Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
5.94k stars 4.08k forks

Permissions, endpoint security and prepdocs.ps1 #1795

Open IainD925 opened 2 months ago

IainD925 commented 2 months ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Application deployed via VM over Bastion. If Storage Account endpoint security is Public, prepdocs.ps1 runs fine. Switch the endpoint to Service Endpoint or PE and run prepdocs.ps1, and you get AuthorizationFailure "This request is not authorized to perform this operation." When Storage Account networking is set to Service Endpoint and the IP of the VM is whitelisted, you still cannot browse Containers via the Azure portal - suspect Bastion issue here.

Any log messages given by the failure

Traceback (most recent call last):
  File "C:\AI_RAG\app\backend\prepdocs.py", line 479, in <module>
    loop.run_until_complete(main(ingestion_strategy, setup_index=not args.remove and not args.removeall))
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 654, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "C:\AI_RAG\app\backend\prepdocs.py", line 215, in main
    await strategy.run()
  File "C:\AI_RAG\app\backend\prepdocslib\filestrategy.py", line 86, in run
    blob_sas_uris = await self.blob_manager.upload_blob(file)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\AI_RAG\app\backend\prepdocslib\blobmanager.py", line 52, in upload_blob
    if not await container_client.exists():
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\AI_RAG\.venv\Lib\site-packages\azure\core\tracing\decorator_async.py", line 94, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\AI_RAG\.venv\Lib\site-packages\azure\storage\blob\aio\_container_client_async.py", line 429, in exists
    process_storage_error(error)
  File "C:\AI_RAG\.venv\Lib\site-packages\azure\storage\blob\_shared\response_handlers.py", line 182, in process_storage_error
    exec("raise error from None") # pylint: disable=exec-used # nosec
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.

Expected/desired behavior

Endpoint security should not impact access to the storage account when a Private Endpoint is in place or when a Service Endpoint with a firewall rule for the local machine is in place.

OS and Version?

Windows Server 2022 (Cloud VM)

azd version?

azd version 1.9.4 (commit 60d7a770c73289e303a539babf5965e638843227)

Versions

Mention any other details that might be useful


Thanks! We'll be in touch soon.
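The traceback in the report ends in the 403 that Azure Storage returns when its network rules reject a request: the error code behind "This request is not authorized to perform this operation." is AuthorizationFailure, which is a different code from the RBAC denial AuthorizationPermissionMismatch, so adding role assignments will not clear it. The script below is an added diagnostic, not part of the issue or of the repo's prepdocs code. It classifies the error by the status code and error code that azure.core.exceptions.HttpResponseError exposes as .status_code and .error_code, then checks which address the account's blob endpoint resolves to from the VM, which is usually enough to tell a missing private DNS zone link from a missing virtual network rule. The account name stragdemo, the mode names and the resolver results are constructed for the example; on the VM, drop the resolver argument so socket.gethostbyname is used.

```python
"""Diagnose the 403 prepdocs hits when the storage account sits behind a service endpoint
or a private endpoint. Added example, not code from the repo; the account name and the
resolver results used when run as a script are constructed. Runs offline: it only
classifies an error and resolves one hostname through an injectable resolver."""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# Constructed map of the error codes Azure Blob Storage sends with HTTP 403 to the layer
# that produced them. AuthorizationFailure is a network-rule rejection: the request never
# reached the RBAC check, so the fix is in the firewall/endpoint configuration.
FORBIDDEN_CAUSES = {
    "AuthorizationFailure": "network-rules",            # firewall / service or private endpoint
    "AuthorizationPermissionMismatch": "rbac",           # identity lacks a data-plane role
    "AuthenticationFailed": "credential",                # token rejected: expired, wrong tenant, skew
}

BLOB_SUFFIX = "blob.core.windows.net"


def classify_error(status_code: int, error_code: Optional[str]) -> str:
    """Coarse cause from HttpResponseError.status_code and HttpResponseError.error_code."""
    if status_code == 404:
        return "not-found"
    if status_code != 403:
        return "other"
    return FORBIDDEN_CAUSES.get(error_code or "", "forbidden-unknown")


def resolve_blob_endpoint(account: str,
                          resolver: Callable[[str], str] = socket.gethostbyname) -> Tuple[str, str]:
    """Return (hostname, ip) for the account's blob endpoint. With a private endpoint the
    public zone CNAMEs to <account>.privatelink.blob.core.windows.net; only a VNet linked to
    that private DNS zone gets the private IP back, everyone else gets the public address."""
    host = f"{account}.{BLOB_SUFFIX}"
    return host, resolver(host)


def diagnose(account: str, status_code: int, error_code: Optional[str], mode: str,
             resolver: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """mode is 'service-endpoint' or 'private-endpoint' (constructed names for the two
    setups the issue describes). Returns human-readable findings, one per line."""
    cause = classify_error(status_code, error_code)
    if cause != "network-rules":
        return [f"cause={cause}: not the firewall; fix the role assignment or credential"]
    host, ip = resolve_blob_endpoint(account, resolver)
    private = ipaddress.ip_address(ip).is_private
    notes = [f"{host} -> {ip} ({'private' if private else 'public'} address)"]
    if mode == "private-endpoint":
        if private:
            notes.append("private endpoint DNS is correct; check the endpoint connection is "
                         "Approved and the VM subnet's NSG allows TCP 443 to that address")
        else:
            notes.append("traffic is going to the public endpoint, which the firewall rejects: "
                         "link the privatelink.blob.core.windows.net private DNS zone to the "
                         "VM's VNet")
    elif mode == "service-endpoint":
        notes.append("public address is expected here; the firewall sees the VM's subnet, "
                     "not its public IP")
        notes.append("add a virtual network rule for the VM's subnet (with the Microsoft.Storage "
                     "service endpoint enabled on it); an IP rule for the VM's public IP does "
                     "not match same-region Azure traffic")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return notes


if __name__ == "__main__":
    # Constructed resolver standing in for the VM's DNS; remove it on the VM to use real DNS.
    for line in diagnose("stragdemo", 403, "AuthorizationFailure", "private-endpoint",
                         resolver=lambda _h: "20.60.1.1"):
        print(line)
```

Two checks worth making before blaming Bastion: with a service endpoint, the storage firewall evaluates the VM's subnet rather than its public IP, so the rule that unblocks prepdocs is a virtual network rule for that subnet, not an IP allow entry; and the portal's container browser issues its data-plane calls from the browser's own client address, so browsing containers in the portal needs that address allowed as well (the Networking blade's "Add your client IP address" option does this), independently of where the VM sits.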