From 5cad9897816e15e668748b63ea4daf0866e3d28e Mon Sep 17 00:00:00 2001 From: Xiaofan Zhou Date: Thu, 9 Jan 2025 14:23:51 +0800 Subject: [PATCH 1/3] add --system-identity for redis --- .../serviceconnector/_resource_config.py | 8 ++++---- .../command_modules/serviceconnector/_validators.py | 11 ++++++++++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/serviceconnector/_resource_config.py b/src/azure-cli/azure/cli/command_modules/serviceconnector/_resource_config.py index a4c83b6defe..ac9aee70b59 100644 --- a/src/azure-cli/azure/cli/command_modules/serviceconnector/_resource_config.py +++ b/src/azure-cli/azure/cli/command_modules/serviceconnector/_resource_config.py @@ -782,7 +782,7 @@ class CLIENT_TYPE(Enum): RESOURCE.Mysql: [AUTH_TYPE.Secret], RESOURCE.MysqlFlexible: [AUTH_TYPE.Secret, AUTH_TYPE.UserAccount], RESOURCE.Sql: [AUTH_TYPE.Secret, AUTH_TYPE.UserAccount], - RESOURCE.Redis: [AUTH_TYPE.SecretAuto], + RESOURCE.Redis: [AUTH_TYPE.SecretAuto, AUTH_TYPE.UserAccount, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.RedisEnterprise: [AUTH_TYPE.SecretAuto], RESOURCE.CosmosCassandra: [AUTH_TYPE.SecretAuto, AUTH_TYPE.UserAccount, AUTH_TYPE.ServicePrincipalSecret], @@ -811,7 +811,7 @@ class CLIENT_TYPE(Enum): RESOURCE.Mysql: [AUTH_TYPE.Secret], RESOURCE.MysqlFlexible: [AUTH_TYPE.Secret, AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.Sql: [AUTH_TYPE.Secret, AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], - RESOURCE.Redis: [AUTH_TYPE.SecretAuto], + RESOURCE.Redis: [AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.RedisEnterprise: [AUTH_TYPE.SecretAuto], RESOURCE.CosmosCassandra: [AUTH_TYPE.SystemIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], 
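Review bot: In the hunk at -811,7 the new Redis entry puts `AUTH_TYPE.SystemIdentity` first and moves `AUTH_TYPE.SecretAuto` to third place, and the hunks at -843,7 and -875,7 do the same with `SystemIdentity` and `WorkloadIdentity`. If the first element of these lists is used as the default when no auth option is passed (the code that reads this table is not in the diff), a Redis connection created without an explicit flag would switch from a secret to Entra-based auth. It would then depend on the cache having Entra authentication enabled. The order also differs from the neighbouring `RESOURCE.CosmosCassandra` entry, which keeps `SecretAuto` second. Either add a comment above the Redis entries saying whether list order is significant, or reorder them to match the neighbours so the default stays where it was.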
@@ -843,7 +843,7 @@ class CLIENT_TYPE(Enum): RESOURCE.Mysql: [AUTH_TYPE.Secret], RESOURCE.MysqlFlexible: [AUTH_TYPE.Secret, AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.Sql: [AUTH_TYPE.Secret, AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], - RESOURCE.Redis: [AUTH_TYPE.SecretAuto], + RESOURCE.Redis: [AUTH_TYPE.SystemIdentity, AUTH_TYPE.UserIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.RedisEnterprise: [AUTH_TYPE.SecretAuto], RESOURCE.CosmosCassandra: [AUTH_TYPE.SystemIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.UserIdentity, AUTH_TYPE.ServicePrincipalSecret], @@ -875,7 +875,7 @@ class CLIENT_TYPE(Enum): RESOURCE.Mysql: [AUTH_TYPE.Secret], RESOURCE.MysqlFlexible: [AUTH_TYPE.Secret], RESOURCE.Sql: [AUTH_TYPE.Secret], - RESOURCE.Redis: [AUTH_TYPE.SecretAuto], + RESOURCE.Redis: [AUTH_TYPE.WorkloadIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.ServicePrincipalSecret], RESOURCE.RedisEnterprise: [AUTH_TYPE.SecretAuto], RESOURCE.CosmosCassandra: [AUTH_TYPE.WorkloadIdentity, AUTH_TYPE.SecretAuto, AUTH_TYPE.ServicePrincipalSecret], diff --git a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py index aea5bc8258c..680b8508011 100644 --- a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py 
@@ -958,18 +958,27 @@ def validate_service_state(linker_parameters): if matched: target_type = target + auth_type = linker_parameters.get('auth_info', {}).get('auth_type') if target_type == RESOURCE.AppConfig and linker_parameters.get('auth_info', {}).get('auth_type') == 'secret': segments = parse_resource_id(target_id) rg = segments.get('resource_group') name = segments.get('name') + sub = segments.get('subscription') if not rg or not name: return - output = run_cli_cmd('az appconfig show -g "{}" -n "{}"'.format(rg, name)) + output = run_cli_cmd('az appconfig show -g "{}" -n "{}" --subscription "{}"'.format(rg, name, sub)) if output and output.get('disableLocalAuth') is True: raise ValidationError('Secret as auth type is not allowed when local auth is disabled for the ' 'specified appconfig, you may use service principal or managed identity.') + if target_type == RESOURCE.Redis: + if auth_type == AUTH_TYPE.Secret or auth_type == AUTH_TYPE.SecretAuto: + return + redis = run_cli_cmd('az redis show --ids "{}"'.format(target_id)) + if redis.get('redisConfiguration', {}).get('aadEnabled', 'False') != "True": + raise ValidationError('Please enable Microsoft Entra Authentication on your Redis first. Note that it will cause your cache instances to reboot to load new configuration and result in a failover. Consider performing the operation during low traffic or outside of business hours.') + def get_default_object_id_of_current_user(cmd, namespace): # pylint: disable=unused-argument user_account_auth_info = getattr(namespace, 'user_account_auth_info', None) From 4fb73231375cc4da4bcbab854f34c31355a6b96a Mon Sep 17 00:00:00 2001 From: Xiaofan Zhou Date: Mon, 13 Jan 2025 10:24:51 +0800 Subject: [PATCH 2/3] lint --- .../cli/command_modules/serviceconnector/_validators.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
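Review bot: The new Redis branch calls `redis.get(...)` on the result of `run_cli_cmd` without checking it, while the AppConfig branch just above guards the same kind of result with `if output and ...`. If the lookup returns nothing, or `redisConfiguration` comes back as null, the validator fails with an AttributeError instead of a ValidationError. A guard such as `if not redis: return` together with `(redis.get('redisConfiguration') or {}).get('aadEnabled', 'False')` would keep the two branches consistent. Both `az` commands are also built by formatting values derived from `target_id` into a double-quoted string. If `run_cli_cmd` hands that string to a shell (its implementation is not in the diff), check that `target_id` parses as a resource ID before interpolating it. The body of `validate_service_state` starts outside the hunk.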
diff --git a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py index 680b8508011..71800bc1589 100644 --- a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py @@ -977,7 +977,10 @@ def validate_service_state(linker_parameters): return redis = run_cli_cmd('az redis show --ids "{}"'.format(target_id)) if redis.get('redisConfiguration', {}).get('aadEnabled', 'False') != "True": - raise ValidationError('Please enable Microsoft Entra Authentication on your Redis first. Note that it will cause your cache instances to reboot to load new configuration and result in a failover. Consider performing the operation during low traffic or outside of business hours.') + raise ValidationError('Please enable Microsoft Entra Authentication on your Redis first. ' + 'Note that it will cause your cache instances to reboot to load new ' + 'configuration and result in a failover. Consider performing the ' + 'operation during low traffic or outside of business hours.') def get_default_object_id_of_current_user(cmd, namespace): # pylint: disable=unused-argument From e5b1b22e1ae1b62aee5b3f7b3b318bbdb8641f30 Mon Sep 17 00:00:00 2001 From: Xiaofan Zhou Date: Mon, 13 Jan 2025 12:29:04 +0800 Subject: [PATCH 3/3] fix --- .../azure/cli/command_modules/serviceconnector/_validators.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py index 71800bc1589..4d49f93bd22 100644 --- a/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/serviceconnector/_validators.py 
@@ -958,7 +958,6 @@ def validate_service_state(linker_parameters): if matched: target_type = target - auth_type = linker_parameters.get('auth_info', {}).get('auth_type') if target_type == RESOURCE.AppConfig and linker_parameters.get('auth_info', {}).get('auth_type') == 'secret': segments = parse_resource_id(target_id) rg = segments.get('resource_group') @@ -973,7 +972,8 @@ def validate_service_state(linker_parameters): 'specified appconfig, you may use service principal or managed identity.') if target_type == RESOURCE.Redis: - if auth_type == AUTH_TYPE.Secret or auth_type == AUTH_TYPE.SecretAuto: + auth_type = linker_parameters.get('auth_info', {}).get('auth_type') + if auth_type == AUTH_TYPE.Secret.value or auth_type == AUTH_TYPE.SecretAuto.value: return redis = run_cli_cmd('az redis show --ids "{}"'.format(target_id)) if redis.get('redisConfiguration', {}).get('aadEnabled', 'False') != "True":
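Review bot: In the hunk at -973,7 the secret check works as a deny-list, so any `auth_type` other than the two secret values falls through to the `az redis show` call and can raise the Entra error. That includes `None` when `auth_info` is absent from `linker_parameters`. Whether a request can reach this point without `auth_info` is not visible here, though the `.get('auth_info', {})` default suggests it is expected. Testing for the identity-based types explicitly, or adding `if auth_type is None: return`, would avoid rejecting a request that never asked for Entra auth. The comparison also reads more simply as `if auth_type in (AUTH_TYPE.Secret.value, AUTH_TYPE.SecretAuto.value):`. The function body starts and ends outside the hunk.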