Cosmos DB RBAC - readChangeFeed permission required to read from query FeedIterator
Describe the bug
We are currently replacing a broker-style access system in our solution with RBAC, as documented here: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac
We have created a custom role for a service principal with the following permissions:
"Microsoft.DocumentDB/databaseAccounts/readMetadata",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery"
This is applied at the Cosmos account level. This should enable that principal to perform CRUD and query operations on items within containers, but not create or delete databases or containers, or read change feeds.
However, we are seeing the following errors when running our solution (guid redacted and container names changed):
"Request is blocked because principal [guid-redacted] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed] with OperationType [3] and ResourceType [2] on resource [dbs/mydbname/colls/mycontainer]"
Debugging this locally, this is being triggered by a routine which retrieves pages of data from a specified partition key:
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;
using Microsoft.Azure.Cosmos.Linq;

// _clientFactory, _databaseName and _containerName are fields of the enclosing class.
// PagedRequestOptions is the caller's own paging type (type name assumed here); it carries
// the page size and the continuation token returned by the previous page.
public async Task<FeedResponse<T>> ReadPartitionPageAsync<T>(string partitionKey, PagedRequestOptions pagedRequestOptions)
{
    CosmosClient client = await _clientFactory.GetCosmosClientAsync();
    Container container = client.GetContainer(_databaseName, _containerName);
    QueryRequestOptions options = new QueryRequestOptions
    {
        PartitionKey = new PartitionKey(partitionKey),
        MaxItemCount = pagedRequestOptions.ItemsPerPage
    };
    // No Where/OrderBy is applied, so this reads all items in the partition
    IOrderedQueryable<T> queryable = container.GetItemLinqQueryable<T>(
        continuationToken: pagedRequestOptions.ContinuationToken,
        requestOptions: options);
    using (FeedIterator<T> iterator = queryable.ToFeedIterator())
    {
        if (iterator.HasMoreResults)
        {
            // The readChangeFeed RBAC error is thrown on this call
            FeedResponse<T> response = await iterator.ReadNextAsync();
            // Build response with data and continuation token
            return response;
        }
        else
        {
            // Build empty response
            return null;
        }
    }
}
Specifically, the error is thrown on the call to iterator.ReadNextAsync(). This is thrown on the first run, when continuationToken is still null.
I can add these permissions as a workaround, but this looks like a bug.
To Reproduce
- Create a Role with the ability to run queries and read items, but not read change feeds.
- Assign this to a Service Principal.
- As that Service Principal, create a FeedIterator to read all items in a partition. It should fail on a call to iterator.ReadNextAsync()
Expected behavior
I would expect the query to execute successfully with the specified set of permissions, rather than requiring readChangeFeed.
Actual behavior
Operation fails due to lack of readChangeFeed permissions.
Environment summary
SDK Version: 3.23.0, .NET 3.1 latest
OS Version: Windows 10 20H2, also Windows Functions in Azure
Additional context
N/A
Issue Analytics
- Created 2 years ago
- Comments: 9 (6 by maintainers)
Top GitHub Comments
I updated the RBAC documentation to reflect that executing queries through the SDK requires both executeQuery and readChangeFeed permissions.

You are correct. We will probably need to update the SDK comments to specify it’s doing a read feed to avoid confusion in the future.

Read all items in 1.3 is doing a read feed and requires the readChangeFeed permission. This is required because both read feed and change feed use the same endpoint unfortunately. The query in 1.4 requires the executeQuery permission.
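The following shell script is an added example, not code from the issue or from the Cosmos SDK project. It puts the data-action set the issue started with beside the corrected set the maintainers describe (the same item and query permissions plus readChangeFeed, so that read-feed calls such as an unfiltered FeedIterator succeed), emits each as a role-definition document in the shape accepted by `az cosmosdb sql role definition create --body`, and includes a small check that a definition actually grants a given action. The role names, the ACCOUNT, RESOURCE_GROUP and PRINCIPAL_ID values, and the helper function names are assumptions; the `az` commands in apply_role are not executed when the script runs, so it works offline.

```shell
#!/bin/sh
# Added example: Cosmos DB SQL custom role definitions with and without readChangeFeed.
# ACCOUNT, RESOURCE_GROUP and PRINCIPAL_ID are placeholders supplied by the operator.
ACCOUNT="${ACCOUNT:-<cosmos-account-name>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-<resource-group>}"
PRINCIPAL_ID="${PRINCIPAL_ID:-<service-principal-object-id>}"

# Data actions from the issue's original role: item CRUD and queries, but no read feed,
# so an unfiltered FeedIterator fails on ReadNextAsync with the readChangeFeed error.
ORIGINAL_ACTIONS='"Microsoft.DocumentDB/databaseAccounts/readMetadata",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery"'

# Corrected set: identical scope, plus readChangeFeed, which the SDK needs for read-feed
# (and, per the maintainers, query) operations. Still no database/container management.
CORRECTED_ACTIONS="$ORIGINAL_ACTIONS,
\"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed\""

# Emit a role-definition JSON document (helper name assumed).
# $1 = role name, $2 = comma-separated list of quoted data actions.
# AssignableScopes "/" is the whole account, matching the account-level assignment in the issue.
role_definition_json() {
    printf '{\n  "RoleName": "%s",\n  "Type": "CustomRole",\n  "AssignableScopes": ["/"],\n  "Permissions": [{ "DataActions": [\n%s\n  ] }]\n}\n' "$1" "$2"
}

# Succeed (exit 0) when the role definition in $1 grants the data action named in $2.
# -F treats the action as a fixed string so "items/*" is not read as a regex.
role_grants() {
    printf '%s' "$1" | grep -qF "\"$2\""
}

# Create the definition and assign it to the service principal at account scope.
# Not invoked at top level; run it deliberately once the placeholders are filled in.
# $1 = role definition JSON
apply_role() {
    body=$(mktemp)
    printf '%s' "$1" > "$body"
    role_id=$(az cosmosdb sql role definition create \
        --account-name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" \
        --body @"$body" --query id -o tsv)
    az cosmosdb sql role assignment create \
        --account-name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" \
        --scope "/" --principal-id "$PRINCIPAL_ID" --role-definition-id "$role_id"
    rm -f "$body"
}

# Show both definitions and report whether each grants the action the SDK asks for.
READ_FEED="Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
for name in original corrected; do
    if [ "$name" = original ]; then actions="$ORIGINAL_ACTIONS"; else actions="$CORRECTED_ACTIONS"; fi
    json=$(role_definition_json "cosmos-item-reader-$name" "$actions")
    printf '%s\n' "$json"
    if role_grants "$json" "$READ_FEED"; then
        echo "$name: grants readChangeFeed, unfiltered FeedIterator reads will be authorized"
    else
        echo "$name: lacks readChangeFeed, unfiltered FeedIterator reads will be blocked"
    fi
done
```

The check in role_grants is a string match on the emitted document, not an evaluation of Cosmos DB's authorization logic; it is there so that a role file can be linted in CI for the action the SDK is known to request before the role is applied.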