Planned change in `.show EventHub ingestion sources settings` DM command
A "with secrets" flavor of the command is added, which populates the secrets only for a caller with ingest permissions to the relevant databases. This changes the current implementation, which does not show the secrets.
Impacted scenarios are those that run the `.show EventHub ingestion sources settings` command and use the Event Hub connection string or the Event Hub secondary connection string from the results. Running the command returns a connection string to the Event Hub, with secrets included, which is used to enqueue events to the Event Hub.
Note: This change is primarily relevant to customers who have Event Hub connections where the Event Hub resource is managed by Azure Data Explorer.
Applications that use this command to get (decrypted) Event Hub connection strings in order to enqueue events to Event Hub should execute the command `.show Event Hub ingestion source settings with secrets`.
Applications that perform ingestions are required to have database ingestor permissions.
Best practice: Cache the connection strings and refresh them every few hours.
Schedule & plan
Phase #1: Command change (ETA: September 30, 2019)
Planned change in the output format of the command `.show principal roles`
The current output of the `.show principal roles` and `.show principal [principal] roles` control commands may be misleading. Therefore, the schema of these command results will be modified:
· the scope of the role assignment
· the display name of the principal for which the operation is performed (Change the previous name that contains inconsistent data to PrincipalDisplayName)
· the fully qualified principal name in Azure Data Explorer notation (Change the previous name that contains inconsistent data to PrincipalFQN)
· the role assignment
Scenarios that use the control commands `.show principal roles` and `.show principal [principal] roles` and parse the results.
Customers that rely on the output of the updated commands must make changes to accommodate the new schema.
Schedule & plan
Phase #1: Command schema changes (ETA: September 30, 2019)
Planned change in `.show principal roles`
The `.show principal roles` engine command retrieves all the security roles of the current principal on the cluster. This command is often used by mid-tier applications to determine if a given principal has a specific type of role. For clusters with many entities (databases and tables), this command needlessly consumes many resources.
To allow callers to reduce the impact of this command on the cluster, the syntax of the command will be modified so that the caller will have to specify the entity for which roles are to be retrieved:
`.show <entity type> <entity name> principal roles`
Retrieves all roles held by the current principal for the specified entity.
`.show <entity type> <entity name> principal <principal identity> roles`
Allows the caller to specify the principal whose roles are to be returned, as long as the caller has the right permissions.
The change will be performed in two stages:
1. The new syntax will be added without impacting the existing syntax.
2. The existing syntax will be removed.
Change automation using the two commands specified above to support the new syntax.
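One way for mid-tier automation to adopt the entity-scoped syntax above, building the command only from validated inputs so a caller-supplied name cannot alter the authorization query (an added example, not Azure Data Explorer's own code). The `run_command` callable, the allow-list patterns and the `role_column` parameter are assumptions; the page gives neither the result column names nor any quoting rules.

```python
import re

# Entity types the page names ("databases and tables"); anything else is rejected.
ENTITY_TYPES = {"database", "table"}
# Assumption: a conservative identifier allow-list, so no quoting is required.
_ENTITY_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")
# Assumption: principal identities of the form aaduser=/aadapp=/aadgroup=...,
# restricted to characters that cannot add tokens to the command.
_PRINCIPAL = re.compile(r"aad(?:user|app|group)=[A-Za-z0-9@._-]{1,256}")


def build_roles_command(entity_type, entity_name, principal=None):
    """Return the entity-scoped roles command for validated inputs."""
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"unsupported entity type: {entity_type!r}")
    if not _ENTITY_NAME.fullmatch(entity_name):
        raise ValueError(f"invalid entity name: {entity_name!r}")
    if principal is None:
        # Roles held by the current principal on the specified entity.
        return f".show {entity_type} {entity_name} principal roles"
    if not _PRINCIPAL.fullmatch(principal):
        raise ValueError(f"invalid principal identity: {principal!r}")
    return f".show {entity_type} {entity_name} principal {principal} roles"


def principal_has_role(run_command, entity_type, entity_name, principal,
                       role, role_column):
    """Fail closed: True only when a returned row carries exactly `role`.

    run_command is a caller-supplied function (hypothetical) that executes
    the command and returns rows as dicts; role_column is the name of the
    role-assignment column in the result schema, supplied by the caller.
    """
    command = build_roles_command(entity_type, entity_name, principal)
    rows = run_command(command)
    return any(row.get(role_column) == role for row in rows)


if __name__ == "__main__":
    # Constructed sample rows standing in for a real cluster response.
    def fake_run(command):
        print("would execute:", command)
        return [{"Role": "Viewer"}]

    print(principal_has_role(fake_run, "database", "Telemetry",
                             "aaduser=alice@contoso.com", "Viewer", "Role"))
```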
Schedule & plan
Phase #1: The new syntax will be added without impacting the existing syntax (ETA: Done)
Phase #2: The existing syntax will be removed (ETA: October 30, 2019)