BatchExplorer
Custom role for Batch account is not interpreted by Batch explorer correctly.
Describe the bug
A customized role is created to only allow job/task creation in an Azure Batch account. A test user with this customized role can create jobs/tasks and submit tasks to a Batch node by using the Azure portal application or Azure login from a web browser, but not by using Batch Explorer. Batch Explorer shows the add button greyed out with the notification "Add a job (You don't have permission to perform this action)".
To Reproduce
Steps to reproduce the behavior:
- Create a custom role with the permissions below and assign this role to the test user.
    {
      "Name": "Batch job role",
      "IsCustom": true,
      "Description": "View, create and view batch jobs.",
      "Actions": [
        "Microsoft.Batch/batchAccounts/write"
      ],
      "NotActions": [],
      "DataActions": [
        "Microsoft.Batch/batchAccounts/jobs/",
        "Microsoft.Batch/batchAccounts/jobSchedules/"
      ],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      ]
    }
- Log in to the Azure portal application or Azure website as the test user account. Go to batch account/jobs and verify the test user account can create a job. This is to prove the custom role is set up properly and the issue is not from the custom role side.
- Log in to Batch Explorer as the test user account. Go to batch accounts/jobs; the add button is greyed out.
Expected behavior
Batch Explorer should allow the test account to create jobs/tasks, as the Azure portal application and Azure online do.
Screenshots
2 screenshots attached. One is good scenario from azure portal. The other is issue noticed under batch explorer.
Logs(Click profile > View Logs > app.log, client.log) N.A.
Version (please complete the following information):
- OS: [Windows]
- Version [1803]
Thank you for reporting this difference. Currently BatchExplorer only supports actions and notActions permissions (does not parse DataActions), which is why it is showing as without permissions.
Edit: Fix understatement of what is supported
This isn't just a matter of dataActions, though that is also true. Custom actions like "Microsoft.Batch/batchAccounts/pools/write" aren't properly checked. Submitted a PR to disable this client-side checking until it can be made more robust to handle custom roles.
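The gap both replies describe, shown as an added example that is not part of the thread and is not BatchExplorer's code: a simplified matcher for Azure RBAC permission patterns, run against a constructed role modelled on the one in the report. The trailing `*` on the DataActions entries, the operation name used for "add a job", and all function names are assumptions.

```typescript
// Added example: simplified Azure RBAC matching, not BatchExplorer's code.
interface Permission {
  actions: string[];
  notActions: string[];
  dataActions: string[];
  notDataActions: string[];
}

// "*" in an RBAC pattern matches any run of characters; matching ignores case.
function toRegex(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function matchesAny(patterns: string[], op: string): boolean {
  return patterns.some((p: string) => toRegex(p).test(op));
}

// Control-plane-only check: the behaviour the maintainer reply describes.
// NotActions subtract within one permission block; they are not a global deny.
function actionsOnlyCheck(perms: Permission[], op: string): boolean {
  return perms.some((p: Permission) =>
    matchesAny(p.actions, op) && !matchesAny(p.notActions, op));
}

// Data-plane check: DataActions minus NotDataActions, per permission block.
function dataActionCheck(perms: Permission[], op: string): boolean {
  return perms.some((p: Permission) =>
    matchesAny(p.dataActions, op) && !matchesAny(p.notDataActions, op));
}

// Constructed sample modelled on the role in the report; the trailing "*"
// on the DataActions entries is an assumption.
const batchJobRole: Permission = {
  actions: ["Microsoft.Batch/batchAccounts/write"],
  notActions: [],
  dataActions: ["Microsoft.Batch/batchAccounts/jobs/*",
                "Microsoft.Batch/batchAccounts/jobSchedules/*"],
  notDataActions: [],
};

// Operation name assumed for "add a job".
const JOB_WRITE = "Microsoft.Batch/batchAccounts/jobs/write";

console.log("actions only:", actionsOnlyCheck([batchJobRole], JOB_WRITE));
console.log("data actions:", dataActionCheck([batchJobRole], JOB_WRITE));
```

A client-side gate like this only decides what the UI offers; the service still authorizes every request, which is why disabling the check, as the last comment proposes, does not widen access.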