daveoshinsky
commented
2 weeks ago Note that 3.42.0 Container.ReadThroughputAsync also fails with disableLocalAuth:
3304 1554 08/26 17:00:52 2047664 allocating CosmosClient using MSI method
3304 1554 08/26 17:00:53 2047664 Container throughput failure with message 'Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: Forbidden (403); Substatus: 5300; ActivityId: 768e5b85-009c-4e1f-b35d-3fc728045d62; Reason: (Request blocked by Auth cosmosuscentral : The given request [POST /offers] cannot be authorized by AAD token in data plane. Learn more: https://aka.ms/cosmos-native-rbac.
ActivityId: 768e5b85-009c-4e1f-b35d-3fc728045d62, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Cosmos.Tracing.TraceData.ClientSideRequestStatisticsTraceDatum, Windows/10.0.17763 cosmos-netstandard-sdk/3.34.4);
at Microsoft.Azure.Cosmos.GatewayStoreClient.
kirankumarkolli
Describe the bug There is no REST API or SDK API that works properly with disable local auth to list databases under a Cosmos account. The same situation likely exists with the very similar REST API to list containers in a database.
To Reproduce Attempt REST API https://learn.microsoft.com/en-us/rest/api/cosmos-db/list-databases with disable local auth. The REST API normally works with an "authorization" header based on primary master key. When local authorization is disabled, the list databases REST API will always fail with 401 (Unauthorized). Attempts were made to obtain a token and use a "bearer" header with the list databases REST API. That also fails with 401 (Unauthorized).
Expected behavior There should be a way to list databases (and to list containers in a database) when disable local auth is enabled. There should be SDK API's (CosmosClient methods) to do the same, but no such API's exist.
Actual behavior All attempts to list databases (via REST API) fail with 401 (Unauthorized) with disable local auth. Since listing databases fails, this has not been tested with the very similar REST API to list containers in a database, but the same result would very likely be seen there as well.
Environment summary SDK Version: 3.42.0 OS Version: Windows 11
Additional context This might be due to the same root cause as unresolved issue: https://github.com/Azure/cosmos-explorer/issues/1470 Web pages describing authorization with Cosmos DB REST API's https://learn.microsoft.com/en-us/rest/api/cosmos-db/common-cosmosdb-rest-request-headers and https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources?redirectedfrom=MSDN do not mention using a bearer token header with these REST API's. Without such an ability, the REST API's will always fail with 401 (Unauthorized) with disable local auth. By contrast, the REST API to list database accounts https://learn.microsoft.com/en-us/rest/api/cosmos-db-resource-provider/database-accounts/list?view=rest-cosmos-db-resource-provider-2024-05-15&tabs=HTTP should work just fine with a bearer token and disable local auth. Why are the REST API's to list databases and containers not similarly able to function with a bearer token and disable local auth? It would also be a great feature for SDK CosmosClient to have the ability to list databases and containers, rather than having to write separate REST API code.