Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License

API contract violation for azure-mgmt-authorization #30256

Closed TheOnlyWei closed 1 year ago

TheOnlyWei commented 1 year ago

Describe the bug

Wrong model for role assignment. The API version 2015-07-01 of the Azure Python SDK still used for Azure Stack Hub should follow this API contract: https://github.com/Azure/azure-rest-api-specs/tree/main/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01

An example of a violation is the following RoleAssignmentProperties model, which is missing the outer wrapping JSON property properties: https://github.com/Azure/azure-sdk-for-python/blob/d31433d347fbd2e0f4d45694818b1225812e5aa4/sdk/authorization/azure-mgmt-authorization/azure/mgmt/authorization/v2015_07_01/models/_models_py3.py#L562

Refer to the API contract for 2015-07-01: https://github.com/Azure/azure-rest-api-specs/blob/e7e775e2f3fe00f25fbd0e7ca0d953e22eef93ff/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01/authorization-RoleAssignmentsCalls.json#L618

If you check the model, it just has role_definition_id and principal_id instead of correctly being wrapped by a properties property:

This appears to affect some of the models in this file: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/authorization/azure-mgmt-authorization/azure/mgmt/authorization/v2015_07_01/models/_models_py3.py

Please verify the models against the 2015-07-01 API contract: https://github.com/Azure/azure-rest-api-specs/tree/main/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01

Debug error for one of the models causing the issue:

PS C:\Users\Administrator.RP0103-DVM> az role assignment create --assignee-object-id $objectId `
>> --role "owner" `
>> --scope "/subscriptions/${subscriptionId}/resourceGroups/rbactestrg" `
>> --debug
cli.knack.cli: Command arguments: ['role', 'assignment', 'create', '--assignee-object-id', 'c1631a0d-d1c7-404b-b0c1-77fa7612b213', '--role', 'owner', '--scope', '/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0167A460>, <function OutputProducer.on_global_arguments at 0x01748BF8>, <function CLIQuery.on_global_arguments at 0x01766850>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.008        17        60
cli.azure.cli.core: Total (1)                 0.008        17        60
cli.azure.cli.core: Loaded 17 groups, 60 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : role assignment create
cli.azure.cli.core: Command table: role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03A5A460>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Administrator.RP0103-DVM\.azure\commands\2023-05-04.05-13-16.role_assignment_create.13156.log'.
az_command_data_logger: command args: role assignment create --assignee-object-id {} --role {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03A6C808>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03A90730>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03A90970>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01748C40>, <function CLIQuery.handle_query_parameter at 0x01766898>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03A90928>]
cli.azure.cli.command_modules.role.custom: RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\Administrator.RP0103-DVM\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\Administrator.RP0103-DVM\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 58c13d68-9350-4ddc-9d07-01be2ddb7ca5
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds'
cli.azure.cli.core.util: Request method: 'POST'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Windows-10-10.0.17763-SP0) AZURECLI/2.48.1 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '1c3ec375-52cb-40aa-b098-b97e1080574e'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'CommandName': 'role assignment create'
cli.azure.cli.core.util:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util:     'Content-Length': '132'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: {"ids": ["c1631a0d-d1c7-404b-b0c1-77fa7612b213"], "types": ["user", "group", "servicePrincipal", "directoryObjectPartnerReference"]}
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/directoryObjects/getByIds HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Location': 'https://graph.microsoft.com'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '77dd42a5-9491-4870-8757-4525f940c628'
cli.azure.cli.core.util:     'client-request-id': '77dd42a5-9491-4870-8757-4525f940c628'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Central US","Slice":"E","Ring":"1","ScaleUnit":"000","RoleInstance":"CY4PEPF0000AB2D"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '3'
cli.azure.cli.core.util:     'OData-Version': '4.0'
cli.azure.cli.core.util:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[{"@odata.type":"#microsoft.graph.user","id":"c1631a0d-d1c7-404b-b0c1-77fa7612b213","businessPhones":[],"displayName":"Tenant Admin1","givenName":"Tenant","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"Admin","userPrincipalName":"tenantadmin1_msazurestack.onmicrosoft.com#EXT#@azurestackci15.onmicrosoft.com"}]}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/1e64bce5-9f3b-4add-8be8-e550e05014d0/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.azurestackci15.onmicrosoft.com/e338c37e-ea97-4a24-87d1-676bcf5b5eb8/.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.azurestackci15.onmicrosoft.com/e338c37e-ea97-4a24-87d1-676bcf5b5eb8/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: ee2f646e-795d-4b68-8281-9261a715d468
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27owner%27&api-version=2015-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6026c7dd-ea3a-11ed-97e8-00155d14fed4'
cli.azure.cli.core.sdk.policies:     'CommandName': 'role assignment create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.48.1 (MSI) azsdk-python-azure-mgmt-authorization/3.0.0 Python/3.10.10 (Windows-10-10.0.17763-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443
urllib3.connectionpool: https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443 "GET /subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27owner%27&api-version=2015-07-01 HTTP/1.1" 200 579
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '579'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '00000000-0000-0000-0000-000000000000'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESMET': 'DLT=0;PAS=6;DPT=4;GPT=0;SPT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESDIM': 'Result=S;RT=GetRoleDefinitionSubscriptionsPath;R=pasfe;RI=onebox;SC=OK;SliceKind=Test;Version=2.1.7550.2;FE=;RS=Unspecified;AuthFailReason=Unknown;LPSS=0;MPS=Master;DLOT=GRDS;UF=0;LEUT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-service-instanceid': 'onebox'
cli.azure.cli.core.sdk.policies:     'xtn': '5bxkHjuf3UqL6OVQ4FAU0A=='
cli.azure.cli.core.sdk.policies:     'xtf': '0'
cli.azure.cli.core.sdk.policies:     'xsc': '1'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-IIS/10.0'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '14998'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '3e5936c1-8904-4077-a06b-017e6d739767'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'REDMOND:20230504T051316Z:3e5936c1-8904-4077-a06b-017e6d739767'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"properties":{"roleName":"Owner","type":"BuiltInRole","description":"Lets you manage everything, including access to resources.","assignableScopes":["/"],"permissions":[{"actions":["*"],"notActions":[]}],"createdOn":"0001-01-01T00:00:00.0000000Z","updatedOn":"0001-01-01T00:00:00.0000000Z","createdBy":null,"updatedBy":null},"id":"/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635","type":"Microsoft.Authorization/roleDefinitions","name":"8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}]}
azure.mgmt.authorization._serialization: principal_type is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: description is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition_version is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleAssignments/2631c858-0b31-4b36-bd27-61ee6d353fe2?api-version=2015-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '217'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6026c7dd-ea3a-11ed-97e8-00155d14fed4'
cli.azure.cli.core.sdk.policies:     'CommandName': 'role assignment create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--assignee-object-id --role --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.48.1 (MSI) azsdk-python-azure-mgmt-authorization/3.0.0 Python/3.10.10 (Windows-10-10.0.17763-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"roleDefinitionId": "/subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "principalId": "c1631a0d-d1c7-404b-b0c1-77fa7612b213"}
urllib3.connectionpool: https://management.redmond.ext-rp0103.masd.stbtest.microsoft.com:443 "PUT /subscriptions/29dfa652-0b6f-4a07-82c1-cdb6065433d4/resourceGroups/rbactestrg/providers/Microsoft.Authorization/roleAssignments/2631c858-0b31-4b36-bd27-61ee6d353fe2?api-version=2015-07-01 HTTP/1.1" 400 105
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '105'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '00000000-0000-0000-0000-000000000000'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESMET': 'DLT=0;PAS=3;DPT=0;GPT=0;SPT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-ESDIM': 'Result=UE;RT=PutRoleAssignmentSubscriptionsPath;R=pasfe;RI=onebox;SC=BadRequest;SliceKind=Test;Version=2.1.7550.2;FE=;RS=Unspecified;AuthFailReason=Unknown;MPS=Master;DLOT=NONE;UF=0;LEUT=0'
cli.azure.cli.core.sdk.policies:     'x-ms-gateway-service-instanceid': 'onebox'
cli.azure.cli.core.sdk.policies:     'xtn': '5bxkHjuf3UqL6OVQ4FAU0A=='
cli.azure.cli.core.sdk.policies:     'xtf': '0'
cli.azure.cli.core.sdk.policies:     'xsc': '15'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-IIS/10.0'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1198'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '81331d9a-281a-4c19-9bf9-59ad19bab4c0'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'REDMOND:20230504T051317Z:81331d9a-281a-4c19-9bf9-59ad19bab4c0'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 04 May 2023 05:13:16 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"MalformedRoleAssignmentRequest","message":"PASRP RoleAssignment request is malformed"}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 186, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 210, in _create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_multi_api_adaptor.py", line 57, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/authorization/v2015_07_01/operations/_role_assignments_operations.py", line 738, in create
azure.core.exceptions.HttpResponseError: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed

cli.azure.cli.core.azclierror: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed
az_command_data_logger: (MalformedRoleAssignmentRequest) PASRP RoleAssignment request is malformed
Code: MalformedRoleAssignmentRequest
Message: PASRP RoleAssignment request is malformed
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03A5A580>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.557 seconds (init: 0.406, invoke: 1.151)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3599 in cache
telemetry.check: Negative: The C:\Users\Administrator.RP0103-DVM\.azure\telemetry.txt was modified at 2023-05-04 05:12:05.087529, which in less than 600.000000 s

In the debug error above, note these messages, which I am not sure if they are related to the main issue here:

azure.mgmt.authorization._serialization: principal_type is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: description is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored
azure.mgmt.authorization._serialization: condition_version is not a known attribute of class <class 'azure.mgmt.authorization.v2015_07_01.models._models_py3.RoleAssignmentProperties'> and will be ignored

To Reproduce

Example steps to reproduce one of the issues:

  1. Register Azure CLI cloud against 2020-09-01-hybrid profile. PowerShell example:

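    # Endpoint and suffix values are elided ("...") in this report.
    $configProperties = @{
        endpoints = @{
            microsoftGraphResourceId = "..."
            resourceManager = "..."
            vmImageAliasDoc = "..."
        }
        profile = "2020-09-01-hybrid"
        suffixes = @{
            storageEndpoint = "..."
            keyvaultDns = "..."
        }
    }
    # Write the cloud definition to config.json next to the script.
    $configProperties | ConvertTo-Json | Out-File -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "config.json")
    # The backtick keeps PowerShell from parsing @" as the start of a here-string.
    az cloud register --name "myAzureStackHubEnv" --cloud-config `@"config.json"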
  2. Set Azure CLI cloud to the profile registered in step 1 and log in.

  3. Run an az role assignment create command.

Expected behavior

Should not throw an error. The error is caused by an HTTP request with an incorrect request body that does not match the API contract.

Example for RoleAssignmentProperties (other models have the same issue):

Correct body:

{
  "properties": {
    "roleDefinitionId": "/subscriptions/f67d26e8-b051-4166-b8de-def9830edf35/resourceGroups/testRg1/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalId": "2eb6185c-c524-4b10-b5cb-bd3538013b8f"
  }
}

Incorrect body:

{
  "roleDefinitionId": "/subscriptions/f67d26e8-b051-4166-b8de-def9830edf35/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "principalId": "350beeae-6de2-4c18-a2e7-e5ba74e012e5"
}

Please verify all models and whether they should be wrapped in properties for the 2015-07-01 API version according to the API contract: https://github.com/Azure/azure-rest-api-specs/tree/main/specification/authorization/resource-manager/Microsoft.Authorization/stable/2015-07-01

Additional context

This issue was discovered in Azure Stack Hub.
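The correct and incorrect request bodies quoted in the issue above can be told apart before the PUT is sent. The following is an added example, not part of the original issue and not SDK or CLI code; `check_create_body` and `wrap_flat_body` are hypothetical helper names, and it assumes `roleDefinitionId` and `principalId` are the only members of `properties` in 2015-07-01, as the issue's model description and log warnings indicate.

```python
# Members of "properties" in the 2015-07-01 create body, per the issue's
# "Correct body" (assumed to be the complete set for that API version).
REQUIRED = ("roleDefinitionId", "principalId")

# The two bodies quoted in the issue, reproduced as sample input.
CORRECT_BODY = {
    "properties": {
        "roleDefinitionId": "/subscriptions/f67d26e8-b051-4166-b8de-def9830edf35/resourceGroups/testRg1/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
        "principalId": "2eb6185c-c524-4b10-b5cb-bd3538013b8f",
    }
}
INCORRECT_BODY = {
    "roleDefinitionId": "/subscriptions/f67d26e8-b051-4166-b8de-def9830edf35/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalId": "350beeae-6de2-4c18-a2e7-e5ba74e012e5",
}


def check_create_body(body):
    """Return a list of problems; an empty list means the shape matches."""
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    props = body.get("properties")
    if props is None:
        # The failure in the issue: required members sit at the top level.
        flat = [k for k in REQUIRED if k in body]
        hint = "; found at top level: " + ", ".join(flat) if flat else ""
        return ["missing 'properties' wrapper" + hint]
    if not isinstance(props, dict):
        return ["'properties' is not a JSON object"]
    problems = []
    for key in REQUIRED:
        value = props.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"properties.{key} is missing or empty")
    extra = sorted(set(props) - set(REQUIRED))
    if extra:
        problems.append("fields outside the 2015-07-01 shape: " + ", ".join(extra))
    stray = sorted(set(body) - {"properties"})
    if stray:
        problems.append("unexpected top-level fields: " + ", ".join(stray))
    return problems


def wrap_flat_body(flat, strict=True):
    """Nest a flat body under 'properties' and report what could not be kept.

    Keys outside REQUIRED cannot be expressed in this API version. With
    strict=True they raise instead of being dropped silently, so a caller
    that meant to send a condition, for example, learns it was not sent.
    """
    if not isinstance(flat, dict):
        raise TypeError("flat body must be a dict")
    dropped = sorted(k for k in flat if k not in REQUIRED)
    if dropped and strict:
        raise ValueError("not representable in 2015-07-01: " + ", ".join(dropped))
    wrapped = {"properties": {k: flat[k] for k in REQUIRED if k in flat}}
    return wrapped, dropped


if __name__ == "__main__":
    for name, body in (("correct", CORRECT_BODY), ("incorrect", INCORRECT_BODY)):
        print(name, check_create_body(body) or "ok")
    fixed, _ = wrap_flat_body(INCORRECT_BODY)
    print("wrapped", check_create_body(fixed) or "ok")
```
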

github-actions[bot] commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

msyyc commented 1 year ago

Hi @TheOnlyWei The root cause is that CLI doesn't use the model correctly. Current CLI code shall be fixed like:

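    from azure.cli.core.profiles import ResourceType, get_sdk

    # cli_ctx, role_id and assignee_object_id come from the surrounding CLI function.
    # Resolve both model classes for the API version of the active profile.
    RoleAssignmentCreateParameters = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                                             'RoleAssignmentCreateParameters', mod='models',
                                             operation_group='role_assignments')
    RoleAssignmentProperties = get_sdk(cli_ctx, ResourceType.MGMT_AUTHORIZATION,
                                       'RoleAssignmentProperties', mod='models',
                                       operation_group='role_assignments')
    # Nest the properties model inside the create-parameters model so the
    # serialized body carries the outer "properties" wrapper.
    parameters = RoleAssignmentCreateParameters(
        properties=RoleAssignmentProperties(role_definition_id=role_id, principal_id=assignee_object_id)
    )

github-actions[bot] commented 1 year ago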

Hi @TheOnlyWei. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

TheOnlyWei commented 1 year ago

Hi @msyyc, are you saying that the way Azure CLI calls Python SDK is wrong in all possible use-cases? E.g., for the following function (the function you linked in your comment above is a different command): https://github.com/Azure/azure-cli/blob/57b3fe1f115e4a32a4ef0c6bbf2c31e3d0588a33/src/azure-cli/azure/cli/command_modules/role/_multi_api_adaptor.py#L43 Or is your fix only for the old APIs like 2015-07-01?

Can you clarify why the Python SDK does not enforce the 2015-07-01 API contract for this problem and allows the user to pass parameters that break the API contract when elements like properties are required by the API version? Ideally, if there is a correct or incorrect way to use an API version that does not require unique user input, such as adding properties=RoleAssignmentProperties(...), that should either be enforced and abstracted from the user or throw an error because the API contract requires properties=RoleAssignmentProperties(...) that the user did not provide.

Created an Azure CLI GitHub issue here: https://github.com/Azure/azure-cli/issues/26362

msyyc commented 1 year ago

I think it is not a general case but just a small bug. The CLI team shall be able to fix it very easily. The Python SDK is generated correctly with the related swagger definition, and you can try it locally if interested. As for this issue, I will close it after finding the root cause. Thanks for your feedback!