follower perms

Author: yaananth

KustoSchemaTools.Tests/Changes/FollowerPermissionChangeTests.cs

@@ -0,0 +1,92 @@
+using KustoSchemaTools.Changes;
+using KustoSchemaTools.Model;
+using Microsoft.Extensions.Logging;
+using Moq;
+
+namespace KustoSchemaTools.Tests.Changes
+{
+    public class FollowerPermissionChangeTests
+    {
+        private readonly Mock<ILogger> _logger = new();
+
+        private static FollowerDatabase BuildFollower(params (string role, string id, string name)[] principals)
+        {
+            var follower = new FollowerDatabase
+            {
+                DatabaseName = "DDoSNeuralAnalysis",
+                Permissions = new FollowerPermissions { ModificationKind = FollowerModificationKind.Union }
+            };
+
+            foreach (var (role, id, name) in principals)
+            {
+                var obj = new AADObject { Id = id, Name = name };
+                if (string.Equals(role, "admin", StringComparison.OrdinalIgnoreCase))
+                {
+                    follower.Permissions.Admins.Add(obj);
+                }
+                else
+                {
+                    follower.Permissions.Viewers.Add(obj);
+                }
+            }
+
+            return follower;
+        }
+
+        [Fact]
+        public void GeneratesFollowerSetCommand_WithLeaderName()
+        {
+            var oldFollower = BuildFollower();
+            var newFollower = BuildFollower(("viewer", "aadapp=64decea3-723a-4fbf-b2ec-9faaf852cfdc;398a6654-997b-47e9-b12b-9515b896b4de", "spn-dev-spam-slam"));
+            newFollower.Permissions.LeaderName = "leader-cluster";
+
+            var changes = DatabaseChanges.GenerateFollowerChanges(oldFollower, newFollower, _logger.Object);
+
+            var permChange = Assert.Single(changes.OfType<FollowerPermissionChange>());
+            var script = Assert.Single(permChange.Scripts).Script!.Text;
+
+            Assert.Equal(".set follower database DDoSNeuralAnalysis viewers (\"aadapp=64decea3-723a-4fbf-b2ec-9faaf852cfdc;398a6654-997b-47e9-b12b-9515b896b4de\") 'leader-cluster'", script);
+            Assert.DoesNotContain(".set database", script);
+        }
+
+        [Fact]
+        public void GeneratesFollowerSetCommand_WithoutLeaderName()
+        {
+            var oldFollower = BuildFollower();
+            var newFollower = BuildFollower(("admin", "aaduser=foo;tenant", "Foo"));
+
+            var changes = DatabaseChanges.GenerateFollowerChanges(oldFollower, newFollower, _logger.Object);
+
+            var permChange = Assert.Single(changes.OfType<FollowerPermissionChange>());
+            var script = Assert.Single(permChange.Scripts).Script!.Text;
+
+            Assert.Equal(".set follower database DDoSNeuralAnalysis admins (\"aaduser=foo;tenant\")", script);
+            Assert.DoesNotContain("leader", script, StringComparison.OrdinalIgnoreCase);
+        }
+
+        [Fact]
+        public void NoChange_WhenPrincipalsUnchanged()
+        {
+            var oldFollower = BuildFollower(("viewer", "aadapp=1;tenant", "v1"));
+            var newFollower = BuildFollower(("viewer", "aadapp=1;tenant", "v1"));
+
+            var changes = DatabaseChanges.GenerateFollowerChanges(oldFollower, newFollower, _logger.Object);
+
+            Assert.Empty(changes.OfType<FollowerPermissionChange>());
+        }
+
+        [Fact]
+        public void EmitsNoneWithoutParens_WhenClearingPrincipals()
+        {
+            var oldFollower = BuildFollower(("admin", "aadapp=1;tenant", "v1"));
+            var newFollower = BuildFollower();
+
+            var changes = DatabaseChanges.GenerateFollowerChanges(oldFollower, newFollower, _logger.Object);
+
+            var permChange = Assert.Single(changes.OfType<FollowerPermissionChange>());
+            var script = Assert.Single(permChange.Scripts).Script!.Text;
+
+            Assert.Equal(".set follower database DDoSNeuralAnalysis admins none", script);
+        }
+    }
+}

