-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth: support service principal sn+issuer auth #7609
Conversation
@tjprescott @williexu, can one of you help take a look? |
src/azure-cli-core/HISTORY.rst
Outdated
|
||
2.0.49 | ||
++++++ | ||
* auth: support service principal sn+issuer auth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is duplicated. Should only be in 2.0.50.
@@ -193,9 +195,10 @@ def find_subscriptions_on_login(self, | |||
if is_service_principal: | |||
if not tenant: | |||
raise CLIError('Please supply tenant using "--tenant"') | |||
sp_auth = ServicePrincipalAuth(password) | |||
sp_auth = ServicePrincipalAuth(password, use_sn_issuer) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is "sn"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It means certificate subject name :). This abbreviation is used in the auth flow doc across, so i just use it. I know there is a risk it could be taken as serial number, so I used the full term in the command help.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let me rename to --use-cert-sn-issuer
to make it a bit more clear
@@ -96,6 +96,10 @@ def login(cmd, username=None, password=None, service_principal=None, tenant=None | |||
raise CLIError("usage error: '--identity' is not applicable with other arguments") | |||
if any([password, service_principal, username, identity]) and use_device_code: | |||
raise CLIError("usage error: '--use-device-code' is not applicable with other arguments") | |||
if use_sn_issuer and not service_principal: | |||
raise CLIError("usage error: '--use-sn-issuer' is only appliable with a service principal") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "applicable"
1291127
to
69f00ae
Compare
if use_cert_sn_issuer and not service_principal: | ||
raise CLIError("usage error: '--use-sn-issuer' is only applicable with a service principal") | ||
if service_principal and not username: | ||
raise CLIError('usage error: --service-principal --username NAME --password SECRET -t TENANT') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we use the full option --tenant
here?
2.0.50 | ||
++++++ | ||
* Fix issue where update commands using `--remove` and `--ids` fail after first update is applied to first resource in ids list. | ||
* auth: support service principal sn+issuer auth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was the previous history change unnecessary to include in History.rst
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The deleted history entry was part of 2.0.49.
The goal is to support automatic certificate rolls. The tenant must be pre-configured with only accepting certain issuers such as AME.
Mark it as
do not merge
as we are waiting for a new release of adal to have the capacity. Once it happens, i will update the PR with test coverage.The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).
I adhere to the Command Guidelines.