Related to #17669
`--assignee-principal-type` is not honored if the AD Graph query for `--assignee-object-id` succeeds.
Notice `--assignee-principal-type User` is provided in the command but `"principalType": "Group"` is used to create the role assignment:
```console
> az role assignment create --role reader --assignee-object-id 93b331d4-7f18-467e-baab-9aa6475c52eb --assignee-principal-type User --debug
msrest.http_logger: Request URL: 'https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/getObjectsByObjectIds?api-version=1.6'
msrest.http_logger: Request method: 'POST'
msrest.http_logger: Request body:
msrest.http_logger: {"objectIds": ["93b331d4-7f18-467e-baab-9aa6475c52eb"], "includeDirectoryObjectReferences": true}
msrest.http_logger: Response content:
msrest.http_logger: ... "objectType":"Group","objectId":"93b331d4-7f18-467e-baab-9aa6475c52eb"
msrest.http_logger: Request URL: 'https://management.azure.com/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleAssignments/9201cf34-be43-4d83-9df9-8280e7020cb9?api-version=2020-04-01-preview'
msrest.http_logger: Request method: 'PUT'
msrest.http_logger: Request body:
msrest.http_logger: ... "principalType": "Group"
msrest.http_logger: Response content:
msrest.http_logger: ... "principalType":"Group"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleAssignments/7e3a1559-1b98-4c27-a69f-b213265aa060",
  "name": "7e3a1559-1b98-4c27-a69f-b213265aa060",
  "principalId": "93b331d4-7f18-467e-baab-9aa6475c52eb",
  "principalType": "Group",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "type": "Microsoft.Authorization/roleAssignments"
}
```
This is because `objectType` returned by AD Graph takes higher precedence (azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py, lines 1791 to 1805 in df737ed):

```python
    # try to resolve assignee object id
    try:
        result = _get_object_stubs(client, [assignee_object_id])
        if result:
            return result[0].object_id, result[0].object_type
    except CloudError:
        pass

    # If failed to verify assignee object id, DO NOT raise exception
    # since --assignee-object-id is exposed to bypass Graph API
    if not assignee_principal_type:
        logger.warning('Failed to query --assignee-principal-type for %s by invoking Graph API.\n'
                       'RBAC server might reject creating role assignment without --assignee-principal-type '
                       'in the future. Better to specify --assignee-principal-type manually.', assignee_object_id)
    return assignee_object_id, assignee_principal_type
```
This has 1 benefit:

- If the user provides an incorrect `--assignee-principal-type`, CLI can automatically rectify it.

Meanwhile, this causes 2 problems:

- If `--assignee-principal-type` is already provided, it should be honored, and there is no need to query AD Graph.
- If AD Graph returns an incorrect `objectType` (returning `Group` in lieu of `ForeignGroup`), it is not possible to override it with `--assignee-principal-type`.
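The precedence problem described in this issue, reduced to a runnable example. This is added illustration, not azure-cli code: `graph_lookup` is a hypothetical stand-in for `_get_object_stubs(client, [...])`, `GraphLookupError` stands in for `CloudError`, and `FAKE_DIRECTORY` is a constructed snapshot of what AD Graph would report (the `Group` entry reuses the object id from the debug output above; the other id and the `"unreachable"` sentinel are made up). `resolve_current` mirrors the current ordering, where a successful Graph query silently replaces the flag; `resolve_proposed` implements the ordering the issue asks for, where an explicit `--assignee-principal-type` is honored and Graph is consulted only to fill in a missing type.

```python
import logging

logger = logging.getLogger(__name__)


class GraphLookupError(Exception):
    """Stand-in for the CloudError raised when the AD Graph query fails (assumption)."""


# Constructed directory snapshot standing in for AD Graph responses; not real data.
FAKE_DIRECTORY = {
    # Graph reports "Group" here; the operator knows it is really a ForeignGroup.
    "93b331d4-7f18-467e-baab-9aa6475c52eb": "Group",
    # Made-up id for a plain user object.
    "00000000-0000-0000-0000-000000000001": "User",
}


def graph_lookup(object_id):
    """Hypothetical stand-in for _get_object_stubs(client, [object_id]).

    Returns the objectType Graph reports (None if the id is unknown) or raises
    GraphLookupError when the query itself fails, e.g. missing Graph permission.
    """
    if object_id == "unreachable":  # constructed sentinel for a failing query
        raise GraphLookupError("Graph API query failed")
    return FAKE_DIRECTORY.get(object_id)


def resolve_current(assignee_object_id, assignee_principal_type, lookup=graph_lookup):
    """Current ordering: a successful Graph query always wins, so an explicit
    --assignee-principal-type is overwritten whenever Graph answers."""
    try:
        object_type = lookup(assignee_object_id)
        if object_type:
            return assignee_object_id, object_type
    except GraphLookupError:
        pass  # --assignee-object-id exists to bypass Graph, so a failure is not fatal
    if not assignee_principal_type:
        logger.warning("Failed to query --assignee-principal-type for %s by invoking Graph API.",
                       assignee_object_id)
    return assignee_object_id, assignee_principal_type


def resolve_proposed(assignee_object_id, assignee_principal_type, lookup=graph_lookup):
    """Proposed ordering: an explicit --assignee-principal-type is honored as-is
    and Graph is not queried at all; Graph only fills in a missing type, and a
    Graph failure still does not raise."""
    if assignee_principal_type:
        return assignee_object_id, assignee_principal_type
    try:
        object_type = lookup(assignee_object_id)
        if object_type:
            return assignee_object_id, object_type
    except GraphLookupError:
        pass
    logger.warning("Failed to query --assignee-principal-type for %s by invoking Graph API. "
                   "Specify --assignee-principal-type manually.", assignee_object_id)
    return assignee_object_id, None


if __name__ == "__main__":
    oid = "93b331d4-7f18-467e-baab-9aa6475c52eb"
    print("current, flag=ForeignGroup :", resolve_current(oid, "ForeignGroup"))   # Graph's Group wins
    print("proposed, flag=ForeignGroup:", resolve_proposed(oid, "ForeignGroup"))  # flag honored
    print("proposed, no flag          :", resolve_proposed(oid, None))            # falls back to Graph
    print("proposed, Graph failing    :", resolve_proposed("unreachable", None))  # warns, returns None type
```

The second problem from the issue is the `ForeignGroup` case: with `resolve_current` there is no input that yields `ForeignGroup` once Graph answers `Group`, while `resolve_proposed` passes the operator's value straight through to the `principalType` sent in the PUT. The trade-off is the lost auto-correction; a middle ground would be to still query Graph when a type is supplied and only warn on a mismatch rather than overwrite, which keeps the explicit value authoritative.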