1. 我有一个 App1 (MultiTenant)，它在 HomeTenant1 中并且有 Clientid1。
2. 此 App1 在 Tenant2 中注册为服务主体。
3. 此 App1 然后在订阅的 Tenant2 中分配了几个角色 级范围。前任。在 Tenant2 的 Subs2 上说 贡献者 角色。
4. 我想通过 Java SDK 确定如何获取角色列表 分配给 Tenent2 上的此 SP。

这可以通过 az cli 完成 az 角色分配列表 --all --assignee

但我们希望通过 Java SDK 获得它。 以下是我们尝试过的代码片段。

 public class AzureRoles {
     private final  static String TENANT_ID = "redacted"; //target tenant
     private final static String CLIENT_ID = "redacted"; // From apps home tenant
     private final static String SUBSCRIPTIONID = "redacted"; //target tenant
     private final static String CLIENT_SECRET = "redacted"; // From apps home tenant
    
    
     public static void main(String []args) throws Exception {
         try {
             AzureProfile profile = new AzureProfile(TENANT_ID,SUBSCRIPTIONID,AzureEnvironment.AZURE);
             ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                     .clientId(CLIENT_ID)
                     .clientSecret(CLIENT_SECRET)
                     .tenantId(TENANT_ID)
                     .build();
             System.out.println(clientSecretCredential);
             System.out.println(profile.getSubscriptionId());
             AzureResourceManager azureResourceManager = AzureResourceManager
                     .authenticate(clientSecretCredential,profile)
                     .withSubscription(SUBSCRIPTIONID);
             System.out.println(azureResourceManager);
             RoleDefinition roleDefinition = azureResourceManager.accessManagement().roleDefinitions()
                     .getByScopeAndRoleName("subscriptions/" + profile.getSubscriptionId(),"Contributor");
             StringBuilder builder = new StringBuilder()
                     .append("Role Definition: ").append(roleDefinition.id())
                     .append("\n\tName: ").append(roleDefinition.name())
                     .append("\n\tRole Name: ").append(roleDefinition.roleName())
                     .append("\n\tType: ").append(roleDefinition.type())
                     .append("\n\tDescription: ").append(roleDefinition.description())
                     .append("\n\tType: ").append(roleDefinition.type());
    
             Set<Permission> permissions = roleDefinition.permissions();
             builder.append("\n\tPermissions: ").append(permissions.size());
             for (Permission permission : permissions) {
                 builder.append("\n\t\tPermission Actions: " + permission.actions().size());
                 for (String action : permission.actions()) {
                     builder.append("\n\t\t\tName :").append(action);
                 }
                 builder.append("\n\t\tPermission Not Actions: " + permission.notActions().size());
                 for (String notAction : permission.notActions()) {
                     builder.append("\n\t\t\tName :").append(notAction);
                 }
             }
    
             Set<String> assignableScopes = roleDefinition.assignableScopes();
             builder.append("\n\tAssignable scopes: ").append(assignableScopes.size());
             for (String scope : assignableScopes) {
                 builder.append("\n\t\tAssignable Scope: ")
                         .append("\n\t\t\tName :").append(scope);
             }
    
             System.out.println(builder.toString());
         } catch (Exception e) {
             System.out.println(e.getMessage());
             e.printStackTrace();
         }
    
    
     }
 }

它在 azureResourceManager 分配中抛出 NPE。

有关如何在 Java SDK 中完成此操作的任何想法？

更新 1

新代码：

import com.azure.core.credential.TokenCredential;
import com.azure.core.http.rest.PagedIterable;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
import com.azure.resourcemanager.authorization.models.RoleAssignment;
import com.azure.resourcemanager.authorization.models.RoleDefinition;


public class AzureRoles {
private final  static String TENANT_ID = "redacted";
private final static String HOME_TENANT_ID = "redacted";
private final static String CLIENT_ID = "redacted";
private final static String SUBSCRIPTIONID = "redacted";
private final static String CLIENT_SECRET =  "redacted";


public static void main(String []args) throws Exception {
    try {
        AzureProfile profile = new AzureProfile(TENANT_ID,AzureEnvironment.AZURE);
        TokenCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .tenantId(TENANT_ID)
                .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
                .build();
        System.out.println(clientSecretCredential);

        System.out.println(profile);
        AzureResourceManager azureResourceManager = AzureResourceManager
                .authenticate(clientSecretCredential,profile)
                .withSubscription(SUBSCRIPTIONID) ;
        System.out.println(azureResourceManager);
        PagedIterable<RoleAssignment> items =azureResourceManager.accessManagement().roleAssignments()
                .listByServicePrincipal("redacted");

        for (RoleAssignment item:items) {
            RoleDefinition role = azureResourceManager.accessManagement().roleDefinitions().getById(item.roleDefinitionId());
            System.out.println(role.roleName());
        }
    } catch (Exception e) {
        System.out.println(e.getMessage());
        e.printStackTrace();
    }


 }
}

错误信息

com.azure.identity.ClientSecretCredential@5223e5ee
com.azure.core.management.profile.AzureProfile@bef2d72
null
java.lang.NullPointerException
at java.util.Objects.requireNonNull(Objects.java:203)
at com.azure.core.http.policy.BearerTokenAuthenticationPolicy.<init>(BearerTokenAuthenticationPolicy.java:36)
at com.azure.core.management.http.policy.ArmChallengeAuthenticationPolicy.<init>(ArmChallengeAuthenticationPolicy.java:47)
at com.azure.resourcemanager.resources.fluentcore.policy.AuthenticationPolicy.<init>(AuthenticationPolicy.java:28)
at com.azure.resourcemanager.resources.fluentcore.utils.HttpPipelineProvider.buildHttpPipeline(HttpPipelineProvider.java:74)
at com.azure.resourcemanager.resources.fluentcore.utils.HttpPipelineProvider.buildHttpPipeline(HttpPipelineProvider.java:45)
at com.azure.resourcemanager.AzureResourceManager.authenticate(AzureResourceManager.java:163)
at AzureRoles.main(AzureRoles.java:32)

解决方法

        String clientId="";
        String clientSecret="";
        String tenant="";
        String subId="";
        AzureProfile profile = new AzureProfile(tenant,subId,AzureEnvironment.AZURE);
        TokenCredential credential = new ClientSecretCredentialBuilder()
                .clientId(clientId)
                .clientSecret(clientSecret)
                .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
                .tenantId(tenant)
                .build();


        AzureResourceManager azureResourceManager = AzureResourceManager
                .authenticate(credential,profile)
                .withSubscription(subId);


        PagedIterable<RoleAssignment> items =azureResourceManager.accessManagement().roleAssignments()
                .listByServicePrincipal("the object id of sp");

        for (RoleAssignment item:items) {

          RoleDefinition role = azureResourceManager.accessManagement().roleDefinitions().getById(item.roleDefinitionId());
            System.out.println(role.roleName());
        }