Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

When missing lead "/" in scope filter parameter, returns unexpected policy object #24184

Open jwelker9 opened 1 year ago

jwelker9 commented 1 year ago

Issue is regarding the Role Management Policies - List for Scope API. When following the sample, and filtering on a roleDefinitionID, you are expected to provide a 'scope' to complete the full role definition ID, like below:

$filter=roleDefinitionId%20eq%20'/subscriptions/29c076b3-d962-4cd7-97cd-a518d5e0c05c/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

The above works as expected. However, when the lead "/" is omitted on the scope portion, it still returns a role management policy object; however, it's not one that matches the roleDefinitionId. Because there is no role name identifier (neither name nor id) in the role policy object responses generally, I can't determine which policy is being returned.

Example of omitted "/" (right after the "eq" statement and before "subscriptions"): $filter=roleDefinitionId%20eq%20'subscriptions/29c076b3-d962-4cd7-97cd-a518d5e0c05c/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

Regardless, I would expect that with a missing "/" in the scope portion of the roleDefinitionId, it would either return nothing, or an error stating the scope is invalid, rather than a seemingly random policy object not related to the roleDefinitionId you are filtering for.
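As an added example (not part of the issue or of the azure-rest-api-specs repository), a small client-side check in Python that refuses to send a roleDefinitionId filter whose scope lacks the leading "/", and that can be run over an already-built `$filter` string taken from a request log. The accepted scope shapes (subscription, resource group, management group, empty for tenant-level built-in roles) are an assumption of this example, not something the API documents on this page.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample values copied from the issue text; not real tenant data.
SUBSCRIPTION_SCOPE = "/subscriptions/29c076b3-d962-4cd7-97cd-a518d5e0c05c"
ROLE_DEF_GUID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

ROLE_DEF_SUFFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# Assumption: the value must be an absolute ARM scope followed by the
# roleDefinitions segment. Accepted scopes: subscription (optionally with a
# resource group), management group, or empty (tenant-level built-in roles).
SCOPE_RE = re.compile(
    rf"^(?:/subscriptions/{GUID}(?:/resourceGroups/[^/']+)?"
    r"|/providers/Microsoft\.Management/managementGroups/[^/']+|)$",
    re.IGNORECASE,
)
FILTER_RE = re.compile(r"roleDefinitionId\s+eq\s+'([^']*)'", re.IGNORECASE)

def validate_role_definition_id(role_def_id: str) -> list:
    """Return the problems found in a roleDefinitionId filter value ([] if clean)."""
    problems = []
    scope, sep, guid = role_def_id.rpartition(ROLE_DEF_SUFFIX)
    if not sep:
        return ["value does not contain the roleDefinitions segment"]
    if not re.fullmatch(GUID, guid, re.IGNORECASE):
        problems.append("roleDefinitions segment is not followed by a GUID")
    if scope and not scope.startswith("/"):
        # The exact case from the issue: the service answers with some other policy.
        problems.append("scope is missing its leading '/'")
    elif not SCOPE_RE.match(scope):
        problems.append(f"unrecognised scope {scope!r}")
    return problems

def build_filter(scope: str, role_def_guid: str) -> str:
    """Build the $filter query parameter, refusing an id that fails validation."""
    role_def_id = f"{scope}{ROLE_DEF_SUFFIX}{role_def_guid}"
    problems = validate_role_definition_id(role_def_id)
    if problems:
        raise ValueError("; ".join(problems))
    return "$filter=" + quote(f"roleDefinitionId eq '{role_def_id}'", safe="/'")

def check_filter(query: str) -> list:
    """Validate an already-built $filter= string, e.g. one taken from a request log."""
    match = FILTER_RE.search(unquote(query))
    if not match:
        return ["no roleDefinitionId filter found"]
    return validate_role_definition_id(match.group(1))
```

Running `check_filter` over outbound request logs is a cheap way to find callers that have been acting on the wrong policy object without knowing it.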

lirenhe commented 1 year ago

This is related to the RestAPI spec, transfer it to the spec repo.

jwelker9 commented 1 year ago

Thank you @lirenhe

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

Issue Details
Author: jwelker9
Assignees: -
Labels: `question`, `Authorization`, `Service Attention`, `customer-reported`, `needs-team-attention`
Milestone: -

navba-MSFT commented 1 year ago

Adding Service team to look into this.