Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az role assignment delete command is an insane footgun #13577

Open
dharmab opened this issue May 19, 2020 · 14 comments · May be fixed by #30470
Open

az role assignment delete command is an insane footgun #13577

dharmab opened this issue May 19, 2020 · 14 comments · May be fixed by #30470
Assignees
@jiasli
Labels
Breaking Change Discussion Feature Candidate feature-request Graph az ad RBAC az role
Milestone
Backlog

Comments

@dharmab
Copy link

dharmab commented May 19, 2020

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

If you type az role assignment delete with no arguments, the Azure CLI offers to delete every role assignment in your subscription. This is insane.

To Reproduce

  1. Make sure your cat/child/fingers are as far away from the keyboard as possible
  2. Type az role assignment delete with no arguments
  3. Throw your computer into the ocean

Expected behavior

Literally anything else

Environment summary

Homebrew

$ az --version
azure-cli                          2.2.0 *

command-modules-nspkg              2.0.3
core                               2.2.0 *
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/Users/bellamko/git/k8s-infrastructure/.direnv/python-3.8.2/bin/python3'
Extensions directory '/Users/bellamko/.azure/cliextensions'

Python (Darwin) 3.8.2 (default, Mar 11 2020, 00:29:50)
[Clang 11.0.0 (clang-1100.0.33.17)]

Additional context

This reminds me of how az vmss delete-instances used to offer to delete every single one of your VMs if you didn't pass in --instance-ids. Now it just raises an error, which is sane behavior.
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 19, 2020
@yungezz yungezz added RBAC az role and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 19, 2020
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label May 19, 2020
@yungezz
Copy link
Member

yungezz commented May 19, 2020

hi @houk-ms can you pls have a look? @arrownj fixed a simliar issue before, you can talk with him for context.

@yonzhan yonzhan added this to the S171 milestone May 20, 2020
@houk-ms
Copy link
Contributor

houk-ms commented May 20, 2020

@dharmab Thanks for the feedbacks! Actually, this is a behavior as expected, which provides users a way to delete all the role assignments in a subscription.
And, before taking any actions, AzureCLI will prompt the message This will delete all role assignments under the subscription. Are you sure? as a reminder.

@yungezz I personally recommend we add an example in the doc to describe the usage rather than change the command itself which may block the users that are already using this way to delete all their role assignments.

@dharmab
Copy link
Author

dharmab commented May 20, 2020

which provides users a way to delete all the role assignments in a subscription.

Why is this something a user would ever want to do? And why is it the default if no arguments are passed? That's like if you typed rm and the default was This will delete all files under the current directory. Are you sure?

@Starblade42
Copy link

Whether or not someone would want to delete all of their role assignments in a subscription is not necessarily at issue.

The problem is that this is absolutely the wrong way to offer that feature. Something so destructive should require additional arguments!

Prompting the user for confirmation when they enter az role assignment delete is not sufficient to correctly ascertain that someone positivitely wants to utterly wipe their subscription.

@yungezz
Copy link
Member

yungezz commented May 21, 2020

hi @dharmab thanks for raise the issue. I see the concern. Actually that's the reason cli prompt for a confirmation for delete all. We'll look at customer scenario again to validate this.

@yungezz yungezz modified the milestones: S171, Backlog Aug 3, 2020
@Catramen
Copy link

I accidentally did this:

az role assignment create --assignee "$SOME_VAR" --role "Owner"

SOME_VAR was accidentally set to empty string. I did not get any prompt and EVERY OWNER WAS DELETED.I lost access to my subscription. Cannot even file a support ticket cause I lost permissions.
Is there a way to fix this?

@Catramen
Copy link

Forget to mention:
azure-cli 2.7.0 *

core 2.7.0 *
telemetry 1.0.4 *

@dharmab
Copy link
Author

dharmab commented Sep 23, 2020

@Catramen I'm so sorry. I'm not a MSFT employee but I'll forward your comment to my TAM and hopefully they can help route it.

