def create_role_definition(role_definition):
role_id = uuid.uuid4()
if os.path.exists(role_definition):
role_definition = get_file_json(role_definition)
else:
role_definition = json.loads(role_definition)
#to workaround service defects, ensure property names are camel case
names = [p for p in role_definition if p[:1].isupper()]
for n in names:
new_name = n[:1].lower() + n[1:]
role_definition[new_name] = role_definition.pop(n)
if not 'name' in role_definition:
raise CLIError("please provide 'name'")
if not 'assignableScopes' in role_definition:
raise CLIError("please provide 'assignableScopes'")
permission = Permission(actions=role_definition.get('actions', None),
not_actions=role_definition.get('notActions', None))
properties = RoleDefinitionProperties(role_name=role_definition['name'],
description=role_definition.get('description', None),
type=_CUSTOM_RULE,
assignable_scopes=role_definition['assignableScopes'],
permissions=[permission])
definition = RoleDefinition(name=role_id, properties=properties)
definitions_client = _auth_client_factory().role_definitions
return definitions_client.create_or_update(role_definition_id=role_id,
scope=properties.assignable_scopes[0],
role_definition=definition)
def _create_update_role_definition(cli_ctx, role_definition, for_update):
definitions_client = _auth_client_factory(cli_ctx).role_definitions
if os.path.exists(role_definition):
role_definition = get_file_json(role_definition)
else:
role_definition = shell_safe_json_parse(role_definition)
# to workaround service defects, ensure property names are camel case
names = [p for p in role_definition if p[:1].isupper()]
for n in names:
new_name = n[:1].lower() + n[1:]
role_definition[new_name] = role_definition.pop(n)
role_name = role_definition.get('name', None)
if not role_name:
raise CLIError("please provide role name")
if for_update: # for update, we need to use guid style unique name
scopes_in_definition = role_definition.get('assignableScopes', None)
scope = (scopes_in_definition[0] if scopes_in_definition else
'/subscriptions/' + definitions_client.config.subscription_id)
matched = _search_role_definitions(definitions_client, role_name,
scope)
if len(matched) != 1:
raise CLIError(
'Please provide the unique logic name of an existing role')
role_definition['name'] = matched[0].name
# ensure correct logical name and guid name. For update we accept both
role_name = matched[0].properties.role_name
role_id = matched[0].name
else:
role_id = _gen_guid()
if not for_update and 'assignableScopes' not in role_definition:
raise CLIError("please provide 'assignableScopes'")
permission = Permission(actions=role_definition.get('actions', None),
not_actions=role_definition.get(
'notActions', None))
properties = RoleDefinitionProperties(
role_name=role_name,
description=role_definition.get('description', None),
type=_CUSTOM_RULE,
assignable_scopes=role_definition['assignableScopes'],
permissions=[permission])
definition = RoleDefinition(name=role_id, properties=properties)
return definitions_client.create_or_update(
role_definition_id=role_id,
scope=properties.assignable_scopes[0],
role_definition=definition)
def create_policy_definition(self, role_name, rules):
# Get "Contributor" built-in role as a RoleDefinition object
roles = self.get_azure_policy(role_name)
if len(roles):
print(f"Role {role_name} already exists")
return
role_id = uuid.uuid4()
permission = Permission(actions=rules['Actions'],
not_actions=rules['NotActions'],
data_actions=rules['DataActions'])
properties = RoleDefinitionProperties(
role_name=role_name,
description=rules['Description'],
type='CustomRole',
assignable_scopes=rules['AssignableScopes'],
permissions=[permission])
definition = CustomRoleDefinition(
id=role_id,
name=rules['Name'],
role_name=role_name,
description=rules['Description'],
role_type='CustomRole',
permissions=[permission],
assignable_scopes=rules['AssignableScopes'])
result = self.authorization_client.role_definitions.create_or_update(
role_definition_id=role_id,
scope=properties.assignable_scopes[0],
role_definition=definition)
if result is not None:
print(f"Successfully created role {role_name}")
else:
print(f"Failed to create role {role_name}")
