Open daveoshinsky opened 2 weeks ago
Note that 3.42.0 Container.ReadThroughputAsync also fails with disableLocalAuth:
3304 1554 08/26 17:00:52 2047664 allocating CosmosClient using MSI method
3304 1554 08/26 17:00:53 2047664 Container throughput failure with message 'Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: Forbidden (403); Substatus: 5300; ActivityId: 768e5b85-009c-4e1f-b35d-3fc728045d62; Reason: (Request blocked by Auth cosmosuscentral : The given request [POST /offers] cannot be authorized by AAD token in data plane. Learn more: https://aka.ms/cosmos-native-rbac.
ActivityId: 768e5b85-009c-4e1f-b35d-3fc728045d62, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Cosmos.Tracing.TraceData.ClientSideRequestStatisticsTraceDatum, Windows/10.0.17763 cosmos-netstandard-sdk/3.34.4);
at Microsoft.Azure.Cosmos.GatewayStoreClient.
This issue should not have been closed. It remains an open problem. Both REST API to list databases and Container.ReadThroughputAsync (mentioned in the above comment) do not work at all with "disable local auth".
To clarify one thing - with the exact same user, MSI, RBAC, etc. but without "disable local auth", the above operations work properly. It is "disable local auth" specifically, that when added, causes all functionality mentioned above to stop working. It's likely that other functionality is also non-functional with "disable local auth", like "list containers in database" REST API as well as additional SDK method calls.
@daveoshinsky it's a service issue. This GitHub is for client issues only. Can you please create a support ticket to follow up?
Describe the bug
There is no REST API or SDK API that works properly with disable local auth to list databases under a Cosmos account. The same situation likely exists with the very similar REST API to list containers in a database.
To Reproduce
Attempt REST API https://learn.microsoft.com/en-us/rest/api/cosmos-db/list-databases with disable local auth. The REST API normally works with an "authorization" header based on primary master key. When local authorization is disabled, the list databases REST API will always fail with 401 (Unauthorized). Attempts were made to obtain a token and use a "bearer" header with the list databases REST API. That also fails with 401 (Unauthorized).
Expected behavior
There should be a way to list databases (and to list containers in a database) when disable local auth is enabled. There should be SDK APIs (CosmosClient methods) to do the same, but no such APIs exist.
Actual behavior
All attempts to list databases (via REST API) fail with 401 (Unauthorized) with disable local auth. Since listing databases fails, this has not been tested with the very similar REST API to list containers in a database, but the same result would very likely be seen there as well.
Environment summary
SDK Version: 3.42.0
OS Version: Windows 11
Additional context
This might be due to the same root cause as unresolved issue: https://github.com/Azure/cosmos-explorer/issues/1470

Web pages describing authorization with Cosmos DB REST APIs, https://learn.microsoft.com/en-us/rest/api/cosmos-db/common-cosmosdb-rest-request-headers and https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources?redirectedfrom=MSDN, do not mention using a bearer token header with these REST APIs. Without such an ability, the REST APIs will always fail with 401 (Unauthorized) with disable local auth.

By contrast, the REST API to list database accounts https://learn.microsoft.com/en-us/rest/api/cosmos-db-resource-provider/database-accounts/list?view=rest-cosmos-db-resource-provider-2024-05-15&tabs=HTTP should work just fine with a bearer token and disable local auth. Why are the REST APIs to list databases and containers not similarly able to function with a bearer token and disable local auth?

It would also be a great feature for SDK CosmosClient to have the ability to list databases and containers, rather than having to write separate REST API code.
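
For triaging failures like the one logged in this thread once local auth has been disabled, the following added example (not code from the thread or from the SDK) extracts the refused operation from each CosmosException message and counts denials per operation. The sample log lines, account name and ActivityIds are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log line quoted in the thread.
SAMPLE_LOG = """\
3304 1554 08/26 17:00:52 2047664 allocating CosmosClient using MSI method
3304 1554 08/26 17:00:53 2047664 Container throughput failure with message 'Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: Forbidden (403); Substatus: 5300; ActivityId: 00000000-0000-0000-0000-000000000001; Reason: (Request blocked by Auth exampleaccount : The given request [POST /offers] cannot be authorized by AAD token in data plane.
3304 1554 08/26 17:01:10 2047664 Query failure with message 'Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: NotFound (404); Substatus: 0; ActivityId: 00000000-0000-0000-0000-000000000002; Reason: (Resource Not Found)
"""

# Matches only the "cannot be authorized by AAD token in data plane" refusal,
# capturing status, substatus, ActivityId, account and the refused request.
DENIAL = re.compile(
    r"\((?P<status>\d{3})\);\s*Substatus:\s*(?P<substatus>\d+);\s*"
    r"ActivityId:\s*(?P<activity_id>[0-9a-fA-F-]{36});.*?"
    r"Request blocked by Auth\s+(?P<account>\S+)\s*:\s*"
    r"The given request \[(?P<method>[A-Z]+)\s+(?P<path>[^\]]+)\]\s+"
    r"cannot be authorized by AAD token in data plane"
)


def find_aad_denials(log_text):
    """Return one dict per request the service refused to authorize with an AAD token."""
    hits = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            hit = m.groupdict()
            hit["status"] = int(hit["status"])
            hit["substatus"] = int(hit["substatus"])
            hits.append(hit)
    return hits


def summarize(hits):
    """Count denials per (method, path) so the blocked operations stand out."""
    return Counter((h["method"], h["path"]) for h in hits)


if __name__ == "__main__":
    for (method, path), n in summarize(find_aad_denials(SAMPLE_LOG)).items():
        print(f"{n}x {method} {path} refused for AAD token")
```

The ActivityId captured for each hit is the value to quote when raising the failure with support.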