Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Cosmos DB RBAC - readChangeFeed permission required to read from query FeedIterator
See original GitHub issueDescribe the bug We are currently replacing a broker-style access system in our solution with RBAC, as documented here: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac
We have created a custom role for a service principal with the following permissions:
"Microsoft.DocumentDB/databaseAccounts/readMetadata",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery"
This is applied at the Cosmos account level. This should enable that principal to perform CRUD and query operations on items within containers, but not create or delete databases or containers, or to read change feeds.
However, we are seeing the following errors when running our solution (guid redacted and container names changed):
"Request is blocked because principal [guid-redacted] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed] with OperationType [3] and ResourceType [2] on resource [dbs/mydbname/colls/mycontainer]"
Debugging this locally, this is being triggered by a routine which retrieves pages of data from a specified partition key:
CosmosClient client = await _clientFactory.GetCosmosClientAsync();
Container container = client.GetContainer(_databaseName, _containerName);
QueryRequestOptions options = new QueryRequestOptions
{
PartitionKey = new PartitionKey(partitionKey),
MaxItemCount = pagedRequestOptions.ItemsPerPage
};
IOrderedQueryable<T> queryable = container.GetItemLinqQueryable<T>(continuationToken: pagedRequestOptions.ContinuationToken, requestOptions: options);
using (FeedIterator<T> iterator = queryable.ToFeedIterator())
{
if (iterator.HasMoreResults)
{
FeedResponse<T> response = await iterator.ReadNextAsync();
// Build response with data and continuation token
}
else
{
//Build empty response
}
}
Specifically, the error is thrown on the call to iterator.ReadNextAsync(). This is thrown on the first run, when continuationToken is still null.
I can add these permissions as a workaround, but this looks like a bug.
To Reproduce
- Create a Role with the ability to run queries and read items, but not read change feeds.
- Assign this to a Service Principal.
- As that Service Principal, create a FeedIterator to read all items in a partition. It should fail on a call to
iterator.ReadNextAsync()
Expected behavior I would expect the query to execute successfully with the specified set of permissions, rather than requiring readChangeFeed.
Actual behavior Operation fails due to lack of readChangeFeed permissions.
Environment summary SDK Version: 3.23.0, .NET 3.1 latest OS Version: Windows 10 20H2, also Windows Functions in Azure
Additional context N/A
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I updated the RBAC documentation to reflect that executing queries through the SDK requires both
executeQueryandreadChangeFeedpermissions.You are correct. We will probably need to update the SDK comments to specify it’s doing a read feed to avoid confusion in the future.
Read all items in 1.3 is doing a read feed and requires the
readChangeFeedpermission. This is required because both read feed and change feed use the same endpoint unfortunately.The query in 1.4 requires the
executeQuerypermission.