
Azure Data Lake Gen 2 has two levels of access control: role-based access control (RBAC) and access control lists (ACLs). RBAC functions at the container level and ACLs can function at the directory and file level. For child objects of a directory to inherit the ACL of the parent, the "Default" permissions need to be specified to be the same as the access permissions of the parent.

See: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#default-permissions-on-new-files-and-directories

My issue is that I'm seeing behavior where child directories inherit their parent's ACL but child files do not.

My steps were thus:

  1. Create an AAD group, something like "Consumers"
  2. In Microsoft Azure Storage Explorer, create a new directory ("foo"), right click "foo", select "Manage Access", select "Add", add the "Consumers" group to the list, check [x] Access with [x] Read and [x] Execute. Check [x] Default with [x] Read and [x] Execute.
  3. Write an Azure Function that copies blobs from a container to something like "foo/dataset/2020/05/myblob.csv" in the container with managed access.
  4. Drill down directories; the "dataset" directory has the same ACL as "foo", as do "2020" and "05". But "myblob.csv" does not include the "Consumers" group in its ACL at all.

Is this unexpected behavior or am I missing something fundamental here?

It seems to be an issue with Functions, or the Azure Data Lake Gen 2 SDK (C#) used in the Function.

Using Azure Storage Explorer, when I manually add a file under a directory to which I've added the "Consumers" group, it applies the expected ACL. It also works when I add a directory containing a file - both the file in the subdirectory and the subdirectory have the expected ACL.

Thanks

[edit] Is this related to the umask when writing the file with the C# SDK? Do I need to override the default mask to allow files to inherit permissions of their parent? https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#the-mask

[edit2] I think it's related to using DataLakeFileClient.Rename to "move" the blob. I suspect the blob retains its original ACL instead of inheriting the ACL from its new parent. Writing a test...

brudert
  • Is this problem solved? – Hemant Chandurkar Jul 17 '20 at 10:49
  • @HemantChandurkar, kind of. It turns out my hunch was correct in my second edit. Using DataLakeFileClient.Rename does retain original ACL. I created a feature request in June: https://github.com/Azure/azure-sdk-for-net/issues/12512 – brudert Jul 17 '20 at 19:13
  • I have a similar problem and have not found a solution. My problem is that all the files I create inherit the default ACLs with the exception of the mask (for any folders everything is ok). Because of the mask, all the other service principal permissions have a warning that states "The following access permissions are beyond the bounds of the mask for this entity: Execute". I'm not sure what kind of effects this has, but no matter what I do to the parent folder I cannot change this behavior. Any file added will have all these warnings. – FabianVal Aug 06 '20 at 18:58
  • @FabianVal Any solution? I am also facing the same issue – Roshan Birar Oct 21 '20 at 05:52
  • @RoshanBirar did you manage to find a solution? – Bee_Riii Dec 08 '21 at 11:14

1 Answer


Use Azure Storage Explorer to set the permissions. And use the "propagate access-list" feature to set proper permissions.

Psingla
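The asker's second edit and follow-up comment pin the behaviour down: `DataLakeFileClient.Rename` keeps the file's original ACL instead of picking up the destination directory's default ACL, which is what a file created directly in that directory would receive. The C# snippet below is an added example, not code from the question, the answer, or the Azure SDK project; it shows the programmatic counterpart of the answer's manual fix for a single moved file. It uses the real `Azure.Storage.Files.DataLake` and `Azure.Identity` packages and their existing `RenameAsync`, `GetAccessControlAsync`, `SetAccessControlListAsync` and `PathAccessControlItem` APIs; the helper names `MoveAndInheritAsync` and `DeriveFileAcl`, the `<storage-account>` and `<container>` values, and the staging path are placeholders chosen for the example.

```csharp
// Added example: move a file with Rename, then replace its access ACL with the
// destination directory's default ACL, mirroring what a newly created file gets.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;

public static class AclAfterMove
{
    // Renames (moves) sourcePath to destinationPath within one file system, then
    // derives the moved file's access ACL from the new parent's default entries.
    // Assumes destinationPath contains at least one directory component.
    public static async Task<IList<PathAccessControlItem>> MoveAndInheritAsync(
        DataLakeFileSystemClient fileSystem, string sourcePath, string destinationPath)
    {
        int slash = destinationPath.LastIndexOf('/');
        if (slash <= 0)
            throw new ArgumentException("destination must be inside a directory", nameof(destinationPath));

        DataLakeFileClient source = fileSystem.GetFileClient(sourcePath);
        DataLakeFileClient moved = (await source.RenameAsync(destinationPath)).Value;

        // Read the destination directory's full ACL (access + default entries).
        DataLakeDirectoryClient parent = fileSystem.GetDirectoryClient(destinationPath.Substring(0, slash));
        PathAccessControl parentAcl = (await parent.GetAccessControlAsync()).Value;

        IList<PathAccessControlItem> inherited = DeriveFileAcl(parentAcl.AccessControlList);
        await moved.SetAccessControlListAsync(inherited);
        return inherited;
    }

    // Files carry no default scope, so every "default:" entry on the parent
    // (owner, group, named users/groups, mask, other) becomes an access entry on
    // the file. Parent entries without default scope are not inherited, which is
    // the documented create-time behaviour the asker expected from the service.
    public static IList<PathAccessControlItem> DeriveFileAcl(IEnumerable<PathAccessControlItem> parentAcl)
    {
        return parentAcl
            .Where(entry => entry.DefaultScope)
            .Select(entry => new PathAccessControlItem(
                entry.AccessControlType,
                entry.Permissions,
                defaultScope: false,
                entityId: entry.EntityId))
            .ToList();
    }

    public static async Task Main()
    {
        // Placeholder account and container names; replace with your own.
        var service = new DataLakeServiceClient(
            new Uri("https://<storage-account>.dfs.core.windows.net"),
            new DefaultAzureCredential());
        DataLakeFileSystemClient fileSystem = service.GetFileSystemClient("<container>");

        IList<PathAccessControlItem> acl = await MoveAndInheritAsync(
            fileSystem, "staging/myblob.csv", "foo/dataset/2020/05/myblob.csv");

        // Prints the applied ACL in the usual "user::r-x,group:<id>:r-x,..." form.
        Console.WriteLine(PathAccessControlExtensions.ToAccessControlListString(acl));
    }
}
```

Copying the parent's default mask entry along with the named entries keeps the file's effective permissions consistent with the parent, so a reviewer inspecting the file in Storage Explorer should not see the "beyond the bounds of the mask" warning mentioned in the comments unless the parent's own default ACL already has that mismatch. For a tree of files that were moved before the fix was in place, the SDK's `DataLakeDirectoryClient.SetAccessControlRecursiveAsync` is the programmatic equivalent of the "propagate access list" feature the answer recommends.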