search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.96k stars 2.94k forks source link

“az role definition delete” could not delete custom role when user only have permission on the Resource Group #28354

Open yayongwang opened 6 months ago

yayongwang commented 6 months ago

Describe the bug

When a user has permission "Microsoft.Authorization/roleDefinitions/write" only on a resource group (such as /subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/resourceGroups/kvrg), but not on the subscription level (/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d). The user could create a custom role whose AssignableScopes is just the resource group using the command "az role definition create --role-definition test.json"

{ "Name": "TestCustomRole", "IsCustom": true, "Description": "TestCustomRole.", "Actions": [ "*/read" ], "NotActions": [], "AssignableScopes": [ "/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/resourceGroups/kvrg" ] }

However, the user could not run ‘az role definition delete --name "TestCustomRole"’ to delete the custom role with the following error.

(AuthorizationFailed) The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/fa3101bb-6f53-42b9-8b80-af362a28b7b8' or the scope is invalid. If access was recently granted, please refresh your credentials.

The az cli send the following request which return the 403 Forbidden error. DELETE https://management.azure.com/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/fa3101bb-6f53-42b9-8b80-af362a28b7b8?api-version=2022-05-01-preview

In this scenario, the az cli should use scope (subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/resourceGroups/kvrg)in the REST API which could delete the custom role successfully.

DELETE https://management.azure.com/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/resourceGroups/kvrg/providers/Microsoft.Authorization/roleDefinitions/fa3101bb-6f53-42b9-8b80-af362a28b7b8?api-version=2022-05-01-preview

Related command

az role definition delete

Errors

(AuthorizationFailed) The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/fa3101bb-6f53-42b9-8b80-af362a28b7b8' or the scope is invalid. If access was recently granted, please refresh your credentials.

Issue script & Debug output

C:\t1>az role definition delete --name "TestCustomRole" --debug cli.knack.cli: Command arguments: ['role', 'definition', 'delete', '--name', 'TestCustomRole', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000262FCEFF880>, <function OutputProducer.on_global_arguments at 0x00000262FD08A020>, <function CLIQuery.on_global_arguments at 0x00000262FD0B3BA0>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: role 0.009 17 61 cli.azure.cli.core: Total (1) 0.009 17 61 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: Total (0) 0.000 0 0 cli.azure.cli.core: Loaded 17 groups, 61 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : role definition delete cli.azure.cli.core: Command table: role definition delete cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000262FFF6AA20>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\yaywang.FAREAST.azure\commands\2024-02-12.10-33-18.role_definition_delete.22608.log'. az_command_data_logger: command args: role definition delete --name {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x00000262FFF7B060>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x00000262FFFC4F40>, <function register_cache_arguments..add_cache_arguments at 0x00000262FFFC5080>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000262FD08A0C0>, <function CLIQuery.handle_query_parameter at 0x00000262FD0B3C40>, <function register_ids_argument..parse_ids_arguments at 0x00000262FFFC4FE0>] cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\yaywang.FAREAST\.azure\msal_token_cache.bin', encrypt=True cli.azure.cli.core.auth.binary_cache: load: C:\Users\yaywang.FAREAST.azure\msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/47d47722-0e17-4250-b3f1-06027074f58c/kerberos', 'tenant_region_scope': 'AS', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? False cli.azure.cli.core._debug: Connection verification disabled by environment variable AZURE_CLI_DISABLE_CONNECTION_VERIFICATION cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={} cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: 55ed6613-58ee-4557-b268-29afdec55d03 cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview' cli.azure.cli.core.sdk.policies: Request method: 'GET' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '151e2954-c94f-11ee-a815-6c24087ab4ac' cli.azure.cli.core.sdk.policies: 'CommandName': 'role definition delete' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.57.0 (MSI) azsdk-python-azure-mgmt-authorization/4.0.0 Python/3.11.7 (Windows-10-10.0.22631-SP0)' cli.azure.cli.core.sdk.policies: 'Authorization': '' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: This request has no body urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443 D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host '127.0.0.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-05-01-preview HTTP/1.1" 200 602070 cli.azure.cli.core.sdk.policies: Response status: 200 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Content-Length': '602070' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'Set-Cookie': 'x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '5404fd88-6e93-43e0-87de-3b4f6266ca63' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '11999' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'd49a126c-56a3-4d40-ac60-ed3ef0ce36fa' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240212T023327Z:d49a126c-56a3-4d40-ac60-ed3ef0ce36fa' cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: A81DAF737BD545A7BCF908075062934B Ref B: MAA201060516017 Ref C: 2024-02-12T02:33:27Z' cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 12 Feb 2024 02:33:27 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8?api-version=2022-05-01-preview' cli.azure.cli.core.sdk.policies: Request method: 'DELETE' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '151e2954-c94f-11ee-a815-6c24087ab4ac' cli.azure.cli.core.sdk.policies: 'CommandName': 'role definition delete' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.57.0 (MSI) azsdk-python-azure-mgmt-authorization/4.0.0 Python/3.11.7 (Windows-10-10.0.22631-SP0)' cli.azure.cli.core.sdk.policies: 'Authorization': '' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: This request has no body D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host '127.0.0.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings urllib3.connectionpool: https://management.azure.com:443 "DELETE /subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8?api-version=2022-05-01-preview HTTP/1.1" 403 481 cli.azure.cli.core.sdk.policies: Response status: 403 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Content-Length': '481' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '46540e7f-cd3a-49ba-81a7-13b735fc0e51' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '46540e7f-cd3a-49ba-81a7-13b735fc0e51' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240212T023328Z:46540e7f-cd3a-49ba-81a7-13b735fc0e51' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 65080C78ECD44C27AF4A8395A3136F51 Ref B: MAA201060516017 Ref C: 2024-02-12T02:33:28Z' cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 12 Feb 2024 02:33:28 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials."}} cli.azure.cli.core.azclierror: Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 729, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 698, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 131, in delete_role_definition File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/authorization/v2022_05_01_preview/operations/_role_definitions_operations.py", line 242, in delete azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed Message: The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials.

cli.azure.cli.core.azclierror: (AuthorizationFailed) The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed Message: The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials. az_command_data_logger: (AuthorizationFailed) The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed Message: The client 'du1@yaywang.freeddns.org' with object id '649cd015-659e-486c-8a9c-32633ec93729' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/subscriptions/e6d96b71-44f5-47a4-8acb-9cc841cfbe5d/providers/Microsoft.Authorization/roleDefinitions/5d79ba6d-4227-4f11-b131-af71a84052c8' or the scope is invalid. If access was recently granted, please refresh your credentials. cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000262FFF6ACA0>] az_command_data_logger: exit code: 1 cli.main: Command ran in 2.852 seconds (init: 0.513, invoke: 2.339) cli.azure.cli.core.decorators: Suppress exception: Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean ValueError: Not a boolean: None

telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 4361 in cache telemetry.main: Begin creating telemetry upload process. telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\Users\yaywang.FAREAST.azure" telemetry.process: Return from creating process telemetry.main: Finish creating telemetry upload process.

C:\t1>

Expected behavior

delete the custom role successfully.

Environment Summary

C:\t1>az --version azure-cli 2.57.0

core 2.57.0 telemetry 1.1.0

Extensions: serial-console 0.1.6 ssh 1.1.3

Dependencies: msal 1.26.0 azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\yaywang.FAREAST.azure\cliextensions'

Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec 4 2023, 19:24:49) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

yonzhan commented 6 months ago

Thank you for opening this issue, we will look into it.