
my goal is to restrict access to an Azure Data Lake Gen 2 storage on a directory level (which should be possible according to Microsoft's promises).

I have two directories data, and sensitive in a data lake gen 2 container. For a specific user, I want to grant read access to the directory data and prevent any access to directory sensitive.

Following the documentation, I removed all RBAC assignments for that user (on the storage account as well as the data lake container) so that I have no inherited read access on the directories. Then I added a Read-ACL statement to the data directory for that user.

My expectation:

  • The user can directly download files from the data directory.
  • The user can not access files of the sensitive directory.

Reality: When I try to download files from the data directory I get a 403 ServiceCode=AuthorizationPermissionMismatch

    az storage blob directory download -c containername -s data --account-name XXX --auth-mode login -d "./download" --recursive

    RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.

I expect that this should work. Otherwise I can only grant access by assigning the Storage Blob Reader role, but that applies to all directories and files within a container and cannot be overridden by ACL statements. Did I do something wrong here?

SherwoodCH

2 Answers


According to my research, if you want to grant a security principal read access to a file, we need to give the security principal Execute permissions to the container, and to each folder in the hierarchy of folders that lead to the file. For more details, please refer to the document.


Jim Xu
Comment: Was not aware that it is possible to add ACLs on a container level. This is only possible via the Storage Explorer app, not via the Portal (alternatively via Azure CLI + storage preview extension). When adding Read + Execute permission to the root of the container, it works as expected! Thank you. – SherwoodCH Mar 03 '20 at 08:35
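To make the traversal rule from this answer concrete, here is an added example (not from the answer or from Microsoft) that models how POSIX-style ACLs on ADLS Gen2 are evaluated for one principal: Execute is needed on the container root and on every directory above the target, Read on a file to download it, and Read + Execute on a directory to list it. The model is deliberately simplified: it ignores default ACLs, the mask entry, owning-user/group entries and RBAC, and the paths and ACL strings are constructed for illustration. It reproduces the 403 from the question (Read on /data only, nothing on the root) and shows that the fix from the comment (r-x on the root) opens /data while leaving /sensitive unreachable.

```python
"""Simplified model of ADLS Gen2 (POSIX-style) ACL evaluation for one principal."""


def _perms(acl_str):
    """Turn an 'rwx'-style string such as 'r-x' or '---' into a set of letters."""
    return {c for c in acl_str if c in "rwx"}


def ancestors(path):
    """Every directory strictly above `path`, starting at the container root '/'.

    ancestors('/data/report.csv') -> ['/', '/data']; ancestors('/') -> [].
    """
    parts = [p for p in path.split("/") if p]
    if not parts:
        return []
    result = ["/"]
    current = ""
    for part in parts[:-1]:
        current += "/" + part
        result.append(current)
    return result


def check_access(acls, path, op):
    """Decide whether `op` ('read_file' or 'list_dir') is allowed on `path`.

    `acls` maps a path to the principal's access ACL string; any path with no
    entry is treated as '---', which is what an unassigned principal gets.
    Returns (allowed, reason) so the first missing permission is explained.
    """
    # Traversal: execute (x) is required on the root and every parent directory.
    for parent in ancestors(path):
        if "x" not in _perms(acls.get(parent, "---")):
            return False, f"missing execute (x) on {parent}"
    own = _perms(acls.get(path, "---"))
    if op == "read_file":
        if "r" not in own:
            return False, f"missing read (r) on {path}"
    elif op == "list_dir":
        missing = {"r", "x"} - own
        if missing:
            return False, f"missing {''.join(sorted(missing))} on {path}"
    else:
        raise ValueError(f"unknown op {op!r}")
    return True, "allowed"


def required_acls(path, op):
    """Minimal access-ACL entries the principal needs for `op` on `path`."""
    plan = {parent: "--x" for parent in ancestors(path)}
    plan[path] = "r--" if op == "read_file" else "r-x"
    return plan


# Constructed: the setup from the question (Read on /data only, nothing on the root).
QUESTION_ACLS = {"/data": "r--"}
# Constructed: after the fix from the comment (r-x on the root), with r on the file.
FIXED_ACLS = {"/": "r-x", "/data": "r-x", "/data/report.csv": "r--"}

if __name__ == "__main__":
    for name, acls in (("question", QUESTION_ACLS), ("fixed", FIXED_ACLS)):
        print(name, "list /data:", check_access(acls, "/data", "list_dir"))
        print(name, "read /data/report.csv:", check_access(acls, "/data/report.csv", "read_file"))
        print(name, "read /sensitive/secret.csv:", check_access(acls, "/sensitive/secret.csv", "read_file"))
    print("needed for read:", required_acls("/data/report.csv", "read_file"))
```

The `required_acls` plan is the least-privilege shape to aim for: `--x` (not `r-x`) on the root and intermediate directories prevents the principal from listing them, and because `/sensitive` carries no entry for the principal, traversal into it is denied regardless of what its files allow.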

I found that I could not get ACLs to work without an RBAC role. I ended up creating a custom "Storage Blob Container Reader" RBAC role in my resource group with only permission "Microsoft.Storage/storageAccounts/blobServices/containers/read" to prevent access to listing and reading the actual blobs.