Azure / azure-cli

Azure Command-Line Interface
MIT License

RBAC commands not using Python SDK models correctly #26362

Open TheOnlyWei opened 1 year ago

TheOnlyWei commented 1 year ago

Command Name

az role assignment create

Describe the bug

This issue is related to this one I filed for azure-sdk-for-python: https://github.com/Azure/azure-sdk-for-python/issues/30256

This comment from Azure Python SDK team says Azure CLI is not using Python SDK model correctly for az role assignment create commands (and possibly other commands, but I am only aware of this command currently): https://github.com/Azure/azure-sdk-for-python/issues/30256#issuecomment-1537036568

For example, in the following code: https://github.com/Azure/azure-cli/blob/57b3fe1f115e4a32a4ef0c6bbf2c31e3d0588a33/src/azure-cli/azure/cli/command_modules/role/_multi_api_adaptor.py#L53

Python Azure SDK team from the above linked comment says the call for RoleAssignmentCreateParameters for an old API such as 2015-07-01 should look like the following instead:

        parameters = RoleAssignmentCreateParameters(
            properties=RoleAssignmentProperties(role_definition_id=role_id, principal_id=object_id, 
            principal_type=assignee_principal_type, description=description, condition=condition,
            condition_version=condition_version)
        )

For reference, this is the ResourceType.MGMT_AUTHORIZATION SDK profile currently in the Azure CLI code: https://github.com/Azure/azure-cli/blob/57b3fe1f115e4a32a4ef0c6bbf2c31e3d0588a33/src/azure-cli-core/azure/cli/core/profiles/_shared.py#L287

The Microsoft.Authorization 2015-07-01 API version contract: https://github.com/Azure/azure-rest-api-specs/tree/main/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01

Note that this issue was discovered on Azure Stack Hub AAD environment. I tested the same commands on an ADFS environment and did not run into this issue, so there are likely diverging code flows between AAD and ADFS environments for the commands related to this issue.

Errors:

PS C:\Users\Administrator.RP0103-DVM> az role assignment create --assignee-object-id $objectId `
>> --role "owner" `
>> --scope "/subscriptions/${subscriptionId}/resourceGroups/rbactestrg" `
>> --debug
cli.knack.cli: Command arguments: ['role', 'assignment', 'create', '--assignee-object-id', 'c1631a0d-d1c7-404b-b0c1-77fa7612b213', '--role', 'owner', '--scope', '/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0167A460>, <function OutputProducer.on_global_arguments at 0x01748BF8>, <function CLIQuery.on_global_arguments at 0x01766850>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.008        17        60
cli.azure.cli.core: Total (1)                 0.008        17        60
cli.azure.cli.core: Loaded 17 groups, 60 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : role assignment create
cli.azure.cli.core: Command table: role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03A5A460>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Administrator.RP0103-DVM\.azure\commands\2023-05-04.05-13-16.role_assignment_create.13156.log'.
az_command_data_logger: command args: role assignment create --assignee-object-id {} --role {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03A6C808>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03A90730>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03A90970>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01748C40>, <function CLIQuery.handle_query_parameter at 0x01766898>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03A90928>]
cli.azure.cli.command_modules.role.custom: RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\Administrator.RP0103-DVM\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\Administrator.RP0103-DVM\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 58c13d68-9350-4ddc-9d07-01be2ddb7ca5
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds'
cli.azure.cli.core.util: Request method: 'POST'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Windows-10-10.0.17763-SP0) AZURECLI/2.48.1 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '1c3ec375-52cb-40aa-b098-b97e1080574e'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'CommandName': 'role assignment create'
cli.azure.cli.core.util:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util:     'Content-Length': '132'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: {"ids": ["c1631a0d-d1c7-404b-b0c1-77fa7612b213"], "types": ["user", "group", "servicePrincipal", "directoryObjectPartnerReference"]}
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/directoryObjects/getByIds HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Location': 'https://graph.microsoft.com'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '77dd42a5-9491-4870-8757-4525f940c628'
cli.azure.cli.core.util:     'client-request-id': '77dd42a5-9491-4870-8757-4525f940c628'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Central US","Slice":"E","Ring":"1","ScaleUnit":"000","RoleInstance":"CY4PEPF0000AB2D"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '3'
cli.azure.cli.core.util:     'OData-Version': '4.0'
cli.azure.cli.core.util:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[{"@odata.type":"#microsoft.graph.user","id":"c1631a0d-d1c7-404b-b0c1-77fa7612b213","businessPhones":[],"displayName":"Tenant Admin1","givenName":"Tenant","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"Admin","userPrincipalName":"tenantadmin1_msazurestack.onmicrosoft.com#EXT#@azurestackci15.onmicrosoft.com"}]}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.azurestackci15.onmicrosoft.com/e338c37e-ea97-4a24-87d1-676bcf5b5eb8/.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.azurestackci15.onmicrosoft.com/e338c37e-ea97-4a24-87d1-676bcf5b5eb8/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: ee2f646e-795d-4b68-8281-9261a715d468
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27owner%27&api-version=2015-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6026c7dd-ea3a-11ed-97e8-00155d14fed4'
cli.azure.cli.core.sdk.policies:     'CommandName': 'role assignment create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.48.1 (MSI) azsdk-python-azure-mgmt-authorization/3.0.0 Python/3.10.10 (Windows-10-10.0.17763-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443
urllib3.connectionpool: https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443 "GET /subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27owner%27&api-version=2015-07-01 HTTP/1.1" 200 579
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '579'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '00000000-0000-0000-0000-000000000000'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESMET': 'DLT=0;PAS=6;DPT=4;GPT=0;SPT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESDIM': 'Result=S;RT=GetRoleDefinitionSubscriptionsPath;R=pasfe;RI=onebox;SC=OK;SliceKind=Test;Version=2.1.7550.2;FE=;RS=Unspecified;AuthFailReason=Unknown;LPSS=0;MPS=Master;DLOT=GRDS;UF=0;LEUT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-service-instanceid': 'onebox'
cli.azure.cli.core.sdk.policies:     'xtn': '5bxkHjuf3UqL6OVQ4FAU0A=='
cli.azure.cli.core.sdk.policies:     'xtf': '0'
cli.azure.cli.core.sdk.policies:     'xsc': '1'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-IIS/10.0'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '14998'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '3e5936c1-8904-4077-a06b-017e6d739767'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'REDMOND:20230504T051316Z:3e5936c1-8904-4077-a06b-017e6d739767'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"properties":{"roleName":"Owner","type":"BuiltInRole","description":"Lets you manage everything, including access to resources.","assignableScopes":["/"],"permissions":[{"actions":["*"],"notActions":[]}],"createdOn":"0001-01-01T00:00:00.0000000Z","updatedOn":"0001-01-01T00:00:00.0000000Z","createdBy":null,"updatedBy":null},"id":"/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635","type":"Microsoft.Authorization/roleDefinitions","name":"8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}]}
azure.mgmt.authorization._serialization: principal_type is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: description is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition_version is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleAssignments/2631c858-0b31-4b36-bd27-61ee6d353fe2?api-version=2015-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '217'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6026c7dd-ea3a-11ed-97e8-00155d14fed4'
cli.azure.cli.core.sdk.policies:     'CommandName': 'role assignment create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.48.1 (MSI) azsdk-python-azure-mgmt-authorization/3.0.0 Python/3.10.10 (Windows-10-10.0.17763-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"roleDefinitionId": "/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "principalId": "c1631a0d-d1c7-404b-b0c1-77fa7612b213"}
urllib3.connectionpool: https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443 "PUT /subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleAssignments/2631c858-0b31-4b36-bd27-61ee6d353fe2?api-version=2015-07-01 HTTP/1.1" 400 105
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '105'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '00000000-0000-0000-0000-000000000000'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESMET': 'DLT=0;PAS=3;DPT=0;GPT=0;SPT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESDIM': 'Result=UE;RT=PutRoleAssignmentSubscriptionsPath;R=pasfe;RI=onebox;SC=BadRequest;SliceKind=Test;Version=2.1.7550.2;FE=;RS=Unspecified;AuthFailReason=Unknown;MPS=Master;DLOT=NONE;UF=0;LEUT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-service-instanceid': 'onebox'
cli.azure.cli.core.sdk.policies:     'xtn': '5bxkHjuf3UqL6OVQ4FAU0A=='
cli.azure.cli.core.sdk.policies:     'xtf': '0'
cli.azure.cli.core.sdk.policies:     'xsc': '15'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-IIS/10.0'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1198'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '81331d9a-281a-4c19-9bf9-59ad19bab4c0'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'REDMOND:20230504T051317Z:81331d9a-281a-4c19-9bf9-59ad19bab4c0'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"MalformedRoleAssignmentRequest","message":"PASRP RoleAssignment request is malformed"}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 186, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 210, in _create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_multi_api_adaptor.py", line 57, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/authorization/v2015_07_01/operations/_role_assignments_operations.py", line 738, in create
azure.core.exceptions.HttpResponseError: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed

cli.azure.cli.core.azclierror: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed
az_command_data_logger: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03A5A580>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.557 seconds (init: 0.406, invoke: 1.151)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3599 in cache
telemetry.check: Negative: The C:\Users\Administrator.RP0103-DVM\.azure\telemetry.txt was modified at 2023-05-04 05:12:05.087529, which in less than 600.000000 s

To Reproduce

Example steps to reproduce one of the issues:

  1. Register Azure CLI cloud against 2020-09-01-hybrid profile. PowerShell example:

    $configProperties = @{
        endpoints = @{
            microsoftGraphResourceId = "..."
            resourceManager = "..."
            vmImageAliasDoc = "..."
        }
        profile = "2020-09-01-hybrid"
        suffixes = @{
            storageEndpoint = "..."
            keyvaultDns = "..."
        }
    }
    $configProperties | ConvertTo-Json | Out-File -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "config.json")
    az cloud register --name "myAzureStackHubEnv" --cloud-config `@"config.json"

  2. Set Azure CLI cloud to the profile registered in step 1 and log in.

  3. Run an az role assignment create command.

Expected behavior

Should not throw an error.

Environment summary

azure-cli                         2.48.1
core                              2.48.1
telemetry                          1.0.8
Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\Administrator.N35R0804-DVM\.azure\cliextensions'
Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

msyyc commented 1 year ago

just for reference: https://github.com/Azure/azure-sdk-for-python/issues/30256#issuecomment-1537036568

jiasli commented 1 year ago

I am able to repro by running the following commands:

> az cloud set --name azurecloud --profile 2020-09-01-hybrid
> az role assignment create --assignee-object-id 7a938a30-4226-420e-996f-4d48bca6d537 --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590 --role reader --debug
Message: PASRP RoleAssignment request is malformed
az_command_data_logger: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed

The difference in SDK models across API versions comes from different x-ms-client-flatten definitions.

In 2015-07-01, properties is not flattened, so RoleAssignmentProperties is exposed in the SDK:

https://github.com/Azure/azure-rest-api-specs/blob/da459cd725e11aa72e7fbc3b65d523b6e2b6453b/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01/authorization-RoleAssignmentsCalls.json#L634

    "RoleAssignmentCreateParameters": {
      "properties": {
        "properties": {
          "$ref": "#/definitions/RoleAssignmentProperties",
          "description": "Role assignment properties."
        }
      },

But in 2022-04-01, properties is flattened, so RoleAssignmentProperties is not exposed in the SDK:

https://github.com/Azure/azure-rest-api-specs/blob/e7e775e2f3fe00f25fbd0e7ca0d953e22eef93ff/specification/authorization/resource-manager/Microsoft.Authorization/stable/2022-04-01/authorization-RoleAssignmentsCalls.json#L663

    "RoleAssignmentCreateParameters": {
      "properties": {
        "properties": {
          "x-ms-client-flatten": true,
          "$ref": "#/definitions/RoleAssignmentProperties",
          "description": "Role assignment properties."
        }
      },

Consider the following calling pattern:

        parameters                            properties                      attributes
    create ----> RoleAssignmentCreateParameters ----> RoleAssignmentProperties  ----> roleDefinitionId, principalId

In the Track 1 SDK, RoleAssignmentProperties is passed directly into the create method via the properties arg. (parameters is flattened out by code-gen.)

    def create(
            self, scope, role_assignment_name, properties, custom_headers=None, raw=False, **operation_config):
        """
        :param properties: Role assignment properties.
        :type properties:
         ~azure.mgmt.authorization.v2015_07_01.models.RoleAssignmentProperties
        """

However, in the Track 2 SDK and newer API versions, RoleAssignmentCreateParameters is passed into the create method via the parameters arg. (properties is flattened out by the model.)

    def create(
        self,
        scope: str,
        role_assignment_name: str,
        parameters: Union[_models.RoleAssignmentCreateParameters, IO],
        **kwargs: Any
    ) -> _models.RoleAssignment:

This is due to a behavior change in very old versions of code-gen: If RoleAssignmentCreateParameters contains only a few attributes, then these attributes are flattened into the method. In this case, RoleAssignmentCreateParameters only has one attribute - properties, so properties is extracted to the create method. Later on, code-gen dropped this behavior and preserves parameters as is. Meanwhile, newer API flattens RoleAssignmentProperties but 2015-07-01 doesn’t.

This breaking change in create's calling pattern causes this failure during azure-mgmt-authorization's Track2 migration: https://github.com/Azure/azure-cli/pull/25452.

We explicitly called out in our public doc that the latest az role and az ad command groups no longer work with Azure Stack: https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#known-issues

Microsoft Graph related commands like az ad and az role will fail in Azure Stack environments which don't have Microsoft Graph support. Please use Azure CLI 2.36.0 or earlier versions for Azure Stack environments.
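The two client-model shapes discussed in the thread, as an added example that is not azure-cli or azure-mgmt-authorization code: it models the nested 2015-07-01 shape and the flattened newer shape behind hypothetical classes, shows that serializing the bare properties model yields the wrapper-less body seen in the debug log, and, unlike the SDK serializer's "will be ignored" warning, refuses unknown fields so a condition or principal type can never be silently dropped from an access grant. The 2022-04-01 field list is assumed from the arguments the CLI tries to send; the sample IDs are constructed.

```python
import json
from typing import Any, Dict


class StrictModel:
    """Minimal stand-in for an SDK model (hypothetical, not the real base class).

    Unknown keyword arguments raise instead of being ignored, so a field the target
    API version cannot carry (e.g. `condition`) fails the call rather than producing
    a broader role assignment than the caller asked for.
    """
    _attribute_map: Dict[str, str] = {}  # python attribute name -> wire (JSON) key

    def __init__(self, **kwargs: Any) -> None:
        unknown = set(kwargs) - set(self._attribute_map)
        if unknown:
            raise TypeError(f"{type(self).__name__} has no attribute(s) {sorted(unknown)}")
        for name in self._attribute_map:
            setattr(self, name, kwargs.get(name))

    def serialize(self) -> Dict[str, Any]:
        body: Dict[str, Any] = {}
        for name, key in self._attribute_map.items():
            value = getattr(self, name)
            if value is None:
                continue
            body[key] = value.serialize() if isinstance(value, StrictModel) else value
        return body


# 2015-07-01 shape: `properties` is NOT flattened, so a separate properties model exists.
class RoleAssignmentProperties2015(StrictModel):
    _attribute_map = {"role_definition_id": "roleDefinitionId", "principal_id": "principalId"}


class RoleAssignmentCreateParameters2015(StrictModel):
    _attribute_map = {"properties": "properties"}


# 2022-04-01 shape: `properties` IS flattened (x-ms-client-flatten) into the parameters model.
class RoleAssignmentCreateParameters2022(StrictModel):
    _attribute_map = {
        "role_definition_id": "roleDefinitionId",
        "principal_id": "principalId",
        "principal_type": "principalType",
        "description": "description",
        "condition": "condition",
        "condition_version": "conditionVersion",
    }

    def serialize(self) -> Dict[str, Any]:
        # Flattening only changes the client model; the wire body is still nested.
        return {"properties": super().serialize()}


def build_body(api_version: str, role_definition_id: str, principal_id: str,
               **extra: Any) -> Dict[str, Any]:
    """Return the PUT body for the given api-version, picking the model shape per version."""
    if api_version == "2015-07-01":
        props = RoleAssignmentProperties2015(role_definition_id=role_definition_id,
                                             principal_id=principal_id, **extra)
        return RoleAssignmentCreateParameters2015(properties=props).serialize()
    if api_version == "2022-04-01":
        return RoleAssignmentCreateParameters2022(role_definition_id=role_definition_id,
                                                  principal_id=principal_id, **extra).serialize()
    raise ValueError(f"unsupported api-version {api_version}")


def body_is_well_formed(body: Dict[str, Any]) -> bool:
    """Pre-flight check for what the service rejected with MalformedRoleAssignmentRequest:
    roleDefinitionId and principalId must sit under a top-level `properties` object."""
    props = body.get("properties")
    return isinstance(props, dict) and {"roleDefinitionId", "principalId"} <= set(props)


# Constructed sample values, not the identifiers from the issue.
ROLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
           "Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111")
OBJECT_ID = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    good = build_body("2015-07-01", ROLE_ID, OBJECT_ID)
    print(json.dumps(good, indent=2), body_is_well_formed(good))
    # What the CLI effectively sent in the debug log: the properties model on its own.
    bare = RoleAssignmentProperties2015(role_definition_id=ROLE_ID, principal_id=OBJECT_ID).serialize()
    print(json.dumps(bare), body_is_well_formed(bare))
```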