az devops security permission update

lokesh-exelaonline commented 3 weeks ago

Describe the bug

getting below error while doing az DevOps repo permissions update command as checked with microsoft devops support team its backend error from git side TF400898: An Internal Error Occurred. Activity Id: cd9bad3f-4800-4708-b850-14fa7cd88b7e.

Related command

az devops security permission update --allow-bit 1 --namespace-id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject "vssgp.Uy0xLTktMTU1MTM3NDI0NS0zMTE3MzM1NjQzLTQ3NzM2NDgwOC0yMTQ3NjkzODM2LTQwNDUxNTQ3NTAtMS0zNjU2NDEyOTQyLTM4NDQ1MDAwNDMtMjU2NzMyMTU5Mi02MDA5OTE2MDg" --token "`ICS:vstfs:///Classification/TeamProject/Git/6c48df35-6d16-4223-a936-9671e469004d" --organization (orgname)

Errors

TF400898: An Internal Error Occurred. Activity Id: cd9bad3f-4800-4708-b850-14fa7cd88b7e.

Issue script & Debug output

NA

Expected behavior

NA

Environment Summary

azure-cli 2.55.0 *

core 2.55.0 * telemetry 1.1.0

Extensions: azure-devops 1.0.1

Dependencies: msal 1.24.0b2 azure-mgmt-resource 23.1.0b2

Additional context

No response

azure-client-tools-bot-prd[bot] commented 3 weeks ago

Hi @lokesh-exelaonline,

2.55.0 is not the latest Azure CLI(2.64.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 3 weeks ago

Thank you for opening this issue, we will look into it.

lokesh-exelaonline commented 2 weeks ago

tried updating the Az CLI version, still the error is same.

PS C:\Users\az_lbhutada> az devops security permission update --allow-bit 1 --namespace-id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject "vssgp.Uy0xLTktMTU1MTM3NDI0NS0zMTE3MzM1NjQzLTQ3NzM2NDgwOC0yMTQ3NjkzODM2LTQwNDUxNTQ3NTAtMS0zNjU2NDEyOTQyLTM4NDQ1MDAwNDMtMjU2NzMyMTU5Mi02MDA5OTE2MDg" --token "`ICS:vstfs:///Classification/TeamProject/Git/6c48df35-6d16-4223-a936-9671e469004d" --organization {orgname} az : ERROR: TF400898: An Internal Error Occurred. Activity Id: c727ba6f-f1e3-4182-bb20-3e20ccf46d5e. At line:1 char:1

az devops security permission update --allow-bit 1 --namespace-id 2e9 ...


+ CategoryInfo          : NotSpecified: (ERROR: TF400898...0-3e20ccf46d5e.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

PS C:\Users\az_lbhutada> az version { "azure-cli": "2.64.0", "azure-cli-core": "2.64.0", "azure-cli-telemetry": "1.1.0", "extensions": { "azure-devops": "1.0.1" } } PS C:\Users\az_lbhutada>

lokesh-exelaonline commented 2 weeks ago

@v-vjanapati , @V-hmusukula can you please help with this issue.

v-anvashist commented 2 weeks ago

Hi @lokesh-exelaonline

Please note that the security token is wrapped within single quotes. '$PROJECT:vstfs:///Classification/TeamProject/73d2ba69-da36-4d82-abb1-778c867bc350'

Also please re-install the latest az/dev-ops version and computer/PowerShell restart

If you are still facing the issue. Could you please the share output of the 'az devops security permission list' command ?

v-anvashist commented 2 weeks ago

@lokesh-exelaonline executed the command in our windows PowerShell and it is working for us

lokesh-exelaonline commented 2 weeks ago

Hi Team, I made the required changes as suggested, still the output I same. PS C:\Users\lokesh.bhutada> az devops security permission update --allow-bit 1 --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS0zMTE3MzM1NjQzLTQ3NzM2NDgwOC0yMTQ3NjkzODM2LTQwNDUxNTQ3NTAtMS0zNjU2NDEyOTQyLTM4NDQ1MDAwNDMtMjU2NzMyMTU5Mi02MDA5OTE2MDg --token '$PROJECT:vstfs:///Classification/TeamProject/c2829811-ce0f-4749-bba4-1a5057299918' --org https://dev.azure.com/XXXX TF400898: An Internal Error Occurred. Activity Id: da63b8ba-c415-4f50-8342-6ec4b5cc3868.

