[cosmosdb-preview] Add support for Table RBAC role definition and assignment CRUD actions (#8310)

* Updating cosmosdb_preview for 12.01 preview release cli

* Adding remaining changes from documentation to bump version

* working table api role definition tests

* Working table role assignment tests

* Cleaning up new resources and removing debugging helpers

* removing unused validator

* Adding help updates

* Fixing help

* Trying to fix param help

* Trying to fix param help

* Trying to fix param help

* Trying to fix param help

* Trying to fix param help

* Fixing version

* Removing azext.isPreview: true, as requested by github-actions bot

* Updating and rerecording tests with latest cli dev branch

* updating version to 1.2.0

* Changing version to be 1.2.0 as requested by github actions bot

* Chaning history.rst version from 1.3.0 to 1.2.0 as requested by reviewers

Author: etcriss

src/cosmosdb-preview/HISTORY.rst

@@ -1,7 +1,10 @@
 .. :changelog:
-
 Release History
 ===============
+1.2.0
+* Add support for Table RBAC role definition and assignment CRUD actions.
+
++++++++
 1.2.0b1
 * Add support for Throughput bucketing.
 

src/cosmosdb-preview/azext_cosmosdb_preview/_help.py

@@ -1086,3 +1086,154 @@
         text: |-
                az cosmosdb table restore --resource-group resource_group --account-name database_account_name --table-name name_of_table_needs_to_be_restored --restore-timestamp 2020-07-13T16:03:41+0000
 """
+
+helps['cosmosdb table role'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Table role resources.
+"""
+
+helps['cosmosdb table role definition'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Table role definitions.
+"""
+
+helps['cosmosdb table role definition create'] = """
+type: command
+short-summary: Create a Table role definition under an Azure Cosmos DB account.
+examples:
+  - name: Create a Table role definition under an Azure Cosmos DB account using a JSON string.
+    text: |
+      az cosmosdb table role definition create --account-name MyAccount --resource-group MyResourceGroup --body '{
+        "Id": "be79875a-2cc4-40d5-8958-566017875b39",
+        "RoleName": "My Read Only Role",
+        "Type": "CustomRole",
+        "AssignableScopes": ["/dbs/mydb/colls/mycontainer"],
+        "Permissions": [{
+          "DataActions": [
+            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
+            "Microsoft.DocumentDB/databaseAccounts/tables/containers/entities/read",
+            "Microsoft.DocumentDB/databaseAccounts/tables/containers/executeQuery",
+            "Microsoft.DocumentDB/databaseAccounts/tables/containers/readChangeFeed"
+          ]
+        }]
+      }'
+  - name: Create a Table role definition under an Azure Cosmos DB account using a JSON file.
+    text: az cosmosdb table role definition create --account-name MyAccount --resource-group MyResourceGroup --body @role-definition.json
+"""
+
+helps['cosmosdb table role definition delete'] = """
+type: command
+short-summary: Delete a Table role definition under an Azure Cosmos DB account.
+examples:
+  - name: Delete a Table role definition under an Azure Cosmos DB account.
+    text: az cosmosdb table role definition delete --account-name MyAccount --resource-group MyResourceGroup --role-definition-id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb table role definition exists'] = """
+type: command
+short-summary: Check if an Azure Cosmos DB role definition exists.
+examples:
+  - name: Check if an Azure Cosmos DB role definition exists.
+    text: az cosmosdb table role definition exists --account-name MyAccount --resource-group MyResourceGroup --role-definition-id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb table role definition list'] = """
+type: command
+short-summary: List all Table role definitions under an Azure Cosmos DB account.
+examples:
+  - name: List all Table role definitions under an Azure Cosmos DB account.
+    text: az cosmosdb table role definition list --account-name MyAccount --resource-group MyResourceGroup
+"""
+
+helps['cosmosdb table role definition show'] = """
+type: command
+short-summary: Show the properties of a Table role definition under an Azure Cosmos DB account.
+examples:
+  - name: Show the properties of a Table role definition under an Azure Cosmos DB account.
+    text: az cosmosdb table role definition show --account-name MyAccount --resource-group MyResourceGroup --role-definition-id be79875a-2cc4-40d5-8958-566017875b39
+"""
+
+helps['cosmosdb table role definition update'] = """
+type: command
+short-summary: Update a Table role definition under an Azure Cosmos DB account.
+examples:
