Add credential Scope keyword (Azure#20987)

* Support for audience

* Update CHANGELOG.md

* Update sdk/monitor/azure-monitor-query/azure/monitor/query/_metrics_query_client.py

Author: Rakshith Bhyravabhotla

sdk/monitor/azure-monitor-query/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 1.0.0b5 (Unreleased)
+## 1.0.0b5 (2021-10-05)
 
 ### Features Added
 
@@ -9,6 +9,7 @@
 - Added `LogsQueryStatus` Enum to describe the status of a result.
 - Added a new `LogsTableRow` type that represents a single row in a table.
 - Items in `metrics` list in `MetricsResult` can now be accessed by metric names.
+- Added `audience` keyword to support providing credential scope when creating clients.
 
 ### Breaking Changes
 
@@ -19,10 +20,6 @@
 - `query_batch` API now returns a union of `LogsQueryPartialResult`, `LogsQueryError` and `LogsQueryResult`.
 - `metric_namespace` is renamed to `namespace` and is a keyword-only argument in `list_metric_definitions` API.
 
-### Bugs Fixed
-
-### Other Changes
-
 ## 1.0.0b4 (2021-09-09)
 
 ### Features Added

sdk/monitor/azure-monitor-query/README.md

@@ -14,6 +14,10 @@ The Azure Monitor Query client library is used to execute read-only queries agai
 - [Samples][samples]
 - [Change log][changelog]
 
+## _Disclaimer_
+
+_Azure SDK Python packages support for Python 2.7 is ending 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_
+
 ## Getting started
 
 ### Prerequisites

sdk/monitor/azure-monitor-query/azure/monitor/query/_helpers.py

@@ -15,32 +15,38 @@
 
 
 def get_authentication_policy(
-    credential,  # type: TokenCredential
+    credential,  # type: "TokenCredential"
+    audience=None # type: str
 ):
     # type: (...) -> BearerTokenCredentialPolicy
     """Returns the correct authentication policy"""
-
+    if not audience:
+        audience = "https://api.loganalytics.io/"
+    scope = audience.rstrip('/') + "/.default"
     if credential is None:
         raise ValueError("Parameter 'credential' must not be None.")
     if hasattr(credential, "get_token"):
         return BearerTokenCredentialPolicy(
-            credential, "https://api.loganalytics.io/.default"
+            credential, scope
         )
 
     raise TypeError("Unsupported credential")
 
 
 def get_metrics_authentication_policy(
     credential,  # type: TokenCredential
+    audience=None # type: str
 ):
     # type: (...) -> BearerTokenCredentialPolicy
     """Returns the correct authentication policy"""
-
+    if not audience:
+        audience = "https://management.azure.com/"
+    scope = audience.rstrip('/') + "/.default"
     if credential is None:
         raise ValueError("Parameter 'credential' must not be None.")
     if hasattr(credential, "get_token"):
         return BearerTokenCredentialPolicy(
-            credential, "https://management.azure.com/.default"
+            credential, scope
         )
 
     raise TypeError("Unsupported credential")

sdk/monitor/azure-monitor-query/azure/monitor/query/_logs_query_client.py

@@ -49,15 +49,20 @@ class LogsQueryClient(object):
     :type credential: ~azure.core.credentials.TokenCredential
     :keyword endpoint: The endpoint to connect to. Defaults to 'https://api.loganalytics.io'.
     :paramtype endpoint: str
+    :keyword audience: URL to use for credential authentication with AAD.
+    :paramtype audience: str
     """
 
     def __init__(self, credential, **kwargs):
         # type: (TokenCredential, Any) -> None
-
-        self._endpoint = kwargs.pop("endpoint", "https://api.loganalytics.io/v1")
+        audience = kwargs.pop("audience", None)
+        endpoint = kwargs.pop("endpoint", "https://api.loganalytics.io/v1")
+        if not endpoint.startswith("https://") and not endpoint.startswith("http://"):
+            endpoint = "https://" + endpoint
+        self._endpoint = endpoint
         self._client = MonitorQueryClient(
             credential=credential,
-            authentication_policy=get_authentication_policy(credential),
+            authentication_policy=get_authentication_policy(credential, audience),
             base_url=self._endpoint,
             **kwargs
         )

sdk/monitor/azure-monitor-query/azure/monitor/query/_metrics_query_client.py

@@ -44,15 +44,21 @@ class MetricsQueryClient(object):
     :type credential: ~azure.core.credentials.TokenCredential
     :keyword endpoint: The endpoint to connect to. Defaults to 'https://management.azure.com'.
     :paramtype endpoint: str
+    :keyword audience: URL to use for credential authentication with AAD.
+    :paramtype audience: str
     """
 
