search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.98k stars 2.96k forks source link

"az extension add" hangs in azure devops CI pipelines when the PAT token for a pip source is revoked. #18951

Open thy09 opened 3 years ago

thy09 commented 3 years ago

Describe the bug Scenario: We are building extensions for azure cli. We install the extension in our CI pipeline for testing. To install some internal packages, we use a pip connection with a PAT token to enable extra index urls.

Problem: When the PAT token of the pip connection is revoked (it could be auto revoked at some time.) The "az extension add" command will hang when running the pip install command. See the log:

DEBUG: cli.azure.cli.core.extension.operations: Running: ['C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe', '-m', 'pip', 'install', '--target', 'C:\Program Files\Common Files\AzureCliExtensionDirectory\xxx', 'C:\Users\VSSADM~1\AppData\Local\Temp\tmph4df1miu\xxx-py3-none-any.whl', '--extra-index-url', 'https://xxxx', '-vv', '--disable-pip-version-check', '--no-cache-dir']

[error]The operation was canceled.

While if I directly use "pip install" to install the same thing, only a warning "Credentials not correct for https://xxx" is printed, the installation still works.

To Reproduce

  1. Create a pip feed in devops, see this reference
  2. Create a pip connection in the devops project with a PAT token;
  3. Add a pipeline to the devops project with a pip authentication step and an az extension add step; 
    steps:
- task: PipAuthenticate@1
inputs:
pythonDownloadServiceConnections: xxxx
onlyAddExtraIndex: True
- task: AzureCLI@2
inputs:
azureSubscription: xxxx
scriptLocation: inlineScript
scriptType: pscore
inlineScript: |
  cd $(Build.SourcesDirectory)
  az extension add xxxxx
workingDirectory: $(DIRECTORY)
  4. Revoke the PAT token;
  5. Trigger the pipeline;

Expected behavior No hanging, either failing fast or ignoring the unauthorized index are acceptable.

Environment summary AzureCLI@2 task in azure pipelines

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @narula0781, @ashishonce, @romil07.

Issue Details
**Describe the bug** **Scenario:** We are building extensions for azure cli. We install the extension in our CI pipeline for testing. To install some internal packages, we use a **pip connection** with a PAT token to enable extra index urls. **Problem:** When the PAT token of the pip connection is revoked (it could be auto revoked at some time.) The "az extension add" command will hang when running the pip install command. See the log: > DEBUG: cli.azure.cli.core.extension.operations: Running: ['C:\\Program Files (x86)\\Microsoft SDKs\\Azure\\CLI2\\python.exe', '-m', 'pip', 'install', '--target', 'C:\\Program Files\\Common Files\\AzureCliExtensionDirectory\\xxx', 'C:\\Users\\VSSADM~1\\AppData\\Local\\Temp\\tmph4df1miu\\xxx-py3-none-any.whl', '--extra-index-url', 'https://xxxx', '-vv', '--disable-pip-version-check', '--no-cache-dir'] ##[error]The operation was canceled. While if I directly use "pip install" to install the same thing, only a warning "Credentials not correct for https://xxx" is printed, the installation still works. **To Reproduce** 1. Create a pip feed in devops, see [this reference](https://docs.microsoft.com/en-us/azure/devops/artifacts/quickstarts/python-packages?view=azure-devops) 2. Create a pip connection in the devops project with a PAT token; 3. Add a pipeline to the devops project with a pip authentication step and an az extension add step; ```yaml steps: - task: PipAuthenticate@1 inputs: pythonDownloadServiceConnections: xxxx onlyAddExtraIndex: True - task: AzureCLI@2 inputs: azureSubscription: xxxx scriptLocation: inlineScript scriptType: pscore inlineScript: | cd $(Build.SourcesDirectory) az extension add xxxxx workingDirectory: $(DIRECTORY) ``` 4. Revoke the PAT token; 5. Trigger the pipeline; **Expected behavior** No hanging, either failing fast or ignoring the unauthorized index are acceptable. **Environment summary** AzureCLI@2 task in azure pipelines
Author: thy09
Assignees: -
Labels: `DevOps`, `Service Attention`, `needs-triage`
Milestone: -
yonzhan commented 3 years ago

route to service team

jiasli commented 3 years ago

Before I do more investigation on the ADO pip feed, the doc confuses me

https://docs.microsoft.com/en-us/azure/devops/artifacts/quickstarts/python-packages?view=azure-devops#connect-to-feed

Manually set up credentials for pip.ini/pip.conf for pushes, and .pypirc for pulls with a personal access token (PAT).

Isn't pip.ini/pip.conf used for pip to pull packages and .pypirc used for twine or flit to upload (push) packages?

@thy09, is the PAT retrieved from pip.ini/pip.conf? Could you share the pip.ini/pip.conf content with PAT redacted?

thy09 commented 3 years ago

Hi @jiasli The doc you mentioned is about manually connect to the feed. In devops, we only need to do the following:

Get a PAT token from here in devops: image

Then pip connection is created here: image

Then create the connection: image

jiasli commented 3 years ago

I prefer to make this issue as a feature request and put it in our backlog, as az extension add with a PAT for pip is a very rare use case and not officially supported.

If you can help identify the root cause and submit a PR, we will mostly appreciate it.