for each command which should fail if there is any breaking change in the SDK dependencies. |
@yugangw-msft the current version of the AMS SDK is still in preview, and some tweaks were required in the generated SDK files that need to be tracked here for the moment. Once AMS is released as part of the Azure Python SDK, we'll remove the generated SDK files from the repo. |
|
@lucasmarambio I understand it is under preview. My point was, since we are not reviewing generated code, I suggest you check in the wheel (if you have Python SDK PR submitted, it should expose the link to the wheel you can download or you can build out on your own). This has the benefit that you can get CI green on you PR, also your setup file can stay unchanged; and all you need to do in future is to remove the |
Looping @tjprescott as we agreed with him to place the generated SDK files in this PR. @tjprescott could you help us with this? I am not quite familiar with Python wheels so maybe I'm missing something here. The main concern I see is that we made changes to the generated SDK files for the AMS CLI to work properly while in preview, so we need to track those changes here for everything to be on sync. |
lucasmarambio
force-pushed
the
add/ams-module
branch
from
e1dd406 to
fc78003
Compare
|
To generate a wheel, you just run one command under the SDK folder with the setup.py: |
lucasmarambio
force-pushed
the
add/ams-module
branch
from
f7ad180 to
418e1ea
Compare
- Add MediaServicesCommandLoader - Remove unnecesary parameters help commands - Don't use tuple syntax - Register account_name in ams scope - Remove 'within the resource group' - Set account_name help text generic - Apply account_name_arg_type - Typo: built-in - Remove Customer-supplied - Remove exception factory
- Rename `storage_account_id` to `validate_storage_account_id` - Assume storage account id exists to build the storage_account_id. - Set flag for `ams job cancel` - Set flags for protocols in `ams streaming policy` - Support multiple permissions for `ams asset get-sas-urls`
…y_name` - Add more datetime validation
lucasmarambio
force-pushed
the
add/ams-module
branch
from
89af7d0 to
c777453
Compare
First version of Azure Media Services CLI Module. This version supports the following commands:
Account commands
az ams account createaz ams account updateaz ams account showaz ams account listaz ams account deleteaz ams account storage addaz ams account storage removeaz ams account sp createaz ams account sp reset-credentialsTransform commands
az ams transform createaz ams transform showaz ams transform listaz ams transform deleteaz ams transform updateaz ams transform output addaz ams transform output removeAsset commands
az ams asset createaz ams asset updateaz ams asset showaz ams asset listaz ams asset deleteaz ams asset get-sas-urlsJob commands
az ams job startaz ams job showaz ams job listaz ams job cancelaz ams job deleteStreaming commands
az ams streaming locator createaz ams streaming locator showaz ams streaming locator listaz ams streaming locator get-pathsaz ams streaming locator deleteaz ams streaming policy createaz ams streaming policy showaz ams streaming policy listaz ams streaming policy delete