
Automation of changing permission of Azure DevOps repository for a security group

I want to write PowerShell code to change the permissions of an Azure DevOps repository for a security group. The manual process is documented in [this article](https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-devops).


Please help me with the above.

I've blogged about the process on how to do this, not on the REST API per se, but using the az devops CLI.

The process is quite complex, since the permission model of Azure DevOps uses GUIDs and tokens for the permissions, users and access control list items.

az devops calls the REST API under the hood; you could use Fiddler to have a peek at the REST calls that are made to achieve the same thing.

The general process looks like this:

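```powershell
# Organization name (placeholder; set this to your own organization)
$org = "<your-organization>"

# Descriptor of the security group whose permissions will change
$subject = az devops security group list `
    --org "https://dev.azure.com/$org/" `
    --scope organization `
    --subject-types vssgp `
    --query "graphGroups[?@.principalName == '[$org]\Project Collection Administrators'].descriptor | [0]"

# ID of the 'Git Repositories' security namespace
$namespaceId = az devops security permission namespace list `
    --org "https://dev.azure.com/$org/" `
    --query "[?@.name == 'Git Repositories'].namespaceId | [0]"

# Bit value of the permission to set (here: PullRequestBypassPolicy)
$bit = az devops security permission namespace show `
    --namespace-id $namespaceId `
    --org "https://dev.azure.com/$org/" `
    --query "[0].actions[?@.name == 'PullRequestBypassPolicy'].bit | [0]"

# Allow that bit for the group on the token; --merge keeps the existing allow/deny bits
az devops security permission update `
    --id $namespaceId `
    --subject $subject `
    --token "repoV2/" `
    --allow-bit $bit `
    --merge true `
    --org https://dev.azure.com/$org/
```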

The token is made up of a number of identifiers:

```
repoV2/daec401a-49b6-4758-adb5-3f65fd3264e3/f59f38e0-e8c4-45d5-8dee-0d20e7ada1b7/refs/heads/6600650061007400750072006500/6d0069006e006500
^      ^                                    ^                                    ^
|      |                                    |                                    |
|      |                                    |                                    -- The branch
|      |                                    -- The Git Repository
|      -- The Team Project Guid
|
-- The root object (Repositories)
```

This sets the permissions for all git repos; the blog contains the code to generate a --token for a specific branch:

```powershell
# Encode a string as the lowercase hex of its UTF-16LE bytes
function hexify($string) {
    return ($string | Format-Hex -Encoding Unicode | Select-Object -Expand Bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ''
}

$branch = "feature/mine"
# Each path segment of the branch name is encoded separately
$split = $branch.Split("/")
$hexBranch = ($split | ForEach-Object { hexify -string $_ }) -join "/"
$token = "refs/heads/$hexBranch"
# $token is now: refs/heads/6600650061007400750072006500/6d0069006e006500
```
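An added example, not part of the original answer or its blog post: it composes the full token for a project, a single repository, or a branch from the parts shown in the diagram above, and decodes a token back into readable form when reviewing existing ACL entries. The function names are illustrative, the GUIDs are the sample values from the diagram, and the hex encoding uses `[System.Text.Encoding]::Unicode` instead of `Format-Hex`.

```powershell
# Added example: function names are illustrative, not part of az devops.
function ConvertTo-HexSegment([string]$Text) {
    # UTF-16LE bytes as lowercase hex, the same encoding hexify produces
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
    return ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ''
}

function ConvertFrom-HexSegment([string]$Hex) {
    if ($Hex -notmatch '^([0-9a-fA-F]{4})+$') { throw "Not a UTF-16LE hex segment: $Hex" }
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return [System.Text.Encoding]::Unicode.GetString([byte[]]$bytes)
}

function New-GitRepoToken {
    param(
        [Parameter(Mandatory)][guid]$ProjectId,
        [guid]$RepositoryId,
        [string]$Branch
    )
    $hasRepo = $PSBoundParameters.ContainsKey('RepositoryId')
    if ($Branch -and -not $hasRepo) { throw 'A branch token needs -RepositoryId.' }
    $token = "repoV2/$ProjectId"
    if ($hasRepo) { $token += "/$RepositoryId" }
    if ($Branch) {
        # Each path segment of the branch name is encoded separately
        $hex = ($Branch.Split('/') | ForEach-Object { ConvertTo-HexSegment $_ }) -join '/'
        $token += "/refs/heads/$hex"
    }
    return $token
}

function Read-GitRepoToken([string]$Token) {
    # Turns a token from an ACL entry back into readable parts
    $parts = $Token.TrimEnd('/').Split('/')
    if ($parts[0] -ne 'repoV2') { throw "Not a Git Repositories token: $Token" }
    $branch = $null
    if ($parts.Count -gt 5 -and $parts[3] -eq 'refs' -and $parts[4] -eq 'heads') {
        $branch = ($parts[5..($parts.Count - 1)] | ForEach-Object { ConvertFrom-HexSegment $_ }) -join '/'
    }
    [pscustomobject]@{ ProjectId = $parts[1]; RepositoryId = $parts[2]; Branch = $branch }
}

# Sample GUIDs taken from the token diagram above
$token = New-GitRepoToken -ProjectId 'daec401a-49b6-4758-adb5-3f65fd3264e3' `
    -RepositoryId 'f59f38e0-e8c4-45d5-8dee-0d20e7ada1b7' -Branch 'feature/mine'
$token
Read-GitRepoToken $token
```

Pass the result as `--token` to `az devops security permission update`; omitting `-Branch` scopes the change to one repository instead of all of them.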