KustoSchemaTools/Changes/DatabaseChanges.cs

@@ -217,21 +217,25 @@ private static List<IChange> GenerateScriptCompareChanges<T>(Database oldState,
 
         public static List<IChange> GenerateFollowerChanges(FollowerDatabase oldState, FollowerDatabase newState, ILogger log)
         {
-            List<IChange> result =
-            [
-                .. GenerateFollowerCachingChanges(oldState, newState, db => db.Tables, "Table", "table"),
-                .. GenerateFollowerCachingChanges(oldState, newState, db => db.MaterializedViews, "MV", "materialized-view"),
-
-            ];
+            var result = new List<IChange>();
 
+            // Ensure principals-modification-kind is applied before any permission updates
+            // by adding it first (earlier in the ordered script list).
             if (oldState.Permissions.ModificationKind != newState.Permissions.ModificationKind)
             {
                 var kind = newState.Permissions.ModificationKind.ToString().ToLower();
                 result.Add(new BasicChange("FollowerDatabase", "PermissionsModificationKind", $" Change Permission-Modification-Kind from {oldState.Permissions.ModificationKind} to {newState.Permissions.ModificationKind}", new List<DatabaseScriptContainer>
                 {
-                    new DatabaseScriptContainer(new DatabaseScript($".alter follower database {newState.DatabaseName.BracketIfIdentifier()} principals-modification-kind = {kind}", 0), "FollowerChangePolicyModificationKind")
+                    new DatabaseScriptContainer(new DatabaseScript($".alter follower database {newState.DatabaseName.BracketIfIdentifier()} principals-modification-kind = {kind}", -10), "FollowerChangePolicyModificationKind")
                 }));
             }
+
+            result.AddRange(GenerateFollowerCachingChanges(oldState, newState, db => db.Tables, "Table", "table"));
+            result.AddRange(GenerateFollowerCachingChanges(oldState, newState, db => db.MaterializedViews, "MV", "materialized-view"));
+
+            // Permission changes (order defaults to 0) now follow the modification-kind change above.
+            result.AddRange(GenerateFollowerPermissionChanges(oldState, newState, log));
+
             if (oldState.Cache.ModificationKind != newState.Cache.ModificationKind)
             {
                 var kind = newState.Cache.ModificationKind.ToString().ToLower();
@@ -332,6 +336,26 @@ private static List<IChange> GenerateFollowerCachingChanges(FollowerDatabase old
 
             return result;
         }
+
+        private static IEnumerable<IChange> GenerateFollowerPermissionChanges(FollowerDatabase oldState, FollowerDatabase newState, ILogger log)
+        {
+            var changes = new List<IChange>();
+
+            var permissionChanges = new List<IChange>
+            {
+                new FollowerPermissionChange(newState.DatabaseName, "Admins", oldState.Permissions.Admins, newState.Permissions.Admins, newState.Permissions.LeaderName, oldState.Permissions.LeaderName),
+                new FollowerPermissionChange(newState.DatabaseName, "Viewers", oldState.Permissions.Viewers, newState.Permissions.Viewers, newState.Permissions.LeaderName, oldState.Permissions.LeaderName)
+            }.Where(itm => itm.Scripts.Any()).ToList();
+
+            if (permissionChanges.Any())
+            {
+                log.LogInformation($"Detected {permissionChanges.Count} follower permission changes");
+                permissionChanges.Insert(0, new Heading("Permissions (Follower)"));
+            }
+
+            changes.AddRange(permissionChanges);
+            return changes;
+        }
     }
 