also attached output file for the requested command as below. PS C:\Users\lokesh.bhutada\Desktop> az devops security permission list --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS0zMTE3MzM1NjQzLTQ3NzM2NDgwOC0yMTQ3NjkzODM2LTQwNDUxNTQ3NTAtMS0zNjU2NDEyOTQyLTM4NDQ1MDAwNDMtMjU2NzMyMTU5Mi02MDA5OTE2MDg --org https://dev.azure.com/XXX | Out-file -FilePath C:\Users\lokesh.bhutada\Desktop\output.txt
output.txt

v-anvashist commented 2 weeks ago

Hi @lokesh-exelaonline Is this issue for windows or linux PowerShell?

Also, run the "az devops security permission update" with --debug switch and share the logs.

lokesh-exelaonline commented 2 weeks ago

using Windows Powershell from the beginning, attached the logs for the command as requested and I am also able to list the permission of that specific token with repo ID which means the issue is with only the update command in backend, attached output of both the command PFA output1.txt

v-anvashist commented 2 weeks ago

Hi @lokesh-exelaonline I have checked the logs and exception is unauthorized access.

Can you please confirm your VSID is a4dd5b57-decf-4807-b061-94b9d9b802f9

You are facing this issue recently or in past also you were not able to run this command?

v-anvashist commented 2 weeks ago

I hope you are part of project collection administrator security group

lokesh-exelaonline commented 2 weeks ago

Yes I verified all the permissions my User has and tried with a new token and with another admin user also but still the issue is same. I am able to list details using below command az devops security permission list --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject vssgp.Sample_Subject --org https://dev.azure.com/OrgName --token 'sample_token'

but the update is not working I also tried with deny-bit 0 az devops security permission update --allow-bit 1 --id 2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87 --subject vssgp.Sample_Subject --token 'Sample_Token' --org https://dev.azure.com/OrgName

v-anvashist commented 1 week ago

Hello @lokesh-exelaonline Can you please share your VSID? Here you can get it from this url https://app.vssps.visualstudio.com/_apis/identities/me?api-version=4.0

Query-

Are u recently facing this issue in update command because as per the logs you don't have access to do update and update command requires build permissions also with project permissions?

lokesh-exelaonline commented 1 week ago

Hi Team, This is my first time trying to update permissions through Az DevOps CLI. As informed earlier, I am part of the most privileged access group project collection admin. Please tell me if any further access needs to be assigned or if any settings need to be enabled to do a permission update with CLI.

https://app.vssps.visualstudio.com/_apis/identities/me?api-version=4.0 Output: {"id":"433eb457-3d2e-6e9b-bcdb-4135f7090de8","displayName":"Lokesh Bhutada","accountName":"Lokesh.Bhutada@exelaonline.com","origin":"aad","originId":"8f765dd0-8430-4a99-bef2-e068d72c6bd6","domain":"f7144bf2-a2d3-429d-91f2-40c6fff33383","tenants":[{"tenantId":"f7144bf2-a2d3-429d-91f2-40c6fff33383","tenantName":"Exela Technologies","homeTenant":true,"verifiedDomains":null},{"tenantId":"0f305300-1e25-463f-8b04-cd4e0e7524af","tenantName":"BancTec Inc","homeTenant":false,"verifiedDomains":null},{"tenantId":"5835af38-78c2-409c-88af-9e46ebcabb8d","tenantName":"Exelatech","homeTenant":false,"verifiedDomains":null}]}

lokesh-exelaonline commented 5 days ago

Hi Team, Is there any update on this?

v-anvashist commented 5 days ago

Hello @lokesh-exelaonline I was OOO last week and back today. Will share the update by today eod.

v-anvashist commented 2 days ago

Hi @lokesh-exelaonline We have raised ICM on platform team for help https://portal.microsofticm.com/imp/v5/incidents/details/547558035/summary

Azure / azure-cli