Granting git fetch permissions (but not git push) on Azure Web Sites - azure

Which RBAC permissions control access to git fetch and git push when using a local Git repository? Is it possible (using a custom RBAC role) to grant git fetch permissions without git push permissions?

That is not currently supported. The RBAC situation is:
if you're a Reader on the site, you can't access the scm site at all, and hence can't use git.
if you're contributor or higher, you have full scm access, and can both fetch and push.
I'd suggest relying on github or bitbucket to give someone read only access to the repo.

Related

Limited access user on Azure DevOps on-premise can add/delete folders

We have Azure DevOps on-premise server 2020.1 RTW, we wanted to add users/groups with limited access to Wiki pages only. We added the group to the project and added the user to the group and updated all the permissions from Project Security to: Deny except for: View project-level information permission (set to: Allow). Permissions have also been updated from Collection Security settings. The user currently can view Wiki pages but he can also add/delete Pipeline folders. Any idea on how can we revoke the folder deletion permission? Note: I followed the below articles but the issue still not resolved:
https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/set-permissions?view=azure-devops&viewFallbackFrom=vsts
How to restrict access to Pipelines in Azure DevOps
Update: Included Image for access control summary for Pipeline level permissions:
This is the access control summary for Pipeline security
As per my knowledge we may set different level of pipeline permissions for the users.
Pipeline permissions are the permissions associated with pipelines in an Azure DevOps project. Permissions in Azure DevOps are hierarchical and can be set at the organization, server (for on-premises), project, and object levels.
Object-level permissions are designed to be more granular than organization-level permissions. For example, a user could have access to your Azure repository thanks to their organization-level permissions. However, that same user could be prevented from running a pipeline manually because of that pipeline's permissions.
Here is the reference for pipeline permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=azure-devops#pipeline-permissions-reference
This for access levels in azure devops
https://learn.microsoft.com/en-us/azure/devops/organizations/security/access-levels?view=azure-devops

Databricks Repo with Azure DevOps - 400 Bad Request when trying to add repo

when trying to use the databricks Repo feature with AzureDevOps, I am not able to add a repo to my databricks workspace add repo and I am getting a Bad Request as Response error message.
Under User settings -> Git Integration -> Git Provider I have selected Azure Devops Services and in advanced settings Notebook Git Versioning is enabled.
I tried with a different browser, aswell as in private mode. In addition I tried to delete my cookies, but still got the same error. The integration to GitHub with a PAT works fine. I am also able to sync notebooks to the Azure DevOps repository, but the repo feature itself is not working.
I work in a corporate environment and we use single sign on with Azure Active Directory to authenticate to the Workspace. I really dont have an idea what causes the issue.
My only guess is that something AD authentification related is not set properly.
Sometimes when trying to access the workspace via the azure portal I receive the message that my account has no Contributer or Owner Role on the workspace role warning, which is strange since I am an admin in the Databricks workspace. After clicking on sign in with AzureAD I receive the warning: AADSTS90015: Requested query string is too long query string warning. However if I click back in the browser and click again on sign in with AzureID I am able to access the workspace.
The 400 Bad Request is an error from Azure DevOps. We would recommend you reach out to Azure DevOps support for help on this.
Regarding the role warning, this is related to your permissions on the workspace object in Azure Active Directory (rather than your admin permissions in the workspace) - the error message indicates that when we looked up your permissions in Azure, they didn't match those of either a contributor or owner on the workspace. However, if you are a contributor and see this error occasionally, that is unexpected behavior and we can surface this internally.
Check if your account that signed in Databricks has the correct permissions in the workspace on Azure Portal, and on Azure DevOps to access the Git repository.
You also can try to use the same account to sign in Azure DevOps to see if you can access the specified repository.
For more details, you can see "Azure Databricks - Repos for Git integration".

In Azure DevOps project Repos not showing

Even though I have Project Admin, Contributor access. In Azure DevOps project, Repos not showing/visible.
Go to Organization Settings->Users->Manage user->Check the user's access level. If their access level is stakeholder, they cannot access the repository.
Change user access level from stakeholder to basic.

Giving a script Git access to a single Azure Repo

I want to poll an Azure Repo for changes with Git. A personal access token from my account would give it too much permissions.
Should I create a new user in Azure AD, add it to Azure Repo with read only and use it in the script? Or is there a better way than creating real users.
If you want to allow your git script to only access one specific Azure Repo. I'm afraid you will need to create a new user as a service account.
After the service account is created and added to your azure devops organization. You can set its access permission to only one repo in the project settings page. See below:
First deny its access to all the repositories.
Project settings-->Click Git repositories-->Search for the service account-->Deny Read permission
Then allow the Read permission to that one specific repository.
Project settings-->Select the repository you want allow the read permission-->Search for the service account-->Allow Read permission
The PAT generated from this service account will only have the access to that specific repo.

Some organisation's GitHub repositories are missing for continuous deployment on Azure

Context
We use the Deployment options of our Azure App Service to link it to one of our GitHub repositories, so that every pull request is automatically deployed.
We gave Azure access to our GitHub organisation via a dedicated GitHub account, which is set as an owner of the organisation (as an owner, the user is admin of all the repositories of the organisation).
Our organisation has 386 GitHub repositories.
Problem
Some of the repositories that we used to deploy are not available in the list of repositories anymore. Some others are still available.
What we checked
The missing repositories belong to our organisation.
Our dedicated GitHub user is admin of those missing repositories.
The 3rd-party access has been granted to Azure in GitHub (Azure Management Portal - Primary & Azure Management Portal - Secondary).
What we tried
We merged a PR in one of the missing repositories. It did not change anything.

Resources