 }

KustoSchemaTools/Changes/FollowerPermissionChange.cs

@@ -0,0 +1,95 @@
+using Kusto.Language;
+using KustoSchemaTools.Model;
+using KustoSchemaTools.Parser;
+using System.Text;
+
+namespace KustoSchemaTools.Changes
+{
+    /// <summary>
+    /// Permission diff for follower databases. Uses follower-specific commands so
+    /// we don't attempt to write directly to the read-only follower database.
+    /// </summary>
+    public class FollowerPermissionChange : BaseChange<List<AADObject>>
+    {
+        public FollowerPermissionChange(string db, string entity, List<AADObject> from, List<AADObject> to, string? leaderName, string? currentLeaderName)
+            : base("FollowerPermissions", entity, from ?? new List<AADObject>(), to)
+        {
+            Db = db;
+            LeaderName = leaderName;
+            CurrentLeaderName = currentLeaderName;
+            Init();
+        }
+
+        public string Db { get; }
+        public string? LeaderName { get; }
+        public string? CurrentLeaderName { get; }
+
+        private string BuildCommand(List<AADObject> principals, string? leaderName)
+        {
+            // Order-insensitive: sort by Id so equivalent sets don't emit churn
+            var ids = principals
+                .OrderBy(p => p.Id, StringComparer.OrdinalIgnoreCase)
+                .Select(a => "\"" + a.Id + "\""
+                );
+
+            // Kusto control commands expect the literal keyword 'none' when no principals
+            // are supplied. Wrapping none in parentheses makes it a principal named "none"
+            // and the command is rejected, so only use parentheses for non-empty sets.
+            var idsFragment = ids.Any() ? $"({string.Join(",", ids)})" : "none";
+
+            // Leader name is optional; when provided we append it the same way the
+            // portal does (e.g. '.add follower database DB viewers (...) "leader"').
+            var leaderSuffix = string.IsNullOrWhiteSpace(leaderName) ? string.Empty : $" '{leaderName}'";
+
+            return $".set follower database {Db.BracketIfIdentifier()} {Entity.ToLower()} {idsFragment}{leaderSuffix}";
+        }
+
+        private void Init()
+        {
+            var targetCmd = BuildCommand(To, LeaderName);
+            var currentCmd = BuildCommand(From, CurrentLeaderName);
+
+            if (!string.Equals(targetCmd, currentCmd, StringComparison.Ordinal))
+            {
+                var script = new DatabaseScript { Text = targetCmd, Order = 0 };
+                var container = new DatabaseScriptContainer(script, "FollowerPermissionChange");
+                var code = KustoCode.Parse(script.Text);
+                container.IsValid = !code.GetDiagnostics().Any();
+                Scripts.Add(container);
+            }
+
+            var added = To.Where(itm => From.All(t => t.Id != itm.Id)).ToList();
+            var removed = From.Where(itm => To.All(t => t.Id != itm.Id)).ToList();
+            var changed = From.Join(To, f => f.Id, t => t.Id, (f, t) => new { f, t })
+                              .Where(x => x.f.Name != x.t.Name)
+                              .ToList();
+
+            var sb = new StringBuilder();
+            sb.AppendLine($"## {Entity} (Follower)");
+            sb.AppendLine();
+            sb.AppendLine("<table>");
+            sb.AppendLine("<tr></tr>");
+
+            if (added.Any())
+            {
+                sb.AppendLine("<tr><td colspan=\"2\">Added:</td><td colspan=\"10\">" + string.Join("<br>", added.Select(t => $"{t.Name} ({t.Id})")) + "</td></tr>");
+            }
+            if (removed.Any())
+            {
+                sb.AppendLine("<tr><td colspan=\"2\">Removed:</td><td colspan=\"10\">" + string.Join("<br>", removed.Select(t => $"{t.Name} ({t.Id})")) + "</td></tr>");
+            }
+            if (changed.Any())
+            {
+                Scripts.Add(new DatabaseScriptContainer("FollowerPermissionRenamed", -1, "// No Database Change"));
+                sb.AppendLine("<tr><td colspan=\"2\">Changed:</td><td colspan=\"10\">" + string.Join("<br>", changed.Select(t => $"{t.f.Name} => {t.t.Name} ({t.t.Id})")) + "</td></tr>");
+            }
+
+            var logo = Scripts.Any() && Scripts.First().IsValid == false ? ":red_circle:" : ":green_circle:";
+            var displayCmd = Scripts.FirstOrDefault()?.Script?.Text ?? currentCmd;
+            sb.AppendLine($"<tr><td colspan=\"2\">{logo}</td><td colspan=\"10\"><pre lang=\"kql\">{displayCmd.PrettifyKql()}</pre></td></tr>");
+            sb.AppendLine("</table>");
+
+            Markdown = sb.ToString();
+        }
+    }
+}

KustoSchemaTools/Model/FollowerDatabase.cs

@@ -6,6 +6,9 @@ public class FollowerDatabase
         public FollowerCache Cache { get; set; } = new FollowerCache();
         // TODO: No logic to load data / roll out changes implemented yet!
         public FollowerPermissions Permissions { get; set; } = new FollowerPermissions();
+
+        // Populated when available from follower metadata (e.g., Data Share followers)
+        public string? LeaderClusterMetadataPath { get; set; }
     }
 
 }

KustoSchemaTools/Model/FollowerPermissions.cs

@@ -5,6 +5,14 @@ public class FollowerPermissions
         public FollowerModificationKind ModificationKind { get; set; }
         public List<AADObject> Viewers { get; set; } = new List<AADObject>();
         public List<AADObject> Admins { get; set; } = new List<AADObject>();
+
+        /// <summary>
+        /// Optional leader/follower name as known to the cluster. Some follower commands
+        /// (e.g. .add follower database ... ) allow/require the leader name. We keep it
+        /// here in case future YAML/metadata provides it. Not currently required for
+        /// .set follower database operations.
+        /// </summary>
+        public string? LeaderName { get; set; }
     }
 
