Custom role definitions for MHSM #11465

Merged
merged 3 commits into from
Dec 16, 2020

daviddesberg
Contributor

MSFT employees can try out our new experience at OpenAPI Hub - one location for using our validation tools and finding your workflow.

Contribution checklist:

If any further question about AME onboarding or validation tools, please view the FAQ.

ARM API Review Checklist

  • Ensure to check this box if one of the following scenarios meet updates in the PR, so that label “WaitForARMFeedback” will be added automatically to involve ARM API Review. Failure to comply may result in delays for manifest application. Note this does not apply to data plane APIs, all “removals” and “adding a new property” no more require ARM API review.

    • Adding new API(s)
    • Adding a new API version
    • Adding a new service
  • Please ensure you've reviewed following guidelines including ARM resource provider contract and REST guidelines. Estimated time (4 hours). This is required before you can request review from ARM API Review board.

  • If you are blocked on ARM review and want to get the PR merged with urgency, please get the ARM oncall for reviews (RP Manifest Approvers team under Azure Resource Manager service) from IcM and reach out to them.

Breaking Change Review Checklist

If there are following updates in the PR, ensure to request an approval from API Review Board as defined in the Breaking Change Policy.

  • Removing API(s) in stable version
  • Removing properties in stable version
  • Removing API version(s) in stable version
  • Updating API in stable version with Breaking Change Validation errors
  • Updating API(s) in preview over 1 year

Please follow the link to find more details on PR review process.

openapi-pipeline-app bot commented Oct 30, 2020

Swagger Validation Report

✔️ BreakingChange succeeded
There are no breaking changes.

⚠️ LintDiff: 1 Warnings

Rule | Message | Location
R2001 - AvoidNestedProperties | Consider using x-ms-client-flatten to provide a better end user experience | New: Microsoft.KeyVault/preview/7.2-preview/rbac.json#L519

❌ Avocado: 50 Errors, 0 Warnings failed. Only 10 items are listed, please refer to log for more details.

Rule | Message | File | Line:Column | Detail
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 21:25 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 22:21 | unexpected token, token: ]
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 23:17 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 23:18 | unexpected token, token: ,
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 28:9 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 29:5 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 30:1 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/DeleteRoleDefinition-example.json | 18:36 | unexpected end of file, token: ]
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/PutRoleDefinition-example.json | 14:17 | unexpected token, token: }
JSON_PARSE | The file is not a valid JSON file. | preview/7.2-preview/examples/PutRoleDefinition-example.json | 15:13 | unexpected token, token: ]

❌ ModelValidation: 1 Errors, 0 Warnings failed

Failed to load a reference example file specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/DeleteRoleDefinition-example.json. (Error: Unable to parse swagger, inner error: unexpected token, token: }, line: 21, column: 25)
Role: Model Validation
URL: https://github.com/Azure/azure-rest-api-specs/blob/a71f5ccbd75e638b217173a464001737abff66fb/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/rbac.json

❌ SemanticValidation: 1 Errors, 0 Warnings failed

Rule | Message
JSON_PARSING_ERROR | unexpected token, token: }, line: 21, column: 25

✔️ [Staging] Cross Version BreakingChange (Base on preview version) succeeded
There are no breaking changes.
✔️ [Staging] Cross Version BreakingChange (Base on stable version) succeeded
There are no breaking changes.
✔️ CredScan succeeded
There is no credential detected.
Posted by Swagger Pipeline

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-java

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-go

✔️ succeeded

openapi-sdkautomation bot commented Oct 30, 2020

Azure CLI Extension Generation

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-python

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-python-track2

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-js

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-resource-manager-schemas

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

Trenton Generation

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

openapi-sdkautomation bot commented Oct 30, 2020

azure-sdk-for-net

No readme.md specification configuration files were found that are associated with the files modified in this pull request, or swagger_to_sdk section in readme.md is not configured

Member

lmazuel commented Dec 10, 2020

/azurepipelines run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).

Member

heaths left a comment

This seems to have replaced custom role assignments (necessary to assign principals to definitions) with custom role definitions when, in fact, custom role definitions should be additive, yes? In that case, you need to add (custom) role assignment CRUD operations back in. I would expect the final form of this PR to be only additions.

@@ -27,38 +27,38 @@
"application/json"
],
"paths": {
"/{scope}/providers/Microsoft.Authorization/roleDefinitions": {
"get": {
"/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionName}": {

Member

Nit: extraneous whitespace.

"operationId": "RoleDefinitions_List",
"description": "Get all role definitions that are applicable at scope and above.",
"operationId": "RoleDefinitions_Delete",
"description": "Deletes a custom role definition.",
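
Review bot: the `description` for `RoleDefinitions_Delete` reads only "Deletes a custom role definition." and does not say what a caller gets when the name refers to a built-in role definition. State that case in the description and list the corresponding error response on the operation, so generated clients and reference docs carry it.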

Member

Question: should an error be expected if someone tries to delete a built-in role definition?

Contributor Author

yes

"200": {
"description": "OK - Returns information about the role assignment.",
"201": {
"description": "Created - Returns information about the role definition.",
"schema": {
"$ref": "#/definitions/RoleAssignment"
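
Review bot: the `201` response is described as "Created - Returns information about the role definition." while its `schema` points at `#/definitions/RoleAssignment`, so the description and the model disagree and a generated client would deserialize the wrong type. Point the `$ref` at the role definition model; the `200` description just above still says "role assignment" and needs the same correction if that line is kept.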

Member

This should return a RoleDefinition.

"x-ms-odata": "#/definitions/RoleDefinitionFilter"
}
},
"/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}": {

Member

It seems you deleted all the role assignment CRUD operations. Looking at the file sans diff, I don't see them anywhere. These still need to be supported. I.e., I expect this file to contain only additions for custom role definitions.

Contributor Author

unclear to me what happened but it should be fixed now

@daviddesberg daviddesberg force-pushed the feature/mhsm_custom_roles branch from e36f2b7 to e5cc3ed Compare December 10, 2020 01:09
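
An added example, not part of the pull request or of the Azure validation tooling: the two problems raised in the review above (role assignment operations dropped from the spec, and a role definition operation returning `RoleAssignment`) can be caught mechanically by comparing operation sets and response models. The spec fragments, the `RoleAssignments_*` operation ids, the `RoleDefinitionListResult` model name and the naming heuristic are assumptions constructed for illustration.

```python
# Added example: constructed Swagger 2.0 fragments, not the PR's rbac.json.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
BASE = "/{scope}/providers/Microsoft.Authorization"


def op(operation_id, status, model):
    """Build a minimal operation with one response that references `model`."""
    return {"operationId": operation_id,
            "responses": {status: {"schema": {"$ref": "#/definitions/" + model}}}}


def operations(spec):
    """Map (METHOD, path) -> operation object for every operation in the spec."""
    return {(method.upper(), path): body
            for path, item in spec.get("paths", {}).items()
            for method, body in item.items() if method in HTTP_METHODS}


def removed_operations(old, new):
    """Operations present in the old spec but missing from the new one."""
    return sorted(set(operations(old)) - set(operations(new)))


def schema_mismatches(spec):
    """Flag 2xx responses whose model does not belong to the operation's group.

    Heuristic (assumption of this example): an operationId such as
    'RoleDefinitions_Delete' should return a model named 'RoleDefinition...'.
    """
    findings = []
    for (method, path), body in sorted(operations(spec).items()):
        group = body.get("operationId", "").split("_")[0]
        expected = group[:-1] if group.endswith("s") else group
        for status, resp in sorted(body.get("responses", {}).items()):
            model = resp.get("schema", {}).get("$ref", "").rsplit("/", 1)[-1]
            if status.startswith("2") and model and not model.startswith(expected):
                findings.append((method, path, status, model))
    return findings


# Constructed "before" and "after" specs mirroring the situation in the review.
LIST = {"get": op("RoleDefinitions_List", "200", "RoleDefinitionListResult")}
OLD = {"paths": {
    BASE + "/roleDefinitions": LIST,
    BASE + "/roleAssignments/{roleAssignmentName}": {
        "put": op("RoleAssignments_Create", "201", "RoleAssignment"),
        "delete": op("RoleAssignments_Delete", "200", "RoleAssignment")}}}
NEW = {"paths": {
    BASE + "/roleDefinitions": LIST,
    BASE + "/roleDefinitions/{roleDefinitionName}": {
        "put": op("RoleDefinitions_CreateOrUpdate", "201", "RoleAssignment"),
        "delete": op("RoleDefinitions_Delete", "200", "RoleDefinition")}}}

if __name__ == "__main__":
    for method, path in removed_operations(OLD, NEW):
        print("REMOVED ", method, path)
    for method, path, status, model in schema_mismatches(NEW):
        print("MISMATCH", method, path, status, "->", model)
```
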
openapi-pipeline-app bot commented Dec 10, 2020

Swagger Generation Artifacts

✔️ azure-sdk-for-go succeeded
  • ✔️ Succeeded: Release - Generate from 743069b. SDK Automation 14.0.0
    command	sh ./initScript.sh ../../../../../azure-sdk-for-go_tmp/initInput.json ../../../../../azure-sdk-for-go_tmp/initOutput.json
    command	go run ./tools/generator/main.go ../../../../../azure-sdk-for-go_tmp/generateInput.json ../../../../../azure-sdk-for-go_tmp/generateOutput.json
  • ✔️ preview/keyvault/v7.2-preview/keyvault
    Only show 24 items here, please refer to log for details.
    info	[Changelog]
    info	[Changelog] 1. RoleDefinitionsClient.CreateOrUpdate(context.Context, string, string, string, RoleDefinitionCreateParameters) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.CreateOrUpdatePreparer(context.Context, string, string, string, RoleDefinitionCreateParameters) (*http.Request, error)
    info	[Changelog] 1. RoleDefinitionsClient.CreateOrUpdateResponder(*http.Response) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.CreateOrUpdateSender(*http.Request) (*http.Response, error)
    info	[Changelog] 1. RoleDefinitionsClient.Delete(context.Context, string, string, string) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.DeletePreparer(context.Context, string, string, string) (*http.Request, error)
    info	[Changelog] 1. RoleDefinitionsClient.DeleteResponder(*http.Response) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.DeleteSender(*http.Request) (*http.Response, error)
    info	[Changelog] 1. RoleDefinitionsClient.Get(context.Context, string, string, string) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.GetPreparer(context.Context, string, string, string) (*http.Request, error)
    info	[Changelog] 1. RoleDefinitionsClient.GetResponder(*http.Response) (RoleDefinition, error)
    info	[Changelog] 1. RoleDefinitionsClient.GetSender(*http.Request) (*http.Response, error)
    info	[Changelog]
    info	[Changelog] ## Struct Changes
    info	[Changelog]
    info	[Changelog] ### New Structs
    info	[Changelog]
    info	[Changelog] 1. RoleDefinitionCreateParameters
    info	[Changelog]
    info	[Changelog] ### New Struct Fields
    info	[Changelog]
    info	[Changelog] 1. RoleDefinition.autorest.Response
    info	[Changelog]
  • ✔️ keyvault/v7.1/keyvault
    info	[Changelog] No exported changes
  • ✔️ keyvault/v7.0/keyvault
    info	[Changelog] No exported changes
  • ✔️ keyvault/2016-10-01/keyvault
    info	[Changelog] No exported changes
  • ✔️ keyvault/2015-06-01/keyvault
    info	[Changelog] No exported changes
✔️ [Staging] ApiDocPreview succeeded

@openapi-workflow-bot

NewApiVersionRequired reason:

A service’s API is a contract with customers and is represented by using the api-version query parameter. Changes such as adding an optional property to a request/response or introducing a new operation is a change to the service’s contract and therefore requires a new api-version value. This is critically important for documentation, client libraries, and customer support.

EXAMPLE: if a customer calls a service in the public cloud using api-version=2020-07-27, the new property or operation may exist but if they call the service in a government cloud, air-gapped cloud, or Azure Stack Hub cloud using the same api-version, the property or operation may not exist. Because there is no clear relationship between the service api-version and the new property/operation, customers can’t trust the documentation and Azure customer have difficulty helping customers diagnose issues. In addition, each client library version documents the service version it supports. When an optional property or new operation is added to a service and its Swagger, new client libraries must be produced to expose this functionality to customers. Without updating the api-version, it is unclear to customers which version of a client library supports these new features.

Co-authored-by: Charles Lowell <chlowe@microsoft.com>
Member

lmazuel commented Dec 16, 2020

Merging, approved by Alex offline

@lmazuel lmazuel merged commit 743069b into Azure:master Dec 16, 2020
giromm2ms pushed a commit to giromm2ms/azure-rest-api-specs that referenced this pull request Dec 20, 2020
* Custom role definitions for MHSM

* addtl feedback

* Apply suggested doc change

Co-authored-by: Charles Lowell <chlowe@microsoft.com>

Co-authored-by: Charles Lowell <chlowe@microsoft.com>
josuhazure pushed a commit to josuhazure/azure-rest-api-specs that referenced this pull request Jan 6, 2021