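【Posted】: 2021-02-18 17:10:48
【Question】:
I am trying to create Azure AD groups, create a DevOps project, and grant the Azure AD groups permissions on it. However, I found that Azure AD groups are not synced immediately (see https://developercommunity.visualstudio.com/idea/712605/allow-manual-force-sync-azure-active-directory-to.html)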
import json
import time

import requests
from requests.auth import HTTPBasicAuth

# Placeholders: substitute your own values and load secrets from a secret store
org = 'MY_ORG'
mymail = 'MY_MAIL'
JWT = 'MY_JWT'  # bearer token for Microsoft Graph
PAT = 'MY_PAT'  # Azure DevOps personal access token
cred = HTTPBasicAuth(mymail, PAT)

# create AAD groups
projectName = 'projectdeploy6'
URL = "https://graph.microsoft.com/v1.0/groups"
headers = {"Authorization": f"Bearer {JWT}"}
data = {
    'displayName': f'AAD_{projectName}_reader',
    'mailEnabled': 'false',
    'mailNickname': 'none',
    'securityEnabled': 'true'
}
r = requests.post(URL, json=data, headers=headers)
string = r.content.decode('utf-8')
readerId = json.loads(string)['id']
data['displayName'] = f'AAD_{projectName}_ProjectAdmin'
r = requests.post(URL, json=data, headers=headers)
string = r.content.decode('utf-8')
adminId = json.loads(string)['id']
data['displayName'] = f'AAD_{projectName}_Contributor'
r = requests.post(URL, json=data, headers=headers)
string = r.content.decode('utf-8')
contrId = json.loads(string)['id']

# create project
requesturl = f"https://dev.azure.com/{org}/_apis/projects?api-version=6.0"
data = {
    "name": projectName,
    "description": "description is requred",
    "capabilities": {
        "versioncontrol": {
            "sourceControlType": "Git"
        },
        "processTemplate": {
            "templateTypeId": "6b724908-ef14-45cf-84f8-768b5384da45"
        }
    }
}
r = requests.post(requesturl, json=data, auth=cred)
time.sleep(15)  # wait for project creation to finish

# look up the project and its scope descriptor
url = f"https://dev.azure.com/{org}/_apis/projects/{projectName}?api-version=6.0"
r = requests.get(url, auth=cred)
project = json.loads(r.content)
url = f"https://vssps.dev.azure.com/{org}/_apis/graph/descriptors/{project['id']}"
r = requests.get(url, auth=cred)
projectScp = json.loads(r.content)['value']

# get AAD groups (the f prefix was missing here, so {org} was sent literally)
url = f'https://vssps.dev.azure.com/{org}/_apis/graph/groups?api-version=5.1-preview.1'
r = requests.get(url, auth=cred)
d = json.loads(r.content)
adminAADGroup = [group for group in d['value'] if group['originId'] == adminId][0]
readerAADGroup = [group for group in d['value'] if group['originId'] == readerId][0]
contrAADGroup = [group for group in d['value'] if group['originId'] == contrId][0]

# get ADO groups
url = f"https://vssps.dev.azure.com/{org}/_apis/graph/groups?api-version=6.0-preview.1&scopeDescriptor={projectScp}&$search='displayName:projectdeploy1 Team'"
r = requests.get(url, auth=cred)
d = json.loads(r.content)
adminADOGroup = [group for group in d['value'] if group['displayName'] == 'Project Administrators'][0]
contrADOGroup = [group for group in d['value'] if group['displayName'] == 'Contributors'][0]
readerADOGroup = [group for group in d['value'] if group['displayName'] == 'Readers'][0]

# add the AAD admin group as a member of the project's administrators group
url = f"https://vssps.dev.azure.com/{org}/_apis/graph/memberships/{adminAADGroup['descriptor']}/{adminADOGroup['descriptor']}?api-version=6.1-preview.1"
r = requests.put(url, auth=cred)
json.loads(r.content)
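This line fails:
adminAADGroup =[group for group in d['value'] if group['originId'] == adminId][0]
I found that if I go to the DevOps web portal and search for the adminAAD group, it gets synced, and re-running the script then fails on the next line (getting the contributor group).
I tried intercepting the calls with Postman and found that it uses these APIs: PATCH https://dev.azure.com/{org}/_apis/IdentityPicker/Identities/me/mru/common
I captured the call in Postman, but when I tried to invoke it again I got an internal server error: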
{
    "$id": "1",
    "innerException": null,
    "message": "TF400898: An Internal Error Occurred. Activity Id: GUID.",
    "typeName": "Microsoft.VisualStudio.Services.IdentityPicker.IdentityPickerArgumentException, Microsoft.TeamFoundation.Framework.Server",
    "typeKey": "IdentityPickerArgumentException",
    "errorCode": 0,
    "eventId": 0
}
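Has anyone had success with any of the above?
【Comments】:
- When getting the contributor group fails, can you search for the contributor group in the Azure DevOps portal? There is a delay in syncing between the Azure DevOps service and Azure AD. Can you try calling the "get AAD groups" API once all the newly created groups are searchable in the Azure DevOps portal?
- The groups are immediately accessible from the DevOps portal; I believe the call to _apis/IdentityPicker/Identities/me/mru/common does the sync. Edit: to clarify, if I search for the newly created groups in the portal, they show up. After searching, they also appear in the "get ADO groups" API. If I don't search for them in the portal first, the "get ADO groups" API does not return them.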
Tags: azure azure-devops azure-active-directory
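
Added example, not part of the original thread: the failing `[0]` lookup replaced by a bounded poll with exponential backoff that waits for the new groups' `originId` values to show up in the graph/groups listing and, on timeout, names the ids that never appeared instead of raising an `IndexError`. It only waits for a sync and does not force one; the function names, the timeout values and the injected `sleep`/`clock` parameters are assumptions made for this sketch.

```python
import time


def wait_for_groups(fetch_groups, origin_ids, timeout=300.0, first_delay=2.0,
                    max_delay=30.0, sleep=time.sleep, clock=time.monotonic):
    """Poll until every AAD object id in origin_ids is some group's originId.

    fetch_groups is a callable returning the current list of group dicts
    (the 'value' array of the graph/groups response).
    Returns {originId: group}; raises TimeoutError listing the missing ids.
    """
    wanted = set(origin_ids)
    found = {}
    delay = first_delay
    deadline = clock() + timeout
    while True:
        for group in fetch_groups():
            oid = group.get("originId")
            if oid in wanted:
                found[oid] = group
        missing = wanted - set(found)
        if not missing:
            return found
        if clock() + delay > deadline:
            # Fail closed: never grant membership using a guessed descriptor.
            raise TimeoutError(
                f"groups not visible in Azure DevOps: {sorted(missing)}")
        sleep(delay)
        delay = min(delay * 2, max_delay)  # exponential backoff, capped


def ado_group_fetcher(org, auth):
    """Build a fetcher for the graph/groups endpoint used in the question."""
    import requests  # lazy import: the polling logic itself has no dependency

    url = (f"https://vssps.dev.azure.com/{org}"
           "/_apis/graph/groups?api-version=5.1-preview.1")

    def fetch():
        r = requests.get(url, auth=auth, timeout=30)
        r.raise_for_status()  # surface 401/403/5xx instead of a KeyError later
        return r.json().get("value", [])

    return fetch
```

With the question's variables this would be called as `groups = wait_for_groups(ado_group_fetcher(org, cred), [adminId, readerId, contrId])`, after which `groups[adminId]['descriptor']` replaces `adminAADGroup['descriptor']`.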