3

Under the Access blade in the portal it shows that I am the Owner but it also says

Your Permissions

me@domain.onmicrosoft.com's effective permissions on this folder are: None

In AAD I can see that me@domain.onmicrosoft.com is associated with my account, which is listed as "My Name" under Owners.

I am trying to access a folder I created using permissions from an AAD application...

The error I get is:

LISTSTATUS failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.).

When I go into the root folder and go to the access blade, then click "advanced" and try to apply folder permissions to sub-folders (Apply to children button), it says

AccessControlException: SETACL failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.).

Does anyone know how to solve this?

Thank you!

AMZ

4 Answers

0

There are multiple things that are getting mixed up in this question making it difficult to answer. In abstract, here is a general document with an FAQ that explains the entire security model. https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-access-control

Kindly go through it and then perhaps repost/modify with a more specific repro of your problem. Here is the type of information that will make the question more concrete:

  1. Your folder structure to the root
  2. Permissions at each node including owner
  3. Who the access is happening as
  4. Expected and Actual outcome
Amit Kulkarni
  • 1
    Hi Amit, sorry I forgot to come back to answer this. It turns out it was an issue on Azure's side. Something with changes having a delay because with no changes it was resolved. The point of the question is that I was the Owner role, which I understand should be given permissions to view everything regardless of folder structure or ownership at each individual node. I could have made that more clear. https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-access-control#the-super-user – AMZ Dec 16 '17 at 20:07
  • @AMZ so, does this mean it is an Azure bug? I do have exactly the same problem, I just added an owner, and this owner can't do anything yet, like changing permissions at the folder level, however I thought an owner was able to do everything within ADLS. – dim_user Apr 03 '19 at 14:44
0

I ran into something similar and thought I'd post for everyone even though it seems like you solved yours.

Problem: Couldn't access folders within ADLS regardless of permission set (only super user could.)

Solution: Found here. As super user go to Data Explorer within ADLS. Then hit the access key on the top bar. Grant permission as desired.

Think they added this extra step so you could be more granular. Prob could use a hint when permission users in ADLS "This doesn't actually allow you to see or do anything...."

Corbin Hudson
0

One of the typical cases where you get a "Forbidden" response is that your AAD application does not have "Execute" permissions on the whole folder hierarchy, starting from the root.

E.g. if your folder is /abc/def, your AAD app should have Execute permissions on the root /, on /abc and on /abc/def to be able to read or write data in the /abc/def folder.

You can see how it works in the Overview of access control in Data Lake Storage Gen1.
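An added example, not part of the answer above or of any Azure SDK: a small offline model of the traversal rule it describes, reporting which folder on the path blocks an operation. The principal name `adl-app`, the sample ACLs and the helper names are constructed for illustration; only named-user entries are modeled, so owning user/group, mask and "other" entries are left out.

```python
from posixpath import normpath

# Constructed sample ACLs: folder -> {principal: "rwx"-style permission string}.
# "adl-app" is a hypothetical AAD application; paths follow the answer's /abc/def.
SAMPLE_ACLS = {
    "/": {"adl-app": "--x"},
    "/abc": {"adl-app": "---"},       # Execute is missing on this ancestor
    "/abc/def": {"adl-app": "rwx"},
}

# Permissions needed on the target folder itself, per operation.
TARGET_NEEDS = {"list": "r-x", "create_child": "-wx"}


def ancestors(path):
    """Return every folder from the root down to path, inclusive."""
    parts = [p for p in normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def has(granted, needed):
    """True if every bit set in needed (e.g. 'r-x') is also set in granted."""
    return all(n == "-" or g == n for g, n in zip(granted, needed))


def check_access(acls, principal, path, operation, superusers=()):
    """Return (allowed, blocking) where blocking lists (folder, granted, needed)."""
    if principal in superusers:       # super-users are not subject to ACL checks
        return True, []
    chain = ancestors(path)
    blocking = []
    for folder in chain:
        # Every ancestor needs Execute; the target needs the operation's own bits.
        needed = TARGET_NEEDS[operation] if folder == chain[-1] else "--x"
        granted = acls.get(folder, {}).get(principal, "---")
        if not has(granted, needed):
            blocking.append((folder, granted, needed))
    return not blocking, blocking


if __name__ == "__main__":
    print(check_access(SAMPLE_ACLS, "adl-app", "/abc/def", "list"))
```

With the sample data the app holds rwx on /abc/def itself, yet listing is still denied because /abc lacks Execute, which is the situation behind the LISTSTATUS "Forbidden" error.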

0

I was getting a similar error. After trial and error, I found out that somebody from my team had mounted a datalake with mount point '\mnt'.

So, I did:

dbutils.fs.unmount('/mnt')

This did the trick!