Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
6.27k stars 4.2k forks source link

Example requires owner level access to the subscription #460

Closed davidwboyd closed 1 year ago

davidwboyd commented 1 year ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Run the example setup with less than ownership level rights. Currently I only have contributor rights in the subscription. The main.bicep file has the permission requests which cause the issue. If I comment out those permissions the deployment succeeds but the upload of the documents failed.

Any log messages given by the failure

The template deployment failed with error: 'Authorization failed for template resource '8f70606d-7739-500f-80cf-cc2ae5c8cffd' of type 'Microsoft.Authorization/roleAssignments'. The client 'david.boyd@xatorcorp.com' with object id '402abf32-d03e-46f6-b89f-89aaa980d017' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/ea2b90c6-7ccd-4434-9079-4cc4278e1fb7/resourceGroups/rg-BPOakland/providers/Microsoft.Authorization/roleAssignments/8f70606d-7739-500f-80cf-cc2ae5c8cffd'.'. (Code: InvalidTemplateDeployment)

If the bicep sections with role grants are commented out the upload fails as follows: Processing files... Processing 'C:\Users\dboyd\Documents\BPOakland/data\11009 First Quarter 2020 Groundwater Monitoring and Status Report.PDF' Uploading blob for page 0 -> 11009 First Quarter 2020 Groundwater Monitoring and Status Report-0.pdf Traceback (most recent call last): File "C:\Users\dboyd\Documents\BPOakland\scripts\prepdocs.py", line 364, in upload_blobs(filename) File "C:\Users\dboyd\Documents\BPOakland\scripts\prepdocs.py", line 49, in upload_blobs blob_container.upload_blob(blob_name, f, overwrite=True) File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\core\tracing\decorator.py", line 76, in wrapper_use_tracer return func(*args, *kwargs) File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\storage\blob_container_client.py", line 1038, in upload_blob blob.upload_blob( File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\core\tracing\decorator.py", line 76, in wrapper_use_tracer return func(args, kwargs) File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\storage\blob_blob_client.py", line 742, in upload_blob return upload_block_blob(options) File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\storage\blob_upload_helpers.py", line 197, in upload_block_blob process_storage_error(error) File "C:\Users\dboyd\Documents\BPOakland\scripts.venv\lib\site-packages\azure\storage\blob_shared\response_handlers.py", line 185, in process_storage_error exec("raise error from None") # pylint: disable=exec-used # nosec File "", line 1, in azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.RequestId:828fc72b-801e-00d9-586c-bf27d8000000 Time:2023-07-26T02:53:26.2749484Z ErrorCode:AuthorizationPermissionMismatch Content: <?xml version="1.0" encoding="utf-8"?>AuthorizationPermissionMismatchThis request is not authorized to perform this operation using this permission. RequestId:828fc72b-801e-00d9-586c-bf27d8000000 Time:2023-07-26T02:53:26.2749484Z

Expected/desired behavior

Deployment works for a user with only contributor level role.

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?) Windows 10 is my laptop.

azd version?

run azd version and copy paste here. azd version 1.1.0 (commit ea9cb12575734ee6a5f99c4d415c1a51d6f32d3e)

Versions

Mention any other details that might be useful


Thanks! We'll be in touch soon.

pamelafox commented 1 year ago

@davidwboyd Thanks for filing. This is discussed quite a bit in https://github.com/Azure-Samples/azure-search-openai-demo/issues/460 so I'm going to rename that issue for clarity and close this issue. Please look at the suggestions in that thread to see if any workarounds will work for you (it's possible they won't, depending on your permissions).

davidwboyd commented 1 year ago

@pamelafox - So you said this was discussed in #460 but I think that is this ticket as the link takes me right to this ticket. Can you please provide the correct ticket where this is discussed?

pamelafox commented 1 year ago

Apologies! https://github.com/Azure-Samples/azure-search-openai-demo/issues/4 is the correct issue