+  - name: Update a Table role definition under an Azure Cosmos DB account.
+    text: az cosmosdb table role definition update --account-name MyAccount --resource-group MyResourceGroup --body @role-definition.json
+"""
+
+helps['cosmosdb table role assignment'] = """
+type: group
+short-summary: Manage Azure Cosmos DB Table role assignments.
+"""
+
+helps['cosmosdb table role assignment create'] = """
+type: command
+short-summary: Create a Table role assignment under an Azure Cosmos DB account.
+examples:
+  - name: Create a Table role assignment under an Azure Cosmos DB account using Role Definition Name.
+    text: |
+      az cosmosdb table role assignment create --account-name MyAccount --resource-group MyResourceGroup \\
+        --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8 \\
+        --role-definition-name "My Read Only Role" \\
+        --scope "/dbs/mydb/colls/mycontainer" \\
+        --principal-id 6328f5f7-dbf7-4244-bba8-fbb9d8066506
+  - name: Create a Table role assignment under an Azure Cosmos DB account using Role Definition ID.
+    text: |
+      az cosmosdb table role assignment create --account-name MyAccount --resource-group MyResourceGroup \\
+        --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8 \\
+        --role-definition-id be79875a-2cc4-40d5-8958-566017875b39 \\
+        --scope "/dbs/mydb/colls/mycontainer" \\
+        --principal-id 6328f5f7-dbf7-4244-bba8-fbb9d8066506
+"""
+
+helps['cosmosdb table role assignment delete'] = """
+type: command
+short-summary: Delete a Table role assignment under an Azure Cosmos DB account.
+examples:
+  - name: Delete a Table role assignment under an Azure Cosmos DB account.
+    text: az cosmosdb table role assignment delete --account-name MyAccount --resource-group MyResourceGroup --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8
+"""
+
+helps['cosmosdb table role assignment exists'] = """
+type: command
+short-summary: Check if an Azure Cosmos DB role assignment exists.
+examples:
+  - name: Check if an Azure Cosmos DB role assignment exists.
+    text: az cosmosdb table role assignment exists --account-name MyAccount --resource-group MyResourceGroup --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8
+"""
+
+helps['cosmosdb table role assignment list'] = """
+type: command
+short-summary: List all Table role assignments under an Azure Cosmos DB account.
+examples:
+  - name: List all Table role assignments under an Azure Cosmos DB account.
+    text: az cosmosdb table role assignment list --account-name MyAccount --resource-group MyResourceGroup
+"""
+
+helps['cosmosdb table role assignment show'] = """
+type: command
+short-summary: Show the properties of a Table role assignment under an Azure Cosmos DB account.
+examples:
+  - name: Show the properties of a Table role assignment under an Azure Cosmos DB account.
+    text: az cosmosdb table role assignment show --account-name MyAccount --resource-group MyResourceGroup --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8
+"""
+
+helps['cosmosdb table role assignment update'] = """
+type: command
+short-summary: Update a Table role assignment under an Azure Cosmos DB account.
+examples:
+  - name: Update a Table role assignment under an Azure Cosmos DB account using Role Definition Name.
+    text: |
+      az cosmosdb table role assignment update --account-name MyAccount --resource-group MyResourceGroup \\
+        --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8 \\
+        --role-definition-name "My Read Only Role" \\
+        --scope "/dbs/mydb/colls/mycontainer" \\
+        --principal-id 6328f5f7-dbf7-4244-bba8-fbb9d8066506
+  - name: update a Table role assignment under an Azure Cosmos DB account using Role Definition ID.
+    text: |
+      az cosmosdb table role assignment update --account-name MyAccount --resource-group MyResourceGroup \\
+        --role-assignment-id cb8ed2d7-2371-4e3c-bd31-6cc1560e84f8 \\
+        --role-definition-id be79875a-2cc4-40d5-8958-566017875b39 \\
+        --scope "/dbs/mydb/colls/mycontainer" \\
+        --principal-id 6328f5f7-dbf7-4244-bba8-fbb9d8066506
+"""

src/cosmosdb-preview/azext_cosmosdb_preview/_params.py

@@ -17,7 +17,10 @@
     validate_mongo_role_definition_body,
     validate_mongo_role_definition_id,
     validate_mongo_user_definition_body,
-    validate_mongo_user_definition_id)
+    validate_mongo_user_definition_id,
+    validate_table_role_definition_body,
+    validate_table_role_definition_id,
+    validate_table_role_assignment_id)
 
 from azext_cosmosdb_preview.actions import (
     CreateGremlinDatabaseRestoreResource,
@@ -55,6 +58,24 @@
     validate_client_encryption_policy)
 