 }

KustoSchemaTools/Parser/KustoLoader/FollowerLoader.cs

@@ -1,4 +1,5 @@
 using KustoSchemaTools.Model;
+using KustoSchemaTools.Parser;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using System;
@@ -21,15 +22,24 @@ public class FollowerLoader
         | where isnotempty(Timespan)
         | limit 1
     )
-| summarize CachingPolicies=make_bag(bag_pack(Table,Timespan))
-)
-";
+| summarize CachingPolicies=make_bag(bag_pack(Table,Timespan)),
+            DatabaseName=any(DatabaseName),
+            LeaderClusterMetadataPath=any(LeaderClusterMetadataPath),
+            CachingPolicyOverride=any(CachingPolicyOverride),
+            AuthorizedPrincipalsOverride=any(AuthorizedPrincipalsOverride),
+            AuthorizedPrincipalsModificationKind=any(AuthorizedPrincipalsModificationKind),
+            CachingPoliciesModificationKind=any(CachingPoliciesModificationKind),
+            ChildEntities=any(ChildEntities),
+            OriginalDatabaseName=any(OriginalDatabaseName),
+            IsAutoPrefetchEnabled=any(IsAutoPrefetchEnabled),
+            LeaderName=any(LeaderName)
+)";
 
         public static FollowerDatabase LoadFollower(string databaseName, KustoClient client)
         {
             var follower = new FollowerDatabase { DatabaseName = databaseName };
             // Execute the query and handle the case where no rows are returned (e.g., database is not a follower)
-            var queryResult = client.Client.ExecuteQuery(string.Format(FollowerMetadataQuery, databaseName));
+            var queryResult = client.Client.ExecuteQuery(string.Format(FollowerMetadataQuery, databaseName.BracketIfIdentifier()));
             var metdaData = queryResult.As<FollowerMetadata>().FirstOrDefault();
 
             if (metdaData == null)
@@ -73,6 +83,53 @@ public static FollowerDatabase LoadFollower(string databaseName, KustoClient cli
                 target.Add(key, kvp.Value.Days+"d");
             }
 
+            follower.Permissions.LeaderName = metdaData.LeaderName;
+            follower.LeaderClusterMetadataPath = metdaData.LeaderClusterMetadataPath;
+
+            // Parse principals override so we can diff/emit follower permission changes
+            if (!string.IsNullOrWhiteSpace(metdaData.AuthorizedPrincipalsOverride))
+            {
+                try
+                {
+                    var arr = JArray.Parse(metdaData.AuthorizedPrincipalsOverride);
+                    foreach (var principalObj in arr)
+                    {
+                        var role = principalObj["Role"]?.Value<int?>();
+                        var principal = principalObj["Principal"]?["FullyQualifiedName"]?.Value<string>()
+                                        ?? principalObj["Principal"]?["Id"]?.Value<string>();
+                        var displayName = principalObj["Principal"]?["DisplayName"]?.Value<string>()
+                                         ?? principal;
+
+                        if (string.IsNullOrWhiteSpace(principal) || role == null)
+                        {
+                            continue;
+                        }
+
+                        var aadObj = new AADObject
+                        {
+                            Id = principal,
+                            Name = displayName
+                        };
+
+                        // Role mapping per Kusto: 0=Admin,1=User,2=Viewer. We only
+                        // support Admin/Viewer for followers today.
+                        if (role == 0)
+                        {
+                            follower.Permissions.Admins.Add(aadObj);
+                        }
+                        else if (role == 2)
+                        {
+                            follower.Permissions.Viewers.Add(aadObj);
+                        }
+                    }
+                }
+                catch (Exception)
+                {
+                    // Ignore parse errors; permissions will be treated as empty and
+                    // no changes will be generated.
+                }
+            }
+
             return follower;
         }
     }
@@ -81,6 +138,7 @@ public class FollowerMetadata
     {        
         public string? DatabaseName { get; set; }
         public string? LeaderClusterMetadataPath { get; set; }
+        public string? LeaderName { get; set; }
         public string? CachingPolicyOverride { get; set; }
         public string? AuthorizedPrincipalsOverride { get; set; }
         public string? AuthorizedPrincipalsModificationKind { get; set; }