[Role] Migrate azure-mgmt-authorization SDK to Track 2 and bump API version to 2022-04-01

[jiasli]

Related command
az role

Description
Close #23372
Migrate azure-mgmt-authorization SDK to Track 2 and bump API Version to 2022-04-01:

• role_assignments: 2020-04-01-preview -> 2022-04-01
• role_definitions: 2018-01-01-preview -> 2022-04-01

Breaking changes in azure-mgmt-authorization SDK

For SDK version 0.61.0 (Track 1) -> 3.0.0 (Track 2):

• 1-1: definitions_client.config and assignments_client.config are changed to definitions_client._config and assignments_client._config.
• 1-2: custom_headers are changed to headers.
• 1-3: When a REST call fails, the error is changed from msrestazure.azure_exceptions.CloudError to azure.core.exceptions.HttpResponseError

For API version 2020-04-01-preview -> 2022-04-01:

• 2-1: RoleAssignmentsOperations changes list method to list_for_subscription.
• 2-2: RoleAssignmentCreateParameters.principal_type's default value is changed from None to User ([Role] RoleAssignmentProperties.principalType should not have default value User azure-rest-api-specs#21664)

For API version 2015-07-01:

• 3-1: ProviderOperationsMetadataOperations.get changes api_version from positional argument to keyword argument.

[jiasli]

For breaking change 1-1, Track 2 now makes config a protected attribute as _config. I can't find a better way to extract subscription ID from the SDK client.

This pattern has already been used by resource command module:

azure-cli/src/azure-cli/azure/cli/command_modules/resource/custom.py

Lines 3551 to 3552 in 1b62d20

	subscriptionId=serialize.url(
	"self._config.subscription_id", self.rcf.resources._config.subscription_id, 'str'),

Another option is to let get_mgmt_service_client return the subscription ID during client creation:

azure-cli/src/azure-cli-core/azure/cli/core/commands/client_factory.py

Lines 50 to 51 in 21266e0

	def get_mgmt_service_client(cli_ctx, client_or_resource_type, subscription_id=None, api_version=None,
	aux_subscriptions=None, aux_tenants=None, credential=None, **kwargs):

but this is such a big breaking change that it will affect almost all command modules and extension which use get_mgmt_service_client to create a client.

[jiasli]

This change was mentioned in doc: https://github.com/Azure/azure-cli/blob/dev/doc/track_2_migration_guidance.md#obtaining-subscription

However, the doc is not accurate as the subscription used to create the client (possibly via --subscription) may not be the same as the current subscription. Assuming the subscription used to create the client being the same as the current subscription can introduce bugs very difficult to track down.

[yonzhan]

Migrate azure-mgmt-authorization SDK to Track 2

[jiasli]

Affected modules: vm aro iot acs resource

[jiasli]

I accidentally discovered a problem with ams module due to breaking change 2-1, when searching for occurrences of 2020-04-01-preview API.

In 2022-04-01, RoleAssignmentsOperations changes list method to list_for_subscription:

https://github.com/Azure/azure-rest-api-specs/blob/b02ad2011daebdaa4ffc1b0b338181a464d49c47/specification/authorization/resource-manager/Microsoft.Authorization/preview/2020-04-01-preview/authorization-RoleAssignmentsCalls.json#L392-L397

    "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments": {
      "get": {
        "tags": [
          "RoleAssignments"
        ],
        "operationId": "RoleAssignments_List",

https://github.com/Azure/azure-rest-api-specs/blob/495363bc011ce917f579adc1a5209073565d37f4/specification/authorization/resource-manager/Microsoft.Authorization/stable/2022-04-01/authorization-RoleAssignmentsCalls.json#L37-L42

    "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments": {
      "get": {
        "tags": [
          "RoleAssignments"
        ],
        "operationId": "RoleAssignments_ListForSubscription",

so this line will fail:

azure-cli/src/azure-cli/azure/cli/command_modules/ams/operations/sp.py

Line 299 in 8058c09

assignments = list(assignments_client.list(filter=f))

However, the retry decorator has a bug:

azure-cli/src/azure-cli/azure/cli/command_modules/ams/operations/sp.py

Lines 245 to 258 in 8058c09

	for retry_time in range(0, _RETRY_TIMES):
	try:
	return func(*args, **kwargs)
	break # pylint: disable=unreachable
	except Exception as ex: # pylint: disable=broad-except
	if retry_time < _RETRY_TIMES:
	time.sleep(5)
	logger.warning('Retrying %s creation: %s/%s', kwargs['entity_name_string'],
	retry_time + 1, _RETRY_TIMES)
	else:
	logger.warning("Creating %s failed for appid. Trace followed:\n%s",
	kwargs['entity_name_string'], ex.response.headers if hasattr(ex, 'response') else ex)
	# pylint: disable=no-member
	raise

retry_time will always be < _RETRY_TIMES, so line 255 will never be hit and the error will be silenced.

See the doc for range: https://docs.python.org/3/library/stdtypes.html#typesseq-range

[jiasli]

This is to handle breaking change 3-1.

[jiasli]

I discovered a problem with iot module:

azure-cli/src/azure-cli/azure/cli/command_modules/iot/custom.py

Lines 588 to 590 in 9ef066f

	create = client.iot_hub_resource.begin_create_or_update(resource_group_name, hub_name, hub_description, polling=True)
	if identity_role and identity_scopes:
	create.add_done_callback(identity_assignment)

polling=True causes SDK to start a separate thread to do the LRO polling. Even if identity_assignment fails, it fails in that separate thread, so the main thread running the CLI command still succeeds, which is not expected.

[jiasli]

This is to handle breaking change 1-3.

[jiasli]

This is to handle breaking change 1-2.

[jiasli]

This is to handle breaking change 2-2.

[evelyn-ys]

Suggested change

'role_definitions': '2022-04-01',

We can simply remove this line if role_definitions uses the same API version with default one~

[jiasli]

role_definitions frequently diverges from role_assignments:

azure-cli/src/azure-cli/azure/cli/command_modules/role/_multi_api_adaptor.py

Lines 62 to 65 in 5f40c5e

	# 2015-07-01 RoleDefinition: flattened, RoleAssignment: unflattened
	# 2018-01-01-preview RoleDefinition: flattened
	# 2020-04-01-preview RoleAssignment: flattened
	# Get property_name from properties if the model is unflattened.

so it is merely a placeholder.

[jiasli]

role_definitions will again diverge from role_assignments: #26577