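def list_role_assignments(cmd, assignee_object_id, scope=None):
    '''
    List the role assignments held by a principal, annotated with role and principal names.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the authorization
        and graph clients and to resolve the current subscription.
    :param assignee_object_id: object id of the principal whose assignments are searched.
    :param scope: scope under which role definitions are listed for name resolution;
        defaults to the current subscription ('/subscriptions/<id>').
    :return: list of assignment dicts (as produced by ``todict``), each carrying a
        ``roleDefinitionName`` when the role definition still exists and a
        ``principalName`` when the principal could be resolved; ``[]`` when none found.
    '''
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # Decorate role and principal ids with display names to keep the output readable.
    # Either may have been deleted since the assignment was created; such entries are
    # left untouched rather than failing the whole listing.
    if not scope:
        scope = '/subscriptions/' + get_subscription_id(cmd.cli_ctx)
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=scope)}
    for entry in results:
        role_name = role_names.get(entry['roleDefinitionId'])
        if role_name:
            entry['roleDefinitionName'] = role_name

    principal_ids = {entry['principalId'] for entry in results if entry['principalId']}
    if principal_ids:
        try:
            principals = _get_object_stubs(graph_client, principal_ids)
            principal_names = {p.object_id: _get_displayable_name(p) for p in principals}
            for entry in results:
                if entry.get('principalName'):
                    continue
                entry['principalName'] = principal_names.get(entry['principalId']) or ''
        except (HttpResponseError, GraphErrorException) as ex:
            # Name resolution needs Graph read permission the caller may lack; the
            # assignment data is still valid, so log at info and return it unnamed.
            logger.info("Failed to resolve graph object information per error '%s'", ex)

    return results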
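def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    '''
    Create a role assignment granting *role* to *assignee_object_id* at *scope*.

    :param cli_ctx: CLI context used to build the authorization clients.
    :param role: role name or role definition id; resolved via ``_resolve_role_id``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: scope the assignment applies to; when empty, the current
        subscription ('/subscriptions/<id>') is used.
    :return: the created role assignment as returned by the SDK.
    '''
    factory = _auth_client_factory(cli_ctx, scope)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    # Fall back to subscription scope only when the caller gave none: unconditionally
    # replacing the requested scope would grant the role more broadly than asked for.
    if not scope:
        scope = '/subscriptions/' + assignments_client.config.subscription_id

    role_id = _resolve_role_id(role, scope, definitions_client)

    from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
    parameters = RoleAssignmentCreateParameters(role_definition_id=role_id,
                                                principal_id=assignee_object_id)

    # Assignment names are GUIDs; a fresh one is generated per call.
    return assignments_client.create(scope=scope,
                                     role_assignment_name=_gen_guid(),
                                     parameters=parameters)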
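def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    '''
    Create a role assignment for *assignee_object_id* with *role* at *scope*.

    :param cli_ctx: CLI context used to build the authorization clients.
    :param role: role name or role definition id, resolved via ``_resolve_role_id``.
    :param assignee_object_id: object id of the principal that receives the role.
    :param scope: scope the assignment is created at; an empty value means the
        current subscription ('/subscriptions/<id>').
    :return: the created role assignment as returned by the SDK.
    '''
    auth = _auth_client_factory(cli_ctx, scope)
    assignments_client = auth.role_assignments
    definitions_client = auth.role_definitions

    # Honor the requested scope; previously it was overwritten with the subscription
    # scope, so narrower requests silently became subscription-wide grants.
    if not scope:
        scope = '/subscriptions/' + assignments_client.config.subscription_id

    role_id = _resolve_role_id(role, scope, definitions_client)

    from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
    parameters = RoleAssignmentCreateParameters(
        role_definition_id=role_id, principal_id=assignee_object_id)

    # The assignment name is a freshly generated GUID.
    return assignments_client.create(scope=scope,
                                     role_assignment_name=_gen_guid(),
                                     parameters=parameters)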
def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    '''
    Create a role assignment for *assignee_object_id* with *role* at *scope*.

    :param cli_ctx: CLI context used to build the authorization clients and to pick
        the SDK model class matching the configured API profile.
    :param role: role name or role definition id, resolved via ``_resolve_role_id``.
    :param assignee_object_id: object id of the principal that receives the role.
    :param scope: scope the assignment is created at; passed through unchanged.
    :return: the created role assignment as returned by the SDK.
    '''
    from azure.cli.core.profiles import ResourceType, get_sdk

    auth = _auth_client_factory(cli_ctx, scope)
    role_id = _resolve_role_id(role, scope, auth.role_definitions)

    # The model class is resolved through the profile so the shape for the
    # configured API version is used instead of a fixed import.
    create_params_cls = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                                'RoleAssignmentCreateParameters', mod='models',
                                operation_group='role_assignments')
    create_params = create_params_cls(role_definition_id=role_id,
                                      principal_id=assignee_object_id)

    # Each assignment gets a freshly generated GUID as its name.
    return auth.role_assignments.create(scope=scope,
                                        role_assignment_name=_gen_guid(),
                                        parameters=create_params)
def _create_role_assignment(cli_ctx, role, assignee_object_id, scope):
    '''
    Grant *role* to the principal *assignee_object_id* at *scope*.

    :param cli_ctx: CLI context; used for the authorization clients and for the
        profile-aware SDK model lookup.
    :param role: role name or role definition id, resolved via ``_resolve_role_id``.
    :param assignee_object_id: object id of the principal receiving the role.
    :param scope: scope of the new assignment; used as given.
    :return: the created role assignment as returned by the SDK.
    '''
    from azure.cli.core.profiles import ResourceType, get_sdk

    clients = _auth_client_factory(cli_ctx, scope)
    definition_id = _resolve_role_id(role, scope, clients.role_definitions)

    # Look the model class up via the profile so it matches the API version in use.
    params_type = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                          'RoleAssignmentCreateParameters', mod='models',
                          operation_group='role_assignments')
    body = params_type(role_definition_id=definition_id, principal_id=assignee_object_id)

    # The assignment name is a newly generated GUID.
    return clients.role_assignments.create(scope=scope,
                                           role_assignment_name=_gen_guid(),
                                           parameters=body)
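def list_role_assignments(cmd, assignee_object_id, scope=None):
    '''
    List the role assignments held by a principal, annotated with role and principal names.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the authorization
        and graph clients.
    :param assignee_object_id: object id of the principal whose assignments are searched.
    :param scope: scope under which role definitions are listed for name resolution;
        defaults to the client's configured subscription ('/subscriptions/<id>').
    :return: list of assignment dicts (as produced by ``todict``), each carrying a
        ``roleDefinitionName`` when the role definition still exists and a
        ``principalName`` when the principal could be resolved; ``[]`` when none found.
    '''
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # Decorate role and principal ids with display names to keep the output readable.
    # Either may have been deleted since the assignment was created; such entries are
    # left untouched rather than failing the whole listing.
    if not scope:
        scope = '/subscriptions/' + definitions_client.config.subscription_id
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=scope)}
    for entry in results:
        role_name = role_names.get(entry['roleDefinitionId'])
        if role_name:
            entry['roleDefinitionName'] = role_name

    principal_ids = {entry['principalId'] for entry in results if entry['principalId']}
    if principal_ids:
        try:
            principals = _get_object_stubs(graph_client, principal_ids)
            principal_names = {p.object_id: _get_displayable_name(p) for p in principals}
            for entry in results:
                if entry.get('principalName'):
                    continue
                entry['principalName'] = principal_names.get(entry['principalId']) or ''
        except (CloudError, GraphErrorException) as ex:
            # Name resolution needs Graph read permission the caller may lack; the
            # assignment data is still valid, so log at info and return it unnamed.
            logger.info("Failed to resolve graph object information per error '%s'", ex)

    return results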
def list_role_definitions(cmd):
    '''
    List every role definition visible at the client's configured subscription scope.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the client.
    :return: list of role definitions as returned by the SDK.
    '''
    auth = _auth_client_factory(cmd.cli_ctx, None)
    defs = auth.role_definitions
    subscription_scope = '/subscriptions/' + defs.config.subscription_id
    return list(defs.list(subscription_scope))
def list_role_definitions(cmd):
    '''
    Return all role definitions at the subscription scope of the configured client.

    :param cmd: CLI command context whose ``cli_ctx`` builds the authorization client.
    :return: list of role definitions as returned by the SDK.
    '''
    role_defs = _auth_client_factory(cmd.cli_ctx, None).role_definitions
    sub_id = role_defs.config.subscription_id
    return list(role_defs.list('/subscriptions/' + sub_id))