[Key Vault] Add support for custom role definitions #16063
Conversation
mccoyp
added
KeyVault
Client
...yvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py
Outdated
Show resolved
Hide resolved
...yvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py
Outdated
Show resolved
Hide resolved
sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py
Outdated
Show resolved
Hide resolved
mccoyp
force-pushed
the
feature/roledefinition
branch
from
927eb2a to
6863c81
Compare
mccoyp
force-pushed
the
feature/roledefinition
branch
from
6863c81 to
8b3acbd
Compare
sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py
Outdated
Show resolved
Hide resolved
...lt/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py
Outdated
Show resolved
Hide resolved
sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py
Outdated
Show resolved
Hide resolved
sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py
Outdated
Show resolved
Hide resolved
mccoyp
force-pushed
the
feature/roledefinition
branch
from
6605d77 to
386da11
Compare
mccoyp
force-pushed
the
feature/roledefinition
branch
from
386da11 to
00481f3
Compare
| keys_value = "/keys" #: use this if you want role assignments to apply to all keys | ||
|
|
||
|
|
||
| class DataActionPermission(str, Enum): |
There was a problem hiding this comment.
I expect we'll want a "KeyVault" prefix because the values apply only to Key Vault, and other services will have their own actions. Also, are these values better characterized as operations or actions than permissions?
There was a problem hiding this comment.
/cc @christothes that's a good idea for all languages as well.
There was a problem hiding this comment.
Hm... since these would be used to populate a KeyVaultPermission object and they do describe actions, I agree that something like KeyVaultDataAction might make more sense.
sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py
Outdated
Show resolved
Hide resolved
sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py
Show resolved
Hide resolved
| class KeyVaultRoleScope(str, Enum): | ||
| """Collection of well known role scopes. This list is not exhaustive""" | ||
|
|
||
| global_value = "/" #: use this if you want role assignments to apply to everything on the resource |
There was a problem hiding this comment.
Is the "_value" suffix common in Python? In .NET we just use "Global" and "Keys". If so, cool.
There was a problem hiding this comment.
"global" is a keyword. I forget how we ended up with _value here; looking at it again I like "global_scope" and "keys". Another option I kind of like is CAPS which I think other libraries have used (sadly other Key Vault libraries use lowercase). What do you think @mccoyp?
There was a problem hiding this comment.
If we decide to go with a _scope suffix, I'd suggest we do it for both.
There was a problem hiding this comment.
Thinking about how a user would use the enum and because "Scope" is already in the class name, I think "global" and "keys" would make sense, without a suffix. I also wondered about whether these should be in caps -- I kept them in snake case for consistency with other libraries, but I was under the impression that enum values should be in caps
There was a problem hiding this comment.
I'm happy with caps; consistency is less important to me than making the better choice here.
| keys_value = "/keys" #: use this if you want role assignments to apply to all keys | ||
|
|
||
|
|
||
| class DataActionPermission(str, Enum): |
There was a problem hiding this comment.
/cc @christothes that's a good idea for all languages as well.
| """Supported permissions for data actions. | ||
| """ | ||
|
|
||
| #: Read HSM key metadata. |
There was a problem hiding this comment.
Make sure these names align with what @christothes defined in the swagger PR (not merged just yet but should be soon).
| KEYS = "/keys" #: use this if you want role assignments to apply to all keys | ||
|
|
||
|
|
||
| class KeyVaultDataAction(str, Enum): |
There was a problem hiding this comment.
How do we feel with this enum name?
| :param role_scope: scope of the role definition. :class:`KeyVaultRoleScope` defines common broad scopes. | ||
| Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.global_value. | ||
| :type role_scope: str or KeyVaultRoleScope | ||
| :param role_definition_name: the role definition's name. Must be a UUID. |
There was a problem hiding this comment.
| :param role_definition_name: the role definition's name. Must be a UUID. | |
| :param role_definition_name: the role definition's name. |
Thinking the form of the name isn't interesting because this role definition already exists and so must have a compliant name.
Resolves #14938.
This adds
set_role_definition,get_role_definition, anddelete_role_definitionmethods to Administration'sKeyVaultAccessControlClient.set_role_definitionmakespermissionsa required parameter in an attempt to make it more clear that a definition without defined permissions is undesirable.