
I've set up my Azure Data Lake Gen2 with Access Control List (ACL) access via AAD groups only (no RBAC). The container folder has been granted execute and read permission, as have the relevant subfolder and files.

I can confirm access to the ACL-controlled files via Power BI; however, Azure Storage Explorer appears not to recognise the ACL permission. Is the lack of support for ACLs a known limitation of Azure Storage Explorer, or is there a way to make Azure Storage Explorer recognise allocated ACLs?

Steps taken:

- Created storage account as an Azure administrator, defaulted all options, except for adding hierarchical name support
- Created container raw
- Against container, selected Manage ACL, and added permissions for me, both Access and Default
- Saved ACL settings
- Uploaded a file to the folder
- Opened Azure Storage Explorer
- I can see the new file under the admin account, but not under my account

I expected to be able to see the storage account in the yellow section. I am using version 1.20 of Storage Explorer.

If I click on the container's Manage ACL under the user I created the storage account as, I can see permissions added as expected; I just cannot see the container under my account in Storage Explorer.

Jules
  • Jules, are you using private endpoints? I have a similar setup and I can access the files. Can you share more details as to if you have any other configurations, public access disabled, selected VNet and firewall? Check out: [How permissions are evaluated](https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#how-permissions-are-evaluated) and [Use Azure Storage Explorer to manage ACLs in Azure Data Lake Storage Gen2](https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-explorer-acl) – KarthikBhyresh-MT Aug 11 '21 at 18:05
  • "however Azure Storage Explorer appears not to recognize the ACL permission." please elaborate (snips would help) – KarthikBhyresh-MT Aug 11 '21 at 18:06
  • Jules, there is a known [limitation](https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-known-issues#storage-explorer-in-the-azure-portal) for using Storage Explorer in the Azure portal. But you can use Azure Storage Explorer versions 1.6.0 or higher from [here](https://azure.microsoft.com/en-in/features/storage-explorer/) – KarthikBhyresh-MT Aug 13 '21 at 04:18
  • @Karthik, for testing, I'm using a plain storage account, with hierarchical namespace added, no public access, no vnet, no private endpoint or firewall settings. I am running 1.20, which seems to be the latest. Downloading a new version from https://azure.microsoft.com/en-gb/features/storage-explorer/ results in the same version. I'll add more details to my question – Jules Aug 16 '21 at 08:56
  • Did you try as my answer below? – KarthikBhyresh-MT Aug 16 '21 at 09:08
  • I think that I have followed your steps. I have added evidence of the container with ACL permission - does that look like you'd expect? – Jules Aug 16 '21 at 09:28
  • Was my updated answer helpful? – KarthikBhyresh-MT Aug 20 '21 at 14:52

1 Answer

Just been struggling with similar. Not sure if your situation is the same as mine, but here is what I have found.

If a user has no RBAC over the storage account, then they aren't able to list the containers, so you wouldn't expect the account or containers to appear under their user account in Storage Explorer.

That doesn't mean you can't manually add the container though.

Go to Local & Attached > Storage Accounts. Right-click and choose Connect to Azure Storage.

Then select ADLS Gen2 Container or Directory

and then choose Azure AD as the auth method, select the relevant account if prompted, and then finally enter the full path of your container.

i.e. https://<adls storage account name>.dfs.core.windows.net/<container name>

And you should be good to go. Good luck!

Matt Symes
  • I didn’t know this until 2 weeks ago and I stumbled upon this. I can confirm that this works for containers and also directories (within a container). – Saugat Mukherjee Feb 11 '22 at 18:09
  • If we do the above, it results in the person being able to connect to the container but with no folders or files in it. Same with me and an admin! If I create the connection as you suggest, it results in an unusable connection. I'm running the latest Explorer version as of Aug 2023, so that's not it. – Gary Aug 25 '23 at 19:59
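
An added example, not part of the original answer or any Microsoft code: a simplified Python model of the two authorization layers the answer describes, RBAC for listing containers and ACLs for paths inside a container. The users, group, paths and the single all-granting role are constructed assumptions, and owner, other and mask entries are left out.

```python
R, W, X = 4, 2, 1  # POSIX-style permission bits used by ADLS Gen2 ACLs

# Constructed sample data: every identity, group and path below is hypothetical.
ACLS = {                                    # path -> {principal: permission bits}
    "raw":               {"grp-analysts": R | X},
    "raw/sales":         {"grp-analysts": R | X},
    "raw/sales/q1.csv":  {"grp-analysts": R},
    "raw/hr":            {"grp-analysts": X},   # traverse only, no Read
    "raw/hr/pay.csv":    {"grp-analysts": R},
    "raw/finance":       {},                    # no entry for the group
    "raw/finance/b.csv": {"grp-analysts": R},
}
GROUPS = {"jules": {"grp-analysts"}}        # AAD group membership
RBAC = {"admin"}                            # assumed: holds a data role covering every call

def acl_allows(user, path, want):
    """True if an ACL entry for the user or one of their groups grants all bits in `want`."""
    entries = ACLS.get(path, {})
    principals = {user} | GROUPS.get(user, set())
    return any((entries.get(p, 0) & want) == want for p in principals)

def ancestors(path):
    """'raw/sales/q1.csv' -> ['raw', 'raw/sales'], container root first."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def authorize(op, user, path=""):
    if user in RBAC:                 # role assignments are evaluated before ACLs
        return True
    if op == "list_containers":      # account-level call: no ACL exists at this level
        return False
    # Execute is needed on every ancestor directory, starting at the container root.
    if not all(acl_allows(user, d, X) for d in ancestors(path)):
        return False
    need = {"list_dir": R | X, "read_file": R}[op]
    return acl_allows(user, path, need)

if __name__ == "__main__":
    for op, path in [("list_containers", ""), ("list_dir", "raw"),
                     ("read_file", "raw/sales/q1.csv"), ("list_dir", "raw/hr"),
                     ("read_file", "raw/hr/pay.csv"), ("read_file", "raw/finance/b.csv")]:
        print(f"jules {op:15} {path or '(account)':20} -> {authorize(op, 'jules', path)}")
```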