     def __init__(self, credential, **kwargs):
         # type: (TokenCredential, Any) -> None
+        audience = kwargs.pop("audience", None)
         endpoint = kwargs.pop("endpoint", "https://management.azure.com")
+        if not endpoint.startswith("https://") and not endpoint.startswith("http://"):
+            endpoint = "https://" + endpoint
+        self._endpoint = endpoint
         self._client = MonitorQueryClient(
             credential=credential,
-            base_url=endpoint,
-            authentication_policy=get_metrics_authentication_policy(credential),
+            base_url=self._endpoint,
+            authentication_policy=get_metrics_authentication_policy(credential, audience),
             **kwargs
         )
         self._metrics_op = self._client.metrics

sdk/monitor/azure-monitor-query/azure/monitor/query/aio/_helpers_asyc.py

@@ -13,29 +13,35 @@
 
 def get_authentication_policy(
     credential: "AsyncTokenCredential",
+    audience: str = None
 ) -> AsyncBearerTokenCredentialPolicy:
     """Returns the correct authentication policy"""
-
+    if not audience:
+        audience = "https://api.loganalytics.io/"
+    scope = audience.rstrip('/') + "/.default"
     if credential is None:
         raise ValueError("Parameter 'credential' must not be None.")
     if hasattr(credential, "get_token"):
         return AsyncBearerTokenCredentialPolicy(
-            credential, "https://api.loganalytics.io/.default"
+            credential, scope
         )
 
     raise TypeError("Unsupported credential")
 
 
 def get_metrics_authentication_policy(
     credential: "AsyncTokenCredential",
+    audience: str = None
 ) -> AsyncBearerTokenCredentialPolicy:
     """Returns the correct authentication policy"""
-
+    if not audience:
+        audience = "https://management.azure.com/"
+    scope = audience.rstrip('/') + "/.default"
     if credential is None:
         raise ValueError("Parameter 'credential' must not be None.")
     if hasattr(credential, "get_token"):
         return AsyncBearerTokenCredentialPolicy(
-            credential, "https://management.azure.com/.default"
+            credential, scope
         )
 
     raise TypeError("Unsupported credential")

sdk/monitor/azure-monitor-query/azure/monitor/query/aio/_logs_query_client_async.py

@@ -35,13 +35,19 @@ class LogsQueryClient(object):
     :type credential: ~azure.core.credentials_async.AsyncTokenCredential
     :keyword endpoint: The endpoint to connect to. Defaults to 'https://api.loganalytics.io/v1'.
     :paramtype endpoint: str
+    :keyword audience: URL to use for credential authentication with AAD.
+    :paramtype audience: str
     """
 
     def __init__(self, credential: "AsyncTokenCredential", **kwargs: Any) -> None:
-        self._endpoint = kwargs.pop("endpoint", "https://api.loganalytics.io/v1")
+        audience = kwargs.pop("audience", None)
+        endpoint = kwargs.pop("endpoint", "https://api.loganalytics.io/v1")
+        if not endpoint.startswith("https://") and not endpoint.startswith("http://"):
+            endpoint = "https://" + endpoint
+        self._endpoint = endpoint
         self._client = MonitorQueryClient(
             credential=credential,
-            authentication_policy=get_authentication_policy(credential),
+            authentication_policy=get_authentication_policy(credential, audience),
             base_url=self._endpoint,
             **kwargs
         )

sdk/monitor/azure-monitor-query/azure/monitor/query/aio/_metrics_query_client_async.py

@@ -32,14 +32,20 @@ class MetricsQueryClient(object):
     :type credential: ~azure.core.credentials.TokenCredential
     :keyword endpoint: The endpoint to connect to. Defaults to 'https://management.azure.com'.
     :paramtype endpoint: str
+    :keyword audience: URL to use for credential authentication with AAD.
+    :paramtype audience: str
     """
 
     def __init__(self, credential: "AsyncTokenCredential", **kwargs: Any) -> None:
+        audience = kwargs.pop("audience", None)
         endpoint = kwargs.pop("endpoint", "https://management.azure.com")
+        if not endpoint.startswith("https://") and not endpoint.startswith("http://"):
+            endpoint = "https://" + endpoint
+        self._endpoint = endpoint
         self._client = MonitorQueryClient(
             credential=credential,
-            base_url=endpoint,
-            authentication_policy=get_metrics_authentication_policy(credential),
+            base_url=self._endpoint,
+            authentication_policy=get_metrics_authentication_policy(credential, audience),
             **kwargs
         )
         self._metrics_op = self._client.metrics