Updated support for synapse role assignment and Added support for role scope (#14172)

* fixing compliationerror

* getroleassignment

* refine parametersetname

* add scope to newroleassignment

* add list scope command

* refine new-azuresynapseroleassignment

* add Itemtype and Item

* refine newAzureSynapseRoleAssignment

* remove unnecessary feeds

* refine deleteroleassignmentid

* refine resourceid name

* improve remove and getroleassignments

* itemtype and item improvement

* Fix a few issues

* Correct exception types

* add principle type

* add principaltype

* caseinsent

* update changelog

* add doc for get-azsyanpserolescope

* remove powershlles

* update help doc

* add objectid back

* update Az.Synapse.md

* update auto generated mdfiles

* update changelog

* update changelog2

* update changelog3

* update changelog4

* update changelog5

* update changelog6

* update changelog7

* Update src/Synapse/Synapse/ChangeLog.md

Co-authored-by: Beisi Zhou <[email protected]>

Co-authored-by: Dongwei Wang <[email protected]>
Co-authored-by: Beisi Zhou <[email protected]>

Author: 3 people

src/Synapse/Synapse/Az.Synapse.psd1

@@ -123,7 +123,7 @@ CmdletsToExport = 'Get-AzSynapseSparkJob', 'Stop-AzSynapseSparkJob',
                'Remove-AzSynapseFirewallRule', 'Get-AzSynapseFirewallRule', 
                'Update-AzSynapseFirewallRule', 'Get-AzSynapseRoleAssignment', 
                'New-AzSynapseRoleAssignment', 'Remove-AzSynapseRoleAssignment', 
-               'Get-AzSynapseRoleDefinition', 'Get-AzSynapseSqlDatabase', 
+               'Get-AzSynapseRoleDefinition', 'Get-AzSynapseRoleScope', 'Get-AzSynapseSqlDatabase', 
                'New-AzSynapseSqlDatabase', 'Remove-AzSynapseSqlDatabase', 
                'Update-AzSynapseSqlDatabase', 'Test-AzSynapseSqlDatabase', 
                'Disable-AzSynapseSqlPoolSensitivityRecommendation', 

src/Synapse/Synapse/ChangeLog.md

@@ -18,6 +18,12 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Add support for Synapse Role-based access control
+   - Upgraded Azure.Analytics.Synapse.AccessControl to 1.0.0-preview.3
+   - Updated `New-AzSynapseRoleAssignment` cmdlet
+   - Updated `Get-AzSynapseRoleAssignment` cmdlet
+   - Updated `Remove-AzSynapseRoleAssignment` cmdlet
+   - Added `Get-AzSynapseRoleScope` cmdlet
 * Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0 
 * Added -AllowAllIp and set IP range to 0.0.0.0-255.255.255.255
 * Fixed the issue of retrieving Apache Spark pool information through management API

src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleAssignment.cs

@@ -1,13 +1,11 @@
-using Azure.Analytics.Synapse.AccessControl;
-using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Models;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
-using System.Text;
+using System.Text.RegularExpressions;
+using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
@@ -110,6 +108,44 @@ public class GetAzureSynapseRoleAssignment : SynapseRoleCmdletBase
         [ValidateNotNullOrEmpty]
         public string ObjectId { get; set; }
 
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [ValidateNotNullOrEmpty]
+        public WorkspaceItemType ItemType { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndRoleDefinitionIdAndObjectIdParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectAndServicePrincipalNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [ValidateNotNullOrEmpty]
+        public string Item { get; set; }
+
         public override void ExecuteCmdlet()
         {
             if (this.IsParameterBound(c => c.WorkspaceObject))
@@ -132,22 +168,39 @@ public override void ExecuteCmdlet()
                 this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
             }
 
+            string itemType = null;
+            if (this.IsParameterBound(c => c.ItemType))
+            {
+                itemType = this.ItemType.GetItemTypeString();
+            }
+
             if (this.IsParameterBound(c => c.RoleAssignmentId))
             {
                 WriteObject(new PSRoleAssignmentDetails(SynapseAnalyticsClient.GetRoleAssignmentById(this.RoleAssignmentId)));
             }
             else
             {
-                var roleAssignment = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId)
-                .Select(element => new PSRoleAssignmentDetails(element));
+                var roleAssignments = SynapseAnalyticsClient.ListRoleAssignments(this.RoleDefinitionId, this.ObjectId).Select(element => new PSRoleAssignmentDetails(element));
+                string allowedScopePattern = null;
+                if (this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/{this.Item}$)";
+                }
+                else if (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/{itemType}/[^/]+$)";
+                }
+                else if (!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item))
+                {
+                    allowedScopePattern = $"(^workspaces/{this.WorkspaceName}$)|(^workspaces/{this.WorkspaceName}/[^/]+/{this.Item}$)";
+                }
 
-                // TODO: Currently, when only `ObjectId` is specified, the cmdlet returns incorrect result. Filter from client side as a workaround
-                if (!string.IsNullOrEmpty(this.ObjectId))
+                if (!string.IsNullOrEmpty(allowedScopePattern))
                 {
-                    roleAssignment = roleAssignment.Where(element => element.ObjectId == this.ObjectId);
+                    roleAssignments = roleAssignments.Where(ra => ra.Scope == null || Regex.IsMatch(ra.Scope, allowedScopePattern, RegexOptions.IgnoreCase));
                 }
 
