microsoft / azuredatastudio

Azure Data Studio is a data management and development tool with connectivity to popular cloud and on-premises databases. Azure Data Studio supports Windows, macOS, and Linux, with immediate capability to connect to Azure SQL and SQL Server. Browse the extension library for more database support options including MySQL, PostgreSQL, and MongoDB.
https://learn.microsoft.com/sql/azure-data-studio
MIT License

Not able to connect to Azure Data Explorer cluster via Azure Data Studio #24619

Open andresilva-msft opened 11 months ago

andresilva-msft commented 11 months ago

Steps to Reproduce:

Customer is registered under two different tenants. Say tenant A and B.

The customer has an Azure Data Explorer cluster under tenant A. The customer does not have permissions to access tenant B by the company policy.

Whenever the customer tries to access the cluster via Azure Data Studio, he receives a 401/403 Forbidden error. This, however, works when accessing the cluster via the Azure Data Explorer Web UI.

We discovered that, even if the customer is selecting tenant A, Data Studio is forcing the customer to use the tenant B instead. From telemetry logs in Kusto, we see the customer is getting a forbidden error for the tenant B id instead of the tenant A, even when selecting the tenant A in Data Studio connection.

Does this issue occur when all extensions are disabled?: Yes/No

cheenamalhotra commented 10 months ago

Captured error:

System.AggregateException: One or more errors occurred. (One or more errors occurred. (One or more errors occurred. (Forbidden (403-Forbidden): {
    "error": {
        "code": "Forbidden",
        "message": "Caller is not authorized to perform this action",
        "@type": "Kusto.Common.Svc.Exceptions.UnauthorizedOperationException",
        "@message": "Principal 'aaduser=<user-id>;<tenant-id>' is not authorized to perform operation 'SchemaShowCommand' on 'https://<clustername>.<region>.kusto.windows.net:443/'.",
        "@context": {
            "timestamp": "2023-11-03T21:51:39.4702982Z",
            "serviceAlias": "<clustername>",
            "machineName": "KEngine000000",
            "processName": "Kusto.WinSvc.Svc",
            "processId": 6040,
            "threadId": 1964,
            "clientRequestId": "#####",
            "activityId": "#####",
            "subActivityId": "#####",
            "activityType": "DN.FE.ExecuteControlCommand",
            "parentActivityId": "#####"
        },
        "@permanent": true
    }
}. This normally represents a permanent error, and retrying is unlikely to help.
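
Added example, not part of the issue thread or of Azure Data Studio's code: a triage helper that compares the tenant selected in the connection dialog with the `tid` claim of the access token actually sent and with the tenant in the rejected `aaduser=<user-id>;<tenant-id>` principal from the captured error. The tenant GUIDs, the token and the error line are constructed sample data, and the function names are hypothetical.

```python
import base64
import json
import re

# Principal format as it appears in the captured Kusto 403 message:
#   Principal 'aaduser=<user-id>;<tenant-id>'
PRINCIPAL_RE = re.compile(r"Principal 'aaduser=([^;']+);([^']+)'")

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))

def rejected_tenant(error_text):
    """Tenant ID of the principal the cluster rejected, or None if absent."""
    m = PRINCIPAL_RE.search(error_text)
    return m.group(2).lower() if m else None

def diagnose(selected_tenant, token, error_text):
    """Compare the tenant the user picked with the tenant actually used."""
    selected = selected_tenant.lower()
    token_tid = str(jwt_claims(token).get("tid", "")).lower() or None
    rejected = rejected_tenant(error_text)
    return {
        "token_tenant": token_tid,
        "rejected_tenant": rejected,
        "token_matches_selection": token_tid == selected,
        "error_matches_selection": rejected == selected,
    }

# --- constructed sample data (not taken from the issue) ---
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"  # tenant hosting the cluster
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"  # tenant the user cannot use

def make_unsigned_token(claims):
    """Build a JWT-shaped string with a dummy signature for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SAMPLE_TOKEN = make_unsigned_token({"tid": TENANT_B, "oid": "user-1"})
SAMPLE_ERROR = (f"Principal 'aaduser=user-1;{TENANT_B}' is not authorized to "
                "perform operation 'SchemaShowCommand'")

if __name__ == "__main__":
    print(diagnose(TENANT_A, SAMPLE_TOKEN, SAMPLE_ERROR))
```

An access token is a bearer credential, so decode it locally and share only the resulting `tid` value when reporting the mismatch.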