[KeyVault] Add new parameter --enable-rbac-authorization during creating or updating
#12074
Conversation
bim-msft
requested review from
fengzhou-msft,
haroldrandom,
jiasli,
Juliehzl and
qianwens
as code owners
| AZURE_DF_CLOUD = Cloud( | ||
| 'AzureDFCloud', | ||
| endpoints=CloudEndpoints( | ||
| management='https://management-preview.core.windows-int.net/', | ||
| resource_manager='https://api-dogfood.resources.windows-int.net/', | ||
| gallery='https://df.gallery.azure-test.net/', | ||
| active_directory='https://login.windows-ppe.net', | ||
| active_directory_graph_resource_id='https://graph.ppe.windows.net/', | ||
| active_directory_resource_id='https://management.core.windows.net/', | ||
| microsoft_graph_resource_id='https://graph.ppe.windows.net/'), | ||
| suffixes=CloudSuffixes( | ||
| keyvault_dns='.vault-int.azure-int.net')) |
There was a problem hiding this comment.
I prefer not to hard-code our testing environment in the public CLI code. We can register a new cloud instead.
There was a problem hiding this comment.
I prefer not to hard-code our testing environment in the public CLI code. We can register a new cloud instead.
Good idea, I'll deprecate this part.
| @@ -453,6 +460,10 @@ def set_policy(cmd, client, resource_group_name, vault_name, | |||
| object_id = _object_id_args_helper(cmd.cli_ctx, object_id, spn, upn) | |||
| vault = client.get(resource_group_name=resource_group_name, | |||
| vault_name=vault_name) | |||
|
|
|||
| if vault.properties.enable_rbac_authorization: | |||
| raise CLIError('Cannot set policies to a vault with `--enable-rbac-authorization` specified') | |||
There was a problem hiding this comment.
The keyvault may be created via Azure Portal, so customer may not used --enable-rbac-authorization to enable RBAC authorization. So how about using
Cannot set policies for a vault with RBAC authorization enabled
There was a problem hiding this comment.
The keyvault may be created via Azure Portal, so customer may not used
--enable-rbac-authorizationto enable RBAC authorization. So how about usingCannot set policies for a vault with RBAC authorization enabled
Agree, this is more reasonable, will refine it.
| @@ -453,6 +460,10 @@ def set_policy(cmd, client, resource_group_name, vault_name, | |||
| object_id = _object_id_args_helper(cmd.cli_ctx, object_id, spn, upn) | |||
| vault = client.get(resource_group_name=resource_group_name, | |||
| vault_name=vault_name) | |||
|
|
|||
| if vault.properties.enable_rbac_authorization: | |||
| raise CLIError('Cannot set policies to a vault with `--enable-rbac-authorization` specified') | |||
There was a problem hiding this comment.
In error message we usually use single quote '. Grave accent ` is only for markdown.
There was a problem hiding this comment.
In error message we usually use single quote
'. Grave accent`is only for markdown.
Good point, will refine this.
|
add to S169 |
| @@ -113,7 +113,7 @@ | |||
| helps['keyvault create'] = """ | |||
| type: command | |||
| short-summary: Create a key vault. | |||
| long-summary: Default permissions are created for the current user or service principal unless the `--no-self-perms` flag is specified. | |||
| long-summary: If `--enable-rbac-authorization` is not specified, then default permissions are created for the current user or service principal unless the `--no-self-perms` flag is specified. | |||
There was a problem hiding this comment.
Long summary is not shown in CLI reference. May you can move it to short summary.
There was a problem hiding this comment.
Long summary is not shown in CLI reference. May you can move it to short summary.
@qwordy Good point, but I think it's ok to keep it as long summary, for the docs display issue, we'd better push docs team to display our long summaries as well. Now at least we can see the long summary using -h.
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
| @@ -113,7 +113,7 @@ | |||
| helps['keyvault create'] = """ | |||
| type: command | |||
| short-summary: Create a key vault. | |||
| long-summary: Default permissions are created for the current user or service principal unless the `--no-self-perms` flag is specified. | |||
| long-summary: If `--enable-rbac-authorization` is not specified, then default permissions are created for the current user or service principal unless the `--no-self-perms` flag is specified. | |||
There was a problem hiding this comment.
This statement is cumbersome.
| long-summary: If `--enable-rbac-authorization` is not specified, then default permissions are created for the current user or service principal unless the `--no-self-perms` flag is specified. | |
| long-summary: Default permissions are created for the current user or service principal unless the `--no-self-perms` or `--enable-rbac-authorization` flag is specified. |
Support for #11268
How to test:
az keyvault create -n {} -g {} --enable-rbac-authorizationproperties.enableRbacAuthorizationThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.