-                WriteObject(roleAssignment, true);
+                WriteObject(roleAssignments, true);
             }
         }
     }

src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/GetAzureSynapseRoleScope.cs

@@ -0,0 +1,57 @@
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.Synapse.Common;
+using Microsoft.Azure.Commands.Synapse.Models;
+using Microsoft.Azure.Commands.Synapse.Properties;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Synapse
+{
+    [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + SynapseConstants.SynapsePrefix + SynapseConstants.RoleScope,
+        DefaultParameterSetName = GetByWorkspaceNameParameterSet)]
+    [OutputType(typeof(PSSynapseRole))]
+    public class GetAzureSynapseRoleScope : SynapseRoleCmdletBase
+    {
+        private const string GetByWorkspaceNameParameterSet = "GetByWorkspaceNameParameterSet";
+        private const string GetByWorkspaceObjectParameterSet = "GetByWorkspaceObjectParameterSet";
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+            Mandatory = true, HelpMessage = HelpMessages.WorkspaceName)]
+        [ResourceNameCompleter(ResourceTypes.Workspace, "ResourceGroupName")]
+        [ValidateNotNullOrEmpty]
+        public override string WorkspaceName { get; set; }
+
+        [Parameter(ValueFromPipeline = true, ParameterSetName = GetByWorkspaceObjectParameterSet,
+            Mandatory = true, HelpMessage = HelpMessages.WorkspaceObject)]
+        [ValidateNotNull]
+        public PSSynapseWorkspace WorkspaceObject { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceNameParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+        [Parameter(ValueFromPipelineByPropertyName = false, ParameterSetName = GetByWorkspaceObjectParameterSet,
+            Mandatory = false, HelpMessage = HelpMessages.WorkspaceResourceId)]
+        [ValidateNotNullOrEmpty]
+        public string ResourceId { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            if (this.IsParameterBound(c => c.ResourceId))
+            {
+                var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+                this.WorkspaceName = resourceIdentifier.ResourceName;
+            }
+
+            if (this.IsParameterBound(c => c.WorkspaceObject))
+            {
+                this.WorkspaceName = this.WorkspaceObject.Name;
+            }
+
+            var roleScopes = SynapseAnalyticsClient.ListRoleScopes();
+            WriteObject(roleScopes, true);
+        }
+    }
+}

src/Synapse/Synapse/Commands/DataPlaneCommands/AccessControl/NewAzureSynapseRoleAssignment.cs

@@ -1,13 +1,12 @@
-using Azure.Analytics.Synapse.AccessControl.Models;
+using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Models;
 using Microsoft.Azure.Commands.Synapse.Properties;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System;
-using System.Collections.Generic;
 using System.Management.Automation;
-using System.Text;
+using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
@@ -97,6 +96,20 @@ public class NewAzureSynapseRoleAssignment : SynapseRoleCmdletBase
         [ValidateNotNullOrEmpty]
         public string ObjectId { get; set; }
 
+        // Compared with Remove-AzSynapseRoleAssignment and Get-AzSynapseRoleAssignment, no need to specify roleAssignment, it is created as
+        // random uuid. Hence unnecessary to specify the ParameterSetName
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItemType)]
+        [ValidateNotNullOrEmpty]
+        public WorkspaceItemType ItemType { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspaceItem)]
+        [ValidateNotNullOrEmpty]
+        public string Item { get; set; }
+
+        [Parameter(ValueFromPipelineByPropertyName = false, Mandatory = false, HelpMessage = HelpMessages.WorkspacePrincipalType)]
+        [ValidateNotNullOrEmpty]
+        public PrincipalType PrincipalType { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.AsJob)]
         public SwitchParameter AsJob { get; set; }
 
@@ -122,9 +135,30 @@ public override void ExecuteCmdlet()
                 this.ObjectId = SynapseAnalyticsClient.GetObjectIdFromServicePrincipalName(this.ServicePrincipalName);
             }
 
+            string itemType = null;
+            if (this.IsParameterBound(c => c.ItemType))
+            {
+                itemType = this.ItemType.GetItemTypeString();
+            }
+
+            string principalType = null;
+            if (this.IsParameterBound(c => c.PrincipalType))
+            {
+                principalType = this.PrincipalType.GetPrincipalTypeString();
+            }
+
             if (this.ShouldProcess(this.WorkspaceName, String.Format(Resources.CreatingSynapseRoleAssignment, this.WorkspaceName, this.RoleDefinitionId, this.ObjectId)))
             {
-                PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(this.RoleDefinitionId, this.ObjectId));
+                // Item type and item should appear Report error if either item type or item is specified.
+                if ((!this.IsParameterBound(c => c.ItemType) && this.IsParameterBound(c => c.Item)) ||
+                    (this.IsParameterBound(c => c.ItemType) && !this.IsParameterBound(c => c.Item)))
+                {
+                    throw new AzPSInvalidOperationException(String.Format(Resources.WorkspaceItemTypeAndItemNotAppearTogether));
+                }
+
+                string roleAssignmentId = Guid.NewGuid().ToString();
+                string scope = SynapseAnalyticsClient.GetRoleAssignmentScope(this.WorkspaceName, itemType, this.Item);
+                PSRoleAssignmentDetails roleAssignmentDetails = new PSRoleAssignmentDetails(SynapseAnalyticsClient.CreateRoleAssignment(roleAssignmentId, this.RoleDefinitionId, this.ObjectId, scope, principalType));
                 WriteObject(roleAssignmentDetails);
             }
         }