Use roleName filter to limit the results returned by az role definition list --name #30579

Closed
kewalaka opened this issue Dec 26, 2024 · 6 comments · Fixed by #30587

Related command

Any role definition list operation that filters by name, e.g.:

az role definition list --name "Contributor"

Is your feature request related to a problem? Please describe.

The call to the resource manager API fetches all the IDs:

GET https://management.azure.com/subscriptions/<id>/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview HTTP/1.1

Whilst this works, it seems unnecessarily costly given a specific name has been supplied.

Describe the solution you'd like

Consider specifying the role name if supplied, using the target query parameter:

GET https://management.azure.com/subscriptions/<id>/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview&$filter=roleName%20eq%20'Contributor' HTTP/1.1

Describe alternatives you've considered
n/a

Additional context
https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list?view=rest-authorization-2022-04-01&tabs=HTTP#uri-parameters

Collaborator

yonzhan commented Dec 26, 2024

Thank you for opening this issue, we will look into it.

yonzhan added this to the Backlog milestone Dec 26, 2024
Author

kewalaka commented Dec 26, 2024

I guess downloading it once for all the role types might be more efficient if you take into account caching. Was just a curiosity I spotted when doing some testing.

Member

jiasli commented Dec 27, 2024

@kewalaka, you have sharp eyes!

The role definition filtering is indeed performed on the client side:

```python
def _search_role_definitions(cli_ctx, definitions_client, name, scopes, custom_role_only=False):
    for scope in scopes:
        roles = list(definitions_client.list(scope))
        worker = MultiAPIAdaptor(cli_ctx)
        if name:
            roles = [r for r in roles if r.name == name or worker.get_role_property(r, 'role_name') == name]
        if custom_role_only:
            roles = [r for r in roles if worker.get_role_property(r, 'role_type') == 'CustomRole']
        if roles:
            return roles
    return []
```

This is because, according to L145, --name matches both name and roleName. For example, you may retrieve Reader role definition with either command:

az role definition list --name Reader
az role definition list --name acdd72a7-3385-48ef-bd42-f606fba81ae7

And the result is the same:

[
  {
    "assignableScopes": [
      "/"
    ],
    "createdBy": null,
    "createdOn": "2015-02-02T21:55:09.880642+00:00",
    "description": "View all resources, but does not allow you to make any changes.",
    "id": "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "condition": null,
        "conditionVersion": null,
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Reader",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions",
    "updatedBy": null,
    "updatedOn": "2021-11-11T20:13:47.862868+00:00"
  }
]

But I think you made a very good point. We may consider adding --role-name for a more efficient search.

Member

jiasli commented Dec 27, 2024

> I guess downloading it once for all the role types might be more efficient if you take into account caching. Was just a curiosity I spotted when doing some testing.

Most Azure CLI commands by far have no caching mechanism, as it is impossible to know when the data returned by the ARM service expires.

Take https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list?view=rest-authorization-2022-04-01&tabs=HTTP as an example, if a new role is created, CLI will not know that. Querying ARM service again will defeat the purpose of caching.

Author

kewalaka commented Dec 27, 2024

> Most Azure CLI commands by far have no caching mechanism, as it is impossible to know when the data returned by the ARM service expires.
>
> Take https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list?view=rest-authorization-2022-04-01&tabs=HTTP as an example, if a new role is created, CLI will not know that. Querying ARM service again will defeat the purpose of caching.

Good point! I was thinking in the context of built in roles but of course that is too limiting.

Member

jiasli commented Dec 27, 2024

I did a quick test in #30587 and the number of returned role definitions reduced from 727 to 1, making az role definition list much faster.

However, roleName eq '{role_name}' filter is not documented in any official documents:

Azure CLI has been using roleName as a filter since 2016 (#508):

role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))

I'll internally discuss with RBAC team on this.
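
The trade-off discussed in this thread, as an added example that is not part of the original issue and is not Azure CLI's own code: a `roleName` filter can be sent to the service only when the `--name` value cannot be a definition GUID, otherwise the lookup by `name` would be lost. `SAMPLE_ROLES`, `fake_arm_list`, `search` and the other helper names are hypothetical, the two placeholder GUIDs are constructed, and doubling embedded single quotes assumes the service follows the standard OData string-literal rule.

```python
import re
import uuid
from urllib.parse import quote

API_VERSION = "2022-05-01-preview"  # version used in the requests quoted in the issue

# Constructed sample data standing in for the service's role definitions.
# Only the Reader GUID comes from the thread; the other two are placeholders.
SAMPLE_ROLES = [
    {"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7", "roleName": "Reader"},
    {"name": "00000000-0000-0000-0000-000000000001", "roleName": "Contributor"},
    {"name": "00000000-0000-0000-0000-000000000002", "roleName": "Ops' Custom Role"},
]

def is_guid(value):
    """True only for the canonical hyphenated GUID form used as a definition's name."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def role_name_filter(role_name):
    """Exact-match filter; embedded single quotes are doubled (assumed OData rule)."""
    return "roleName eq '{}'".format(role_name.replace("'", "''"))

def list_url(subscription_id, name=None):
    """Request URL: add $filter only when name cannot be a definition GUID."""
    url = ("https://management.azure.com/subscriptions/{}/providers/"
           "Microsoft.Authorization/roleDefinitions?api-version={}").format(subscription_id, API_VERSION)
    if name and not is_guid(name):
        url += "&$filter=" + quote(role_name_filter(name), safe="'")
    return url

def fake_arm_list(odata_filter=None):
    """Hypothetical stand-in for the service; understands only roleName eq '...'."""
    if odata_filter is None:
        return list(SAMPLE_ROLES)
    wanted = re.fullmatch(r"roleName eq '((?:[^']|'')*)'", odata_filter).group(1)
    return [r for r in SAMPLE_ROLES if r["roleName"] == wanted.replace("''", "'")]

def search(name):
    """Keep --name semantics (GUID name or roleName) and report how many rows were fetched."""
    roles = fake_arm_list(None if is_guid(name) else role_name_filter(name))
    matched = [r for r in roles if name in (r["name"], r["roleName"])]
    return matched, len(roles)
```

`search` returns the matching definitions together with the number of definitions the stand-in service returned, so the filtered and unfiltered paths can be compared directly.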

@jiasli jiasli changed the title use "filter" to limit the results returned by az role definition --name use "filter" to limit the results returned by az role definition list --name Dec 27, 2024
@jiasli jiasli changed the title use "filter" to limit the results returned by az role definition list --name Use roleName filter to limit the results returned by az role definition list --name Jan 13, 2025