Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope

Expert Contributor

I'm trying to get Cloudbreak to deploy a cluster on Azure. The first step is to create a set of Azure credentials in Cloudbreak. To do this, it's necessary to create a resource group, storage account, application, and application service principal:

# create a resource group in the West US region
azure group create woolford "westus"

# create a storage account in that resource group
azure resource create woolford woolfordstorage "Microsoft.Storage/storageAccounts" "westus" -o "2015-06-15" -p "{\"accountType\": \"Standard_LRS\"}"

# create an application and service principal
azure ad sp create -n awoolford -p Password123
#  info:    Executing command ad sp create
#  + Creating application awoolford                                              
#  + Creating service principal for application 2a105e3d-f330-4a6f-b5e3-57de672e91c1
#  data:    Object Id:               d14aa306-9d7c-41a5-809b-c27f86167ad5
#  data:    Display Name:            awoolford
#  data:    Service Principal Names:
#  data:                             2a105e3d-f330-4a6f-b5e3-57de672e91c1
#  data:                             http://awoolford
#  info:    ad sp create command OK

Once this is done, I collected all the IDs required by Cloudbreak and created a set of credentials in the Cloudbreak UI:

# get the subscription ID
azure account list
#  info:    Executing command account list
#  data:    Name           Id                                    Current  State  
#  data:    -------------  ------------------------------------  -------  --------
#  data:    SE             ********-****-****-****-*********797  true     Enabled 

# get the app owner tenant ID
azure account show --json | jq -r '.[0].tenantId'
#  b60c9401-2154-40aa-9cff-5e3d1a20085d

# get the storage account key
azure storage account keys list woolfordstorage --resource-group woolford
#  info:    Executing command storage account keys list
#  + Getting storage account keys                                                
#  data:    Name  Key                                                                                       Permissions
#  data:    ----  ----------------------------------------------------------------------------------------  -----------
#  data:    key1  a9jeK3iRSgHlGlgiM4HTCVnKPpgt7srFz+WE8bGz7tiUuTfVSjl8jRR/CuA+tQ6yiaNBtkTv3E5yGBsMW1H4Cg==  Full      
#  data:    key2  ozhjirLlt3pp96lLtrPzaNziPQtfJ0QGiG+ETL9uJgQnM+vrMU/qhzVUa5fhdZ8xa6xItSH/NiImL45zir7KwA==  Full      
#  info:    storage account keys list command OK

When I try to launch the cluster in Cloudbreak an error is thrown:

Cluster Status
{error={code=AuthorizationFailed, message=The client 'bbd3275e-34ba-4614-94a7-4ed09cc0f3aa' with object id 'bbd3275e-34ba-4614-94a7-4ed09cc0f3aa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/7d204bd6-841e-43fb-8638-c5eedf2ea797/resourcegroups/woolford-cloudbreak18'.}}

It seems that there's a permissions issue in Azure and I'm not sure how to resolve it. Can you see what I'm doing wrong? Any suggestions?

1 ACCEPTED SOLUTION


@Alex Woolford

The suggested way of creating these prerequisites is by using our CLI tool.

cbd azure configure-arm --app_name myapp --app_password password123 --subscription_id 1234-abcd-efgh-1234

This should create all the needed resources. For your particular case, the role assignment seems to be missing.

azure role assignment create --objectId $OBJECT_ID -o Owner -c /subscriptions/$APP_SUBSCRIPTION_ID &> $APP_NAME-assign.log

The new version of Cloudbreak coming soon will contain enhancements to automate this error-prone process from the UI.

Hope this helped!


3 REPLIES

Expert Contributor

Thanks @pdarvasi.

The CLI tool source code was very helpful to understand the step that I missed (i.e. role assignment). For some reason, the role assignment step is failing, e.g.

[root@cloudbreak cloudbreak-deployment]# azure role assignment create --objectId 0d49187f-6ca7-4a27-b276-b570c8dcba5a -o Owner -c /subscriptions/7d204bd6-841e-43fb-8638-c5eedf2ea797 &> $APP_NAME-assign.log

[root@cloudbreak cloudbreak-deployment]# cat awoolford-assign.log 
info:    Executing command role assignment create
info:    Finding role with specified name
info:    Creating role assignment
error:   The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
error:   Error information has been recorded to /root/.azure/azure.err
error:   role assignment create command failed

The associated error log has a very similar, but more verbose error:

[root@cloudbreak cloudbreak-deployment]# cat /root/.azure/azure.err
2017-03-16T14:59:12.520Z:
{ Error: The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
  <<< async stack >>>
  at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
  <<< raw stack >>>
    at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
    at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
    at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
    at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)
  stack: [Getter/Setter],
  code: 'AuthorizationFailed',
  statusCode: 403,
  requestId: '49bd5570-2c2c-49a7-aead-c30581a158a2',
  __frame: 
   { name: '__1',
     line: 73,
     file: '/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js',
     prev: undefined,
     calls: 1,
     active: false,
     offset: 79,
     col: 54 },
  rawStack: [Getter] }
Error: The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
  <<< async stack >>>
  at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
  <<< raw stack >>>
    at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
    at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
    at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
    at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)

I'm a bit confused, because I know this works for other people. I'd be surprised if my Azure account was set up with different permissions from my colleagues - though that's what the error seems to suggest.
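The two AuthorizationFailed messages in this thread (the service principal failing on 'Microsoft.Resources/subscriptions/resourcegroups/write' in the question, and the human user failing on 'Microsoft.Authorization/roleAssignments/write' in the reply above) have the same shape, and the fix in both cases is a role assignment at the right scope. The following is an added example, not code from the original posts or from Cloudbreak: it parses that message format and evaluates the required action against abbreviated models of the Azure built-in roles (Actions minus NotActions, with '*' wildcards) so you can see which role would grant it. The GUIDs and names in the sample messages are constructed placeholders, and the role definitions are shortened models, not the live definitions.

```python
"""
Troubleshooting helper for Azure 'AuthorizationFailed' errors of the kind
shown in this thread. Added example; not part of the original posts and not
Cloudbreak code.

 1. parse_authz_error(): extract client, object id, action and scope from the
    error text that the Azure CLI and Cloudbreak surface.
 2. role_permits() / roles_granting(): evaluate a role definition against the
    required action the way Azure RBAC does (Actions minus NotActions, '*'
    wildcards, case-insensitive operation names).

ROLES below are abbreviated models of the built-in Owner, Contributor and
User Access Administrator roles. The ids in the sample messages are
constructed placeholders.
"""
import re
from fnmatch import fnmatchcase

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

# Constructed sample messages mirroring the two errors in the thread.
SP_ERROR = (
    "The client 'aaaaaaaa-0000-0000-0000-000000000001' with object id "
    "'aaaaaaaa-0000-0000-0000-000000000001' does not have authorization to "
    "perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' "
    "over scope '/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourcegroups/example-rg'."
)
USER_ERROR = (
    "The client 'user@example.com' with object id "
    "'bbbbbbbb-0000-0000-0000-000000000002' does not have authorization to "
    "perform action 'Microsoft.Authorization/roleAssignments/write' over "
    "scope '/subscriptions/00000000-0000-0000-0000-000000000000'."
)

# Abbreviated models of Azure built-in role definitions (Actions / NotActions).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}


def parse_authz_error(text):
    """Return the fields of an AuthorizationFailed message, or None."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    # The subscription id is the path segment right after '/subscriptions/'.
    sub = re.search(r"/subscriptions/([^/']+)", fields["scope"])
    fields["subscription"] = sub.group(1) if sub else None
    return fields


def _matches(pattern, action):
    # Operation names are case-insensitive; '*' matches any run of characters.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role_name, action):
    """True if the role's Actions cover the action and NotActions do not."""
    role = ROLES[role_name]
    allowed = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not denied


def roles_granting(action):
    """Names of the modelled roles that would permit the action."""
    return [name for name in ROLES if role_permits(name, action)]


def diagnose(text):
    """Parsed error plus the roles that would grant the missing action."""
    fields = parse_authz_error(text)
    if fields is None:
        return None
    fields["roles_granting"] = roles_granting(fields["action"])
    return fields


if __name__ == "__main__":
    for sample in (SP_ERROR, USER_ERROR):
        d = diagnose(sample)
        print(f"{d['client']} needs {d['action']} at {d['scope']}")
        print(f"  granted by: {', '.join(d['roles_granting'])}")
```

Run against the two samples, the service principal's resource-group write is granted by Owner or Contributor on the subscription (the accepted answer assigns Owner), while the user's roleAssignments/write is granted only by Owner or User Access Administrator, which matches the last reply's point that the person creating the assignment must themselves be an admin on the subscription. The role models here are deliberately short; check the real definitions in your tenant before relying on them.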


@Alex Woolford That could be because your user is not an admin or co-admin in your subscription. This is a prerequisite, as per the documentation.