Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Key Vault Admin] Convenience layer - KeyVaultAccessControlClient #10815

Merged

Conversation

sadasant
Copy link
Contributor

@sadasant sadasant commented Aug 24, 2020

Convenience layer for the AccessControlClient.
After this PR, I'll make another one for the BackupClient.

You can see the rendered version of the latest API review file by going to this link: https://github.com/sadasant/azure-sdk-for-js/blob/keyvault-admin/10799-convenience-layer/sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md

This API is based on the .Net's API: https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs (with some language-specific considerations).

IMPORTANT:

  • For .Net, this client is called KeyVaultAccessControlClient. Since none of the other clients in KeyVault start with KeyVault (as in, KeyClient), it seemed appropriate to name ours AccessControlClient. Agreed on naming it KeyVaultAccessControlClient.
  • I'm intentionally not using the spread operator, to ensure the translation of properties is as clear as possible.
  • I had to enforce a bunch of properties of several types. The swagger doesn't say so, but they seem to be required by the service, and other languages are doing the same.

Many things are still missing from the keyvault-admin folder, so keep in mind that this is an incremental effort.

Part of #10799
Closes #7279

@sadasant sadasant self-assigned this Aug 24, 2020
@ghost ghost added the KeyVault label Aug 24, 2020
@sadasant sadasant requested a review from christothes August 24, 2020 23:03
@sadasant sadasant marked this pull request as ready for review August 25, 2020 10:41
@sadasant sadasant requested a review from heaths August 25, 2020 17:03
@sadasant sadasant changed the title [Key Vault Admin] Convenience layer - AccessControlClient [Key Vault Admin] Convenience layer - KeyVaultAccessControlClient Aug 27, 2020
Copy link
Member

@xirzec xirzec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The convenience client looks great!

I left some minor API feedback and a few code nits.

}

// @public
export type RoleAssignmentScope = "/" | "/keys" | string;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this feels like a weird type, though I'm not sure what would be better

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The string part is because it accepts UUIDs. I wonder if we could have some UUID validator as a type? That would be generally helpful in our clients.

sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlClient.ts Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlClient.ts Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlClient.ts Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlModels.ts Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlModels.ts Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/accessControlModels.ts Outdated Show resolved Hide resolved
Copy link

@iscai-msft iscai-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mainly left comments on where python differs, not saying what we're doing is correct htough

// @public
export class KeyVaultAccessControlClient {
constructor(vaultUrl: string, credential: TokenCredential, pipelineOptions?: AccessControlClientOptions);
createRoleAssignment(roleScope: RoleAssignmentScope, name: string, roleDefinitionId: string, principalId: string, options?: CreateRoleAssignmentOptions): Promise<KeyVaultRoleAssignment>;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in python we have it as role_assignment_name

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same for every name parameter for role assignments

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.Net is using name. I don't mind, but I'd rather reach to an agreement with @heaths , @christothes

}

// @public
export interface KeyVaultRoleAssignment {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

python has KeyVaultRoleAssignment


// @public
export interface KeyVaultRoleAssignment {
readonly id: string;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for python we have assignment_id

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO - id is contextually a property of the KeyVaultRoleAssignment and shouldn't need a prefix.

}

// @public
export interface KeyVaultRoleDefinition {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

python has KeyVaultRoleDefinition

sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md Outdated Show resolved Hide resolved
sdk/keyvault/keyvault-admin/src/constants.ts Outdated Show resolved Hide resolved
@sadasant sadasant merged commit ab6907c into Azure:master Sep 4, 2020
@sadasant sadasant deleted the keyvault-admin/10799-convenience-layer branch September 4, 2020 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[keyvault-admin] Support Role-based Access Control (RBAC) for data plane via new KeyVaultAccessControlClient
7 participants