 
+TABLE_ROLE_DEFINITION_EXAMPLE = """--body "{
+\\"Id\\": \\"be79875a-2cc4-40d5-8958-566017875b39\\",
+\\"RoleName\\": \\"MyTestRole\\",
+\\"type\\": \\"CustomRole\\",
+\\"description\\": \\"Custom role to read Cosmos DB metadata\\",
+\\"AssignableScopes\\":[\\"/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/MyDBAccountName\\"],
+\\"Permissions\\": [{\\"dataActions\\": [\\"Microsoft.DocumentDB/databaseAccounts/readMetadata\\"]}]
+}"
+"""
+
+TABLE_ROLE_ASSIGNMENT_EXAMPLE = """--body "{
+\\"Id\\": \\"be79875a-2cc4-40d5-8958-566017875b39\\",
+\\"RoleDefinitionId\\": \\"MyTestRoleAssignment\\",
+\\"PrincipalId\\": \\"efc9875a-2cc4-40d5-8958-566017875b39\\",
+\\"Scope\\":\\"/subscriptions/cfe9875a-2cc4-40d5-8958-566017875b39/resourceGroups/MyResourceGroup/providers/Microsoft.DocumentDB/databaseAccounts/MyDBAccountName\\",
+}"
+"""
+
 MONGO_ROLE_DEFINITION_EXAMPLE = """--body "{
 \\"Id\\": \\"be79875a-2cc4-40d5-8958-566017875b39\\",
 \\"RoleName\\": \\"MyRWRole\\",
@@ -652,3 +673,17 @@ def load_arguments(self, _):
         c.argument('table_name', options_list=['--table-name', '-n'], required=True, help='Name of the CosmosDB Table name')
         c.argument('restore_timestamp', options_list=['--restore-timestamp', '-t'], action=UtcDatetimeAction, help="The timestamp to which the Table needs to be restored to.", required=False)
         c.argument('disable_ttl', options_list=['--disable-ttl'], arg_type=get_three_state_flag(), help="Enable or disable restoring with ttl disabled.", is_preview=True, required=False)
+
+    # table role definition
+    with self.argument_context('cosmosdb table role definition') as c:
+        c.argument('account_name', account_name_type, id_part=None)
+        c.argument('role_definition_id', options_list=['--role-definition-id', '-i'], validator=validate_table_role_definition_id, help="Unique ID for the Table Role Definition.")
+        c.argument('table_role_definition_body', options_list=['--body', '-b'], validator=validate_table_role_definition_body, completer=FilesCompleter(), help="Role Definition body with Id (Optional for create), Type (Default is CustomRole), RoleName, Description, AssignableScopes, Permissions.  You can enter it as a string or as a file, e.g., --body @table-role_definition-body-file.json or " + TABLE_ROLE_DEFINITION_EXAMPLE)
+
+    with self.argument_context('cosmosdb table role assignment') as c:
+        c.argument('account_name', account_name_type, id_part=None)
+        c.argument('role_assignment_id', options_list=['--role-assignment-id', '-i'], validator=validate_table_role_assignment_id, help="Optional for Create. Unique ID for the Role Assignment. If not provided, a new GUID will be used.")
+        c.argument('role_definition_id', options_list=['--role-definition-id', '-d'], help="Unique ID of the Role Definition that this Role Assignment refers to.")
+        c.argument('role_definition_name', options_list=['--role-definition-name', '-n'], help="Unique Name of the Role Definition that this Role Assignment refers to. Eg. 'Contoso Reader Role'.")
+        c.argument('scope', options_list=['--scope', '-s'], help="Data plane resource path at which this Role Assignment is being granted.")
+        c.argument('principal_id', options_list=['--principal-id', '-p'], help="AAD Object ID of the principal to which this Role Assignment is being granted.")

