
I need to enable one external user to be able to access a single directory in a single container in my datalake, in order to upload some data. From what I see in the documentation, it should be possible to simply use RBAC & ACL, so that the user can authenticate himself later on using PowerShell and Connect-AzureAD (or to obtain an OAuth2 token).

However, I am having trouble with all those inherited permissions. Once I add a user to my active directory, he is not able to see anything, unless I give him at least reader access on the subscription level. This gives him at least reader permission on all the resources in this subscription, which cannot be removed.

Is it possible to configure this access in such a way that my user is only able to see a single datalake, single container, and a single folder within this container?

Grevioos
  • `unless I give him at least reader access on the subscription level.` - You need not do that. You can simply assign `reader` access on the data lake only. – Gaurav Mantri Aug 03 '21 at 15:16
  • @GauravMantri Thank you for your answer! Yes, but in this case, he gets reader access on all of the containers as well, which I would rather avoid. – Grevioos Aug 03 '21 at 15:22
  • I don't think so. Reader access is essentially a control plane access which will allow the user to login into Azure Portal and navigate to the data lake account (that's the only thing they will see). Access to container is a data plane access which is separate than your control plane access. – Gaurav Mantri Aug 03 '21 at 15:27

1 Answer

If you want just the one user to access only a single directory/container in your storage account, you should rather look at Shared Access Signatures or Stored Access policies.

For SAS : https://husseinsalman.com/securing-access-to-azure-storage-part-4-shared-access-signature/

For SAS built on top of Stored Access Policies : https://husseinsalman.com/securing-access-to-azure-storage-part-5-stored-access-policy/

Once you have configured the permissions just for that directory/container, you can send that Shared Access Signature to the user and he/she can use Azure Storage Explorer to perform file upload/delete etc. actions on your container.

Download Azure Storage Explorer here : https://azure.microsoft.com/en-us/features/storage-explorer/#overview

For how to use Azure Storage Explorer : https://www.red-gate.com/simple-talk/cloud/azure/using-azure-storage-explorer/

More on using Azure Storage Explorer with Azure Data Lake Gen2 : https://medium.com/microsoftazure/guidance-for-using-azure-storage-explorer-with-azure-ad-authorization-for-azure-storage-data-access-663c2c88efb

Rimaz Mohommed
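As an added example (not part of the answer above), here is what the two approaches look like in Az PowerShell: a SAS scoped to one directory of an ADLS Gen2 container, and a container SAS bound to a stored access policy so it can be revoked later. Resource group, account, container, directory and policy names are placeholders, and the script assumes you have already run Connect-AzAccount as someone allowed to read the account keys.

```powershell
# Added example, not the answer's own code. Placeholder names throughout.
$rg        = 'my-resource-group'   # placeholder
$account   = 'mydatalake'          # placeholder ADLS Gen2 storage account
$container = 'raw'                 # placeholder container / file system
$directory = 'incoming/partner-a'  # placeholder directory the user may write to

# Data-plane context from the account key; the key itself is never handed out.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# Option 1: SAS scoped to a single directory (hierarchical namespace accounts).
# Permissions: r=read, a=add, c=create, w=write, l=list. No 'd', so no delete.
$dirUrl = New-AzDataLakeGen2SasToken -FileSystem $container -Path $directory `
    -Permission 'racwl' -Protocol HttpsOnly `
    -ExpiryTime (Get-Date).AddDays(7) -Context $ctx -FullUri

# Option 2: stored access policy on the container, then a SAS that references it.
# The SAS carries no permissions of its own, so editing or deleting the policy
# revokes every SAS issued against it without rotating the account key.
$policy = 'partner-a-upload'     # placeholder policy name
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission 'rwl' -ExpiryTime (Get-Date).AddDays(30) -Context $ctx | Out-Null
$containerUrl = New-AzStorageContainerSASToken -Name $container -Policy $policy `
    -Protocol HttpsOnly -Context $ctx -FullUri

# Give the external user one of these URLs; in Azure Storage Explorer it goes
# under "Connect to Azure Storage" -> "Shared access signature URL".
Write-Output "Directory SAS URL:  $dirUrl"
Write-Output "Container SAS URL:  $containerUrl"

# To revoke option 2 early, remove the policy:
# Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy -Context $ctx
```

The user holding the SAS sees nothing in the portal and nothing outside the scoped directory or container, which is the separation between control plane (RBAC) and data plane that the comments above describe.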