Enable RBAC support for MongoDB and Cassandra APIs (#2198)

* enable RBAC support for Mongo & Cassandra API * fix formatting issue * Handling AAD integration for Mongo Shell * remove empty aadToken error * fix formatting issue * added environment specific scope endpoints
2025-12-20 17:30:46 +00:00 · 2025-09-19 01:25:35 +05:30
parent cfb5db4df6
commit 76e63818d3
19 changed files with 371 additions and 91 deletions
--- a/src/Utils/APITypeUtils.ts
+++ b/src/Utils/APITypeUtils.ts
@@ -91,5 +91,11 @@ export const getItemName = (): string => {
 };

 export const isDataplaneRbacSupported = (apiType: string): boolean => {
-  return apiType === "SQL" || apiType === "Tables" || apiType === "Gremlin";
+  return (
+    apiType === "SQL" || apiType === "Tables" || apiType === "Gremlin" || apiType === "Mongo" || apiType === "Cassandra"
+  );
+};
+
+export const hasProxyServer = (apiType: string): boolean => {
+  return apiType === "Mongo" || apiType === "Cassandra";
 };
--- a/src/Utils/AuthorizationUtils.test.ts
+++ b/src/Utils/AuthorizationUtils.test.ts
@@ -104,7 +104,7 @@ describe("AuthorizationUtils", () => {

    it("should return true if dataPlaneRbacEnabled is set to true and API supports RBAC", () => {
      setAadDataPlane(false);
-      ["SQL", "Tables", "Gremlin"].forEach((type) => {
+      ["SQL", "Tables", "Gremlin", "Mongo", "Cassandra"].forEach((type) => {
        updateUserContext({
          dataPlaneRbacEnabled: true,
          apiType: type as ApiType,
@@ -115,7 +115,7 @@ describe("AuthorizationUtils", () => {

    it("should return false if dataPlaneRbacEnabled is set to true and API does not support RBAC", () => {
      setAadDataPlane(false);
-      ["Mongo", "Cassandra", "Postgres", "VCoreMongo"].forEach((type) => {
+      ["Postgres", "VCoreMongo"].forEach((type) => {
        updateUserContext({
          dataPlaneRbacEnabled: true,
          apiType: type as ApiType,
--- a/src/Utils/AuthorizationUtils.ts
+++ b/src/Utils/AuthorizationUtils.ts
@@ -1,6 +1,7 @@
 import * as msal from "@azure/msal-browser";
+import { getEnvironmentScopeEndpoint } from "Common/EnvironmentUtility";
 import { Action, ActionModifiers } from "Shared/Telemetry/TelemetryConstants";
-import { isDataplaneRbacSupported } from "Utils/APITypeUtils";
+import { hasProxyServer, isDataplaneRbacSupported } from "Utils/APITypeUtils";
 import { AuthType } from "../AuthType";
 import * as Constants from "../Common/Constants";
 import * as Logger from "../Common/Logger";
@@ -74,10 +75,12 @@ export async function acquireMsalTokenForAccount(
  if (userContext.databaseAccount.properties?.documentEndpoint === undefined) {
    throw new Error("Database account has no document endpoint defined");
  }
-  const hrefEndpoint = new URL(userContext.databaseAccount.properties.documentEndpoint).href.replace(
-    /\/+$/,
-    "/.default",
-  );
+  let hrefEndpoint = "";
+  if (isDataplaneRbacEnabledForProxyApi(userContext)) {
+    hrefEndpoint = getEnvironmentScopeEndpoint();
+  } else {
+    hrefEndpoint = new URL(userContext.databaseAccount.properties.documentEndpoint).href.replace(/\/+$/, "/.default");
+  }
  const msalInstance = await getMsalInstance();
  const knownAccounts = msalInstance.getAllAccounts();
  // If user_hint is provided, we will try to use it to find the account.
@@ -183,7 +186,11 @@ export async function acquireTokenWithMsal(

 export function useDataplaneRbacAuthorization(userContext: UserContext): boolean {
  return (
-    userContext.features.enableAadDataPlane ||
+    userContext.features?.enableAadDataPlane ||
    (userContext.dataPlaneRbacEnabled && isDataplaneRbacSupported(userContext.apiType))
  );
 }
+
+export function isDataplaneRbacEnabledForProxyApi(userContext: UserContext): boolean {
+  return useDataplaneRbacAuthorization(userContext) && hasProxyServer(userContext.apiType);
+}