Azure Data Explorer breaking changes [Action Required]
Published Aug 13 2019 01:32 AM
Microsoft

Hello Azure Data Explorer users,

 

This notification includes information about 3 upcoming changes in the Azure Data Explorer service. The changes are in:

  • The `.show EventHub ingestion sources settings` DM command
  • The output format of the command `.show principal roles`
  • The syntax of the command `.show principal roles`

 

Detailed description

Planned change in `.show EventHub ingestion sources settings` DM command

Change details

A "with secrets" flavor is added that populates the secrets only for a caller with ingest permissions to the relevant databases. This changes the current implementation that does not show the secrets.

Impacted scenarios 

Impacted scenarios run the `.show EventHub ingestion sources settings` command and use the Event Hub connection string or the Event Hub secondary connection string from the results. Running the command returns a connection string to the Event Hub, with secrets included, which is used to enqueue events to the Event Hub.

Note: This change is primarily relevant to customers who have Event Hub connections where the Event Hub resource is managed by Azure Data Explorer.

Required change

  • Applications that use this command to get (decrypted) Event Hub connection strings, in order to enqueue events to Event Hub, should execute the command `.show EventHub ingestion sources settings with secrets`.
  • Applications that perform ingestions are required to have database ingestor permissions.
  • Best practice: Cache the connection strings and refresh them every few hours.

Schedule & plan 

Phase #1: Command change (ETA: September 30, 2019)

 

 

Planned change in the output format of the command `.show principal roles`

Change details 

The current output of the `.show principal roles` and `.show principal [principal] roles` control commands may be misleading. Therefore, the schema of these command results will be modified:

| Column name | Description | Change scope |
|---|---|---|
| Scope | The scope of the role assignment | Unchanged |
| DisplayName | The display name of the principal for which the operation is performed | Change the previous name that contains inconsistent data to PrincipalDisplayName |
| AADObjectID | The fully qualified principal name in Azure Data Explorer notation | Change the previous name that contains inconsistent data to PrincipalFQN |
| Role | The role assignment | Unchanged |

 

Impacted scenarios 

Scenarios that use the control commands `.show principal roles` and `.show principal [principal] roles` and parse the results.

Required change 

Customers that rely on the output of the updated commands must make changes to accommodate the new schema.

Schedule & plan 

Phase #1: Command schema changes (ETA: September 30, 2019)

 

Planned change in `.show principal roles`

Change details 

The `.show principal roles` engine command retrieves all the security roles of the current principal on the cluster. This command is often used by mid-tier applications to determine if a given principal has a specific type of role. For clusters with many entities (databases and tables), this command needlessly consumes many resources.

To allow callers to reduce the impact of this command on the cluster, the syntax of the command will be modified so that the caller will have to specify the entity for which roles are to be retrieved:

`.show <entity type> <entity name> principal roles`
Retrieves all roles held by the current principal for the specified entity.

`.show <entity type> <entity name> principal <principal identity> roles`
Allows the caller to specify the principal whose roles are to be returned, as long as the caller has the right permissions.

 

The change will be performed in two stages:

1. The new syntax will be added without impacting the existing syntax.

2. The existing syntax will be removed.

 

Required change 

Update any automation that uses the two commands specified above so that it supports the new syntax.
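One way a mid-tier application could accommodate both changes to `.show principal roles` (the renamed result columns and the entity-scoped syntax), as an added example that is not part of the original announcement or Microsoft's code. The helper names, the name allow-list and the sample rows are assumptions; real rows would come from whatever Kusto client the application uses.

```python
import re

# Old -> new column names, per the schema change table above.
RENAMED = {"DisplayName": "PrincipalDisplayName", "AADObjectID": "PrincipalFQN"}
REQUIRED = ("Scope", "PrincipalDisplayName", "PrincipalFQN", "Role")
# Entity kinds this announcement mentions (databases and tables).
ENTITY_TYPES = {"database", "table"}
# Assumption: conservative allow-list; names that would need quoting are rejected.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

# Constructed sample rows (placeholder values, not real service output).
OLD_ROW = {"Scope": "Database SampleDb", "DisplayName": "Example App",
           "AADObjectID": "aadapp=<app-id>;<tenant>", "Role": "Database Ingestor"}
NEW_ROW = {"Scope": "Database SampleDb", "PrincipalDisplayName": "Example App",
           "PrincipalFQN": "aadapp=<app-id>;<tenant>", "Role": "Database Ingestor"}


def scoped_roles_command(entity_type, entity_name):
    """Build `.show <entity type> <entity name> principal roles` from validated parts."""
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"unsupported entity type: {entity_type!r}")
    if not SAFE_NAME.match(entity_name):
        # Never interpolate caller-supplied text into a control command unchecked.
        raise ValueError(f"refusing to interpolate entity name: {entity_name!r}")
    return f".show {entity_type} {entity_name} principal roles"


def normalize_row(row):
    """Map a result row in either the old or the new schema onto the new column names."""
    out = {RENAMED.get(col, col): value for col, value in row.items()}
    missing = [col for col in REQUIRED if col not in out]
    if missing:
        # Fail closed: an unrecognized schema must not be read as "no roles".
        raise KeyError(f"unexpected result schema, missing {missing}")
    return out


def has_role(rows, role):
    """True only if every row is well formed and at least one grants `role`."""
    normalized = [normalize_row(r) for r in rows]  # validate all rows before deciding
    return any(r["Role"] == role for r in normalized)
```
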

 

Schedule & plan 

Phase #1: The new syntax will be added without impacting the existing syntax (ETA: Done)

Phase #2: The existing syntax will be removed (ETA: October 30, 2019)

 

Last update: Aug 13 2019 10:03 AM