src/cosmosdb-preview/azext_cosmosdb_preview/_validators.py

@@ -245,3 +245,47 @@ def validate_mongo_user_definition_id(ns):
     """ Extracts Guid user definition Id """
     if ns.mongo_user_definition_id is not None:
         ns.mongo_user_definition_id = _parse_resource_path(ns.mongo_user_definition_id, False, "mongodbUserDefinitions")
+
+
+def validate_table_role_definition_body(cmd, ns):
+    """ Extracts role definition body """
+    from azext_cosmosdb_preview.vendored_sdks.azure_mgmt_cosmosdb.models import RoleDefinitionType
+    from azure.cli.core.util import get_file_json, shell_safe_json_parse
+    import os
+
+    if ns.table_role_definition_body is not None:
+        if os.path.exists(ns.table_role_definition_body):
+            table_role_definition = get_file_json(ns.table_role_definition_body)
+        else:
+            table_role_definition = shell_safe_json_parse(ns.table_role_definition_body)
+
+        if not isinstance(table_role_definition, dict):
+            raise InvalidArgumentValueError(
+                'Role creation failed. Invalid table role definition. A valid dictionary JSON representation is expected.')
+
+        if 'RoleName' not in table_role_definition or not isinstance(table_role_definition['RoleName'], str) or len(table_role_definition['RoleName']) == 0:
+            raise InvalidArgumentValueError(
+                'Role creation failed. Invalid table role name. A valid string role name is expected.')
+                            
+        if 'AssignableScopes' not in table_role_definition or not isinstance(table_role_definition['AssignableScopes'], list) or len(table_role_definition['AssignableScopes']) == 0:
+            raise InvalidArgumentValueError(
+                'Role creation failed. Invalid Table role definition for AssignableScopes. A valid list of strings is expected.')        
+        
+        if 'Permissions' not in table_role_definition or not isinstance(table_role_definition['Permissions'], list) or len(table_role_definition['Permissions']) == 0:
+            raise InvalidArgumentValueError(
+                'Role creation failed. Invalid Table role Permissions. A valid List JSON representation is expected.')
+
+        if 'Type' not in table_role_definition:
+            table_role_definition['Type'] = RoleDefinitionType.custom_role
+
+        ns.table_role_definition_body = table_role_definition
+
+def validate_table_role_definition_id(ns):
+    """ Extracts Guid role definition Id """
+    if ns.role_definition_id is not None:
+        ns.role_definition_id = _parse_resource_path(ns.role_definition_id, False, "tableRoleDefinitions")
+        
+def validate_table_role_assignment_id(ns):
+    """ Extracts Guid role assignment Id """
+    if ns.role_assignment_id is not None:
+        ns.role_assignment_id = _parse_resource_path(ns.role_assignment_id, False, "tableRoleAssignments")

src/cosmosdb-preview/azext_cosmosdb_preview/azext_metadata.json

@@ -1,4 +1,3 @@
 {
-    "azext.isPreview": true,
     "azext.minCliCoreVersion": "2.17.1"
 }

src/cosmosdb-preview/azext_cosmosdb_preview/commands.py

@@ -49,6 +49,10 @@ def load_command_table(self, _):
     cosmosdb_sql_sdk = CliCommandType(
         operations_tmpl='azure.mgmt.cosmosdb.operations#SqlResourcesOperations.{}',
         client_factory=cf_sql_resources)
+        
+    cosmosdb_rbac_table_sdk = CliCommandType(
+        operations_tmpl='azext_cosmosdb_preview.vendored_sdks.azure_mgmt_cosmosdb.operations#TableResourcesOperations.{}',
+        client_factory=cf_table_resources)
 
     with self.command_group('managed-cassandra cluster', cosmosdb_managed_cassandra_cluster_sdk, client_factory=cf_cassandra_cluster) as g:
         g.custom_command('create', 'cli_cosmosdb_managed_cassandra_cluster_create', supports_no_wait=True)
@@ -94,6 +98,22 @@ def load_command_table(self, _):
         g.custom_command('create', 'cli_cosmosdb_sql_container_create')
         g.custom_command('update', 'cli_cosmosdb_sql_container_update')
 
+    with self.command_group('cosmosdb table role definition', cosmosdb_rbac_table_sdk, client_factory=cf_table_resources) as g:
+        g.custom_command('create', 'cli_cosmosdb_table_role_definition_create')
+        g.custom_command('update', 'cli_cosmosdb_table_role_definition_update')
+        g.custom_command('exists', 'cli_cosmosdb_table_role_definition_exists')
+        g.command('list', 'list_table_role_definitions')
+        g.show_command('show', 'get_table_role_definition')
+        g.command('delete', 'begin_delete_table_role_definition', confirmation=True)        
+    
+    with self.command_group('cosmosdb table role assignment', cosmosdb_rbac_table_sdk, client_factory=cf_table_resources) as g:
+        g.custom_command('create', 'cli_cosmosdb_table_role_assignment_create')
+        g.custom_command('update', 'cli_cosmosdb_table_role_assignment_update')
+        g.custom_command('exists', 'cli_cosmosdb_table_role_assignment_exists')
+        g.command('list', 'list_table_role_assignments')
+        g.show_command('show', 'get_table_role_assignment')
+        g.command('delete', 'begin_delete_table_role_assignment', confirmation=True)
+
     # restorable accounts api sdk
     cosmosdb_sdk = CliCommandType(
         operations_tmpl='azext_cosmosdb_preview.vendored_sdks.azure_mgmt_cosmosdb.operations#DatabaseAccountsOperations.{}',