Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

[Role Definitions] API Updates is eventually consistent #2135

Open tombuildsstuff opened 6 years ago

tombuildsstuff commented 6 years ago

:wave:

Terraform recently added support for [managing Role Definitions](https://www.terraform.io/docs/providers/azurerm/r/role_definition.html) (which uses the Azure APIs via the Azure SDK for Go).

Generally speaking this works well - however we've discovered that [the Read/GET API](https://docs.microsoft.com/en-us/rest/api/authorization/RoleDefinitions/Get) is eventually consistent for Updates - as shown in the following API Responses, which were taken ~10 seconds apart:

Request 1:

{
    "properties": {
        "roleName": "tom-custom-tf",
        "type": "CustomRole",
        "description": "This is a custom role created via Terraform",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": ["*"],
            "notActions": ["Microsoft.Authorization/*/read"]
        }],
        "createdOn": "2017-12-12T15:43:36.7863750Z",
        "updatedOn": "2017-12-12T15:45:48.1361754Z",
        "createdBy": "00000000-0000-0000-0000-000000000000",
        "updatedBy": "00000000-0000-0000-0000-000000000000"
    },
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "00000000-0000-0000-0000-000000000000"
}

Request 2:

{
    "properties": {
        "roleName": "tom-custom-tf",
        "type": "CustomRole",
        "description": "This is a custom role created via Terraform",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": ["*"],
            "notActions": []
        }],
        "createdOn": "2017-12-12T15:43:36.7863750Z",
        "updatedOn": "2017-12-12T15:43:36.7863750Z",
        "createdBy": "00000000-0000-0000-0000-000000000000",
        "updatedBy": "00000000-0000-0000-0000-000000000000"
    },
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "00000000-0000-0000-0000-000000000000"
}

Request 3:

{
    "properties": {
        "roleName": "tom-custom-tf",
        "type": "CustomRole",
        "description": "This is a custom role created via Terraform",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": ["*"],
            "notActions": ["Microsoft.Authorization/*/read"]
        }],
        "createdOn": "2017-12-12T15:43:36.7863750Z",
        "updatedOn": "2017-12-12T15:45:48.1361754Z",
        "createdBy": "00000000-0000-0000-0000-000000000000",
        "updatedBy": "00000000-0000-0000-0000-000000000000"
    },
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "00000000-0000-0000-0000-000000000000"
}

Request 4:

{
    "properties": {
        "roleName": "tom-custom-tf",
        "type": "CustomRole",
        "description": "This is a custom role created via Terraform",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": ["*"],
            "notActions": []
        }],
        "createdOn": "2017-12-12T15:43:36.7863750Z",
        "updatedOn": "2017-12-12T15:43:36.7863750Z",
        "createdBy": "00000000-0000-0000-0000-000000000000",
        "updatedBy": "00000000-0000-0000-0000-000000000000"
    },
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "00000000-0000-0000-0000-000000000000"
}

Whilst we can look into checking the UpdatedOn field as a workaround in the short-term - would it be possible to look into fixing the API so that it's consistent across API responses? I feel this API in particular needs to be consistent seeing as it's Identity/Security related?

Thanks!

jhendrixMSFT commented 6 years ago

@joshgav do you know who to contact on the service team about this?

joshgav commented 6 years ago

@darshanhs90 can you please take a look?

tombuildsstuff commented 6 years ago

@darshanhs90 is there any update available here? :)

darshanhs90 commented 6 years ago

@tombuildsstuff this is because the custom roles are cached, and hence the data replication takes some time for it to be available everywhere. So there is no workaround at the current moment.

tombuildsstuff commented 6 years ago

@darshanhs90 ok, thanks. Is there a rough duration for the cache to replicate? This way we can ensure we wait for at least this amount of time (and until the response is consistent once this has been done). Thanks!
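As an added example (not code from this issue, the Azure SDK for Go or Terraform): the `updatedOn`-based workaround mentioned above, written in Go, with a constructed replay of the flapping responses in Requests 1-4 standing in for the real GET (`ReplayFetch` and the timestamps are hypothetical). The point for a caller is that one fresh read is not proof the new `notActions` are in force everywhere, so the loop demands several consecutive consistent reads before the role is relied on, for example before assigning it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RoleDefinition keeps the GET fields that expose a stale replica:
// the update stamp and the permission list that flapped in the thread.
type RoleDefinition struct {
	UpdatedOn  time.Time
	NotActions []string
}

// WaitForConsistentRead polls fetch until `consecutive` reads in a row carry the
// UpdatedOn of the update just written. One matching read is not enough: the
// responses above alternate between new and old, so a fresh read can be followed
// by a stale one. sleep is injected so the loop can be driven without waiting.
func WaitForConsistentRead(fetch func() (RoleDefinition, error), want time.Time,
	consecutive, maxAttempts int, sleep func(time.Duration)) (RoleDefinition, int, error) {
	matched := 0
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		rd, err := fetch()
		if err != nil {
			return RoleDefinition{}, attempt, err
		}
		if rd.UpdatedOn.Equal(want) {
			if matched++; matched >= consecutive {
				return rd, attempt, nil
			}
		} else {
			matched = 0 // a stale replica answered; restart the streak
		}
		sleep(time.Second)
	}
	return RoleDefinition{}, maxAttempts, errors.New("role definition did not converge")
}

// ReplayFetch serves a constructed response sequence (hypothetical stand-in for
// the real GET), repeating the last entry once the sequence is exhausted.
func ReplayFetch(seq []RoleDefinition) func() (RoleDefinition, error) {
	i := 0
	return func() (RoleDefinition, error) {
		rd := seq[i]
		if i < len(seq)-1 {
			i++
		}
		return rd, nil
	}
}

func main() {
	old := RoleDefinition{UpdatedOn: time.Date(2017, 12, 12, 15, 43, 36, 0, time.UTC)}
	cur := RoleDefinition{UpdatedOn: time.Date(2017, 12, 12, 15, 45, 48, 0, time.UTC),
		NotActions: []string{"Microsoft.Authorization/*/read"}}
	// Constructed replay: the flapping of Requests 1-4, then convergence.
	fetch := ReplayFetch([]RoleDefinition{cur, old, cur, old, cur, cur, cur})
	rd, n, err := WaitForConsistentRead(fetch, cur.UpdatedOn, 3, 20, func(time.Duration) {})
	fmt.Println(n, rd.NotActions, err) // 7 [Microsoft.Authorization/*/read] <nil>
}
```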

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.

Author: tombuildsstuff
Assignees: darshanhs90
Labels: `ARM - RBAC`, `Service Attention`
Milestone: -