@jiasli
Copy link
Member

jiasli commented Sep 24, 2020
edited
Loading

This issue was previously reported in #2933 and the prompt for "delete all" was added in #8862.

The logic is to search for all assignments and delete them all:

    assignments = _search_role_assignments(cmd.cli_ctx, assignments_client, definitions_client,
                                           scope, assignee, role, include_inherited,
                                           include_groups=False)

    if assignments:
        for a in assignments:
            assignments_client.delete_by_id(a.id)

I agree this behavior is insane and should be changed even though it is a breaking change.

If you have already deleted all role assignments, and luckily you are a Global Administrator in AAD tenant, there is a chance to recover it: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

@yungezz yungezz mentioned this issue Sep 24, 2020
Closed
@yungezz yungezz assigned jiasli and unassigned houk-ms Sep 24, 2020
@yungezz
Copy link
Member

yungezz commented Sep 24, 2020

#15278

@yungezz
Copy link
Member

yungezz commented Sep 24, 2020

I accidentally did this:

az role assignment create --assignee "$SOME_VAR" --role "Owner"

SOME_VAR was accidentally set to empty string. I did not get any prompt and EVERY OWNER WAS DELETED.I lost access to my subscription. Cannot even file a support ticket cause I lost permissions.
Is there a way to fix this?

This specific issue is tracked in #15278. We'll fix it to throw error when --assignee is empty string in az role assignment delete.

Today az role assignment delete behavior isn't that consistent on when to promoting, when to delete all. Let's use this issue to track refine work on role assignment delete behavior. Worth to check policy assignment delete also. Reassign to @jiasli .

@yungezz yungezz mentioned this issue Sep 24, 2020
Merged
@yonzhan yonzhan modified the milestones: Backlog, S176 Sep 24, 2020
@jiasli jiasli mentioned this issue Sep 24, 2020
Closed
2 tasks
@yonzhan yonzhan modified the milestones: S185, S186 Apr 6, 2021
@yonzhan yonzhan modified the milestones: S186, S187 Apr 24, 2021
@yonzhan yonzhan modified the milestones: S187, S188 May 19, 2021
@yonzhan yonzhan modified the milestones: S188, S189 Jun 12, 2021
@yonzhan yonzhan modified the milestones: S189, Jul 2021 (2021-08-03) Jul 2, 2021
@jiasli jiasli modified the milestones: Jul 2021 (2021-08-03), Backlog Jul 8, 2021
@jiasli jiasli added Feature Candidate Graph az ad and removed customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Dec 22, 2021
@jiasli jiasli modified the milestones: Backlog, Jan 2022 (2022-02-01) Dec 22, 2021
@jiasli jiasli added Microsoft Graph and removed Graph az ad labels Dec 23, 2021
@jiasli jiasli added Graph az ad and removed Microsoft Graph labels May 26, 2022
@evanfoster
Copy link

evanfoster commented Mar 14, 2024
edited by jiasli
Loading

Was this ever fixed?

EDIT: Ah, it was (at least partially) fixed in PR #15282.

EDIT: This is still a hideously dangerous footgun. az role assignment delete should do nothing and return a 1 to the shell, indicating an error. It should never, ever ask to delete everything. If someone wants to delete everything, that should be a separate command or something. All PR #15282 did was to make this safe to use in a scripted fashion. Interactive users who don't pass any command line args after delete are still at risk.

This was referenced Dec 5, 2024
Open
Open
@jiasli
Copy link
Member

jiasli commented Dec 5, 2024

I have created PR #30470 to remove the "delete all role assignments under the subscription by default" behavior. At least one of --ids, --assignee, --role, --resource-group, --scope must be provided. If none is provided, az role assignment delete will show an error.

I also proposed a more aggressive solution: make --scope a required argument for az role assignment delete (#30471).

@dharmab, @Starblade42, @Catramen, @evanfoster, please kindly share your thoughts or suggestions.

@bebound bebound mentioned this issue Dec 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
Breaking Change Discussion Feature Candidate feature-request Graph az ad RBAC az role
Projects
None yet
Milestone
Backlog