brudert

Reputation: 537

Azure Data Lake Gen 2 default access control list not being applied to new files

Azure Data Lake Gen 2 has two levels of access control: role-based access control (RBAC) and access control lists (ACLs). RBAC functions at the container level, and ACLs can function at the directory and file level. For child objects of a directory to inherit the ACL of the parent, the "Default" permissions need to be specified to be the same as the access permissions of the parent.

See: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#default-permissions-on-new-files-and-directories

My issue is that I'm seeing behavior where child directories inherit their parent's ACL but child files do not.

My steps were thus:

  1. Create an AAD group, something like "Consumers"
  2. In Microsoft Azure Storage Explorer, create a new directory ("foo"), right click "foo", select "Manage Access", select "Add", add the "Consumers" group to the list, check [x] Access with [x] Read and [x] Execute. Check [x] Default with [x] Read and [x] Execute.
  3. Write an Azure Function that copies blobs from a container to something like "foo/dataset/2020/05/myblob.csv" in the container with managed access.
  4. Drill down directories; "dataset" directory has same ACL as "foo" as does "2020" and "05". But "myblob.csv" does not include the "Consumers" group in its ACL at all.

Is this unexpected behavior or am I missing something fundamental here?

It seems to be an issue with Functions, or the Azure Data Lake Gen 2 SDK (C#) used in the Function.

Using Azure Storage Explorer, when I manually add a file under a directory that I've added the "Consumers" group to, it applies the expected ACL. It also works when I add a directory containing a file: both the file in the subdirectory and the subdirectory have the expected ACL.

Thanks

[edit] Is this related to the umask when writing the file with the C# SDK? Do I need to override the default mask to allow files to inherit permissions of their parent? https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#the-mask

[edit2] I think it's related to using DataLakeFileClient.Rename to "move" the blob. I suspect the blob retains its original ACL instead of inheriting the ACL from its new parent. Writing a test...

Upvotes: 2

Views: 3205

Answers (1)

Psingla

Reputation: 21

Use Azure Storage Explorer to set the permissions. And use the "propagate access-list" feature to set proper permissions.

Upvotes: 1
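The inheritance rules the question relies on (a parent's default ACL becoming a new child's access ACL, with the fixed 007 umask applied) and the propagate step the answer recommends, as an added example that is not code from the question, the answer, or the Azure SDK. It is a stand-alone Python model of the ACL semantics, not a call into azure-storage-file-datalake: the group object ID is constructed, the root ACL and the `staging` path are assumptions, and the rename behaviour modelled (the node keeps the ACL it already had, nothing is re-inherited from the destination parent) is the suspicion from edit2 of the question, labelled as such in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

UMASK = 0o007  # fixed ADLS Gen2 umask: inherited "other" bits are always cleared
CONSUMERS = "11111111-2222-3333-4444-555555555555"  # constructed AAD group object ID


@dataclass(frozen=True)
class AclEntry:
    default: bool  # True for a "default:" entry; only directories carry these
    kind: str      # "user", "group", "other" or "mask"
    oid: str       # "" for the owning user/group, otherwise an AAD object ID
    perms: int     # rwx as a 3-bit value


def _perms_from_str(s: str) -> int:
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)


def _perms_to_str(p: int) -> str:
    return ("r" if p & 4 else "-") + ("w" if p & 2 else "-") + ("x" if p & 1 else "-")


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the comma-separated '[default:]type:id:perms' form ADLS Gen2 uses."""
    entries = []
    for item in text.split(","):
        parts = item.split(":")
        default = parts[0] == "default"
        kind, oid, perms = parts[1:] if default else parts
        entries.append(AclEntry(default, kind, oid, _perms_from_str(perms)))
    return entries


def format_acl(entries: List[AclEntry]) -> str:
    return ",".join(("default:" if e.default else "")
                    + f"{e.kind}:{e.oid}:{_perms_to_str(e.perms)}" for e in entries)


def _umask_bits(e: AclEntry) -> int:
    """Umask bits that apply to an inherited entry (named entries are left as-is here)."""
    if e.kind == "user" and e.oid == "":
        return (UMASK >> 6) & 7
    if e.kind == "group" and e.oid == "":
        return (UMASK >> 3) & 7
    if e.kind == "other":
        return UMASK & 7
    return 0


def inherit_acl(parent_acl: List[AclEntry], is_dir: bool) -> List[AclEntry]:
    """ACL of a newly created child: the parent's defaults become its access ACL
    (masked); a child directory also copies the defaults so its own children inherit."""
    defaults = [e for e in parent_acl if e.default]
    if not defaults:
        raise ValueError("parent has no default ACL; that case is not modelled here")
    access = [AclEntry(False, e.kind, e.oid, e.perms & ~_umask_bits(e)) for e in defaults]
    return access + (defaults if is_dir else [])


class Lake:
    """Toy ADLS Gen2 tree: path -> (is_dir, acl). The root has path ""."""

    def __init__(self, root_acl: str):
        self.nodes: Dict[str, Tuple[bool, List[AclEntry]]] = {"": (True, parse_acl(root_acl))}

    @staticmethod
    def _parent(path: str) -> str:
        return path.rsplit("/", 1)[0] if "/" in path else ""

    def acl(self, path: str) -> str:
        return format_acl(self.nodes[path][1])

    def set_acl(self, path: str, text: str) -> None:
        self.nodes[path] = (self.nodes[path][0], parse_acl(text))

    def create(self, path: str, is_dir: bool) -> str:
        parent_is_dir, parent_acl = self.nodes[self._parent(path)]
        if not parent_is_dir:
            raise ValueError("parent is a file")
        self.nodes[path] = (is_dir, inherit_acl(parent_acl, is_dir))
        return self.acl(path)

    def rename(self, src: str, dst: str) -> str:
        # Assumption modelled (the question's edit2 suspicion): a rename is a metadata
        # move; the node keeps its existing ACL and re-inherits nothing from dst's parent.
        self.nodes[dst] = self.nodes.pop(src)
        return self.acl(dst)

    def propagate(self, dirpath: str) -> List[str]:
        """Re-derive every descendant's ACL from its parent's defaults, top-down
        (the effect of Storage Explorer's propagate / a recursive ACL update)."""
        changed = []
        for path in sorted(p for p in self.nodes if p.startswith(dirpath + "/")):
            is_dir = self.nodes[path][0]
            self.nodes[path] = (is_dir, inherit_acl(self.nodes[self._parent(path)][1], is_dir))
            changed.append(path)
        return changed


def demo() -> Dict[str, str]:
    """Replay the question's steps; returns the file ACL at each stage."""
    lake = Lake("user::rwx,group::r-x,other::---,"
                "default:user::rwx,default:group::r-x,default:other::---")
    lake.create("foo", True)
    # Step 2: "Manage Access" on foo, Access r-x and Default r-x for Consumers
    lake.set_acl("foo", "user::rwx,group::r-x,other::---,group:%s:r-x,"
                        "default:user::rwx,default:group::r-x,default:other::---,"
                        "default:group:%s:r-x" % (CONSUMERS, CONSUMERS))
    for d in ("foo/dataset", "foo/dataset/2020", "foo/dataset/2020/05"):
        lake.create(d, True)
    written = lake.create("foo/dataset/2020/05/written.csv", False)  # created in place
    # Step 3 as suspected in edit2: written elsewhere, then renamed into foo/...
    lake.create("staging", True)
    lake.create("staging/myblob.csv", False)
    renamed = lake.rename("staging/myblob.csv", "foo/dataset/2020/05/myblob.csv")
    lake.propagate("foo")  # the answer's fix: push foo's defaults down the whole tree
    return {"written": written, "renamed": renamed,
            "after_propagate": lake.acl("foo/dataset/2020/05/myblob.csv")}
```

Running `demo()` shows the three states side by side: a file created directly under `05` carries `group:<Consumers>:r-x`, the renamed file carries only the ACL it got under `staging`, and only after the propagate does it match its siblings. Whatever the real cause turns out to be, the check to run against a live account is the same: read the file's ACL after the Function has written it and compare it with the parent's default entries.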
