问题描述
我的目标是在目录级别上限制对Azure Data Lake Gen 2存储的访问(根据微软的承诺,这应该是可能的).
我在data lake gen 2容器中有两个目录 data
和 sensitive
.对于特定用户,我想授予对目录 data
的读取访问权限,并阻止对目录 sensitive
的任何访问.
沿
my goal is to restrict access to a Azure Data Lake Gen 2 storage on a directory level (which should be possible according to Microsoft's promises).
I have two directories data
, and sensitive
in a data lake gen 2 container. For a specific user, I want to grant read access to the directory data
and prevent any access to directory sensitive
.
Along the documentation I removed all RBAC assignements for that user (on storage account as well as data lake container) so that I have no inherited read access on the directories. Then I added a Read-ACL statement to the data
directory for that user.
My expectation:
- The user can directly download files from the
data
directory. - The user can not access files of the
sensitive
directoy
Reality:When I try to download files from the data directory I get a 403 ServiceCode=AuthorizationPermissionMismatch
az storage blob directory download -c containername -s data --account-name XXX --auth-mode login -d "./download" --recursive
RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
I expect that this should work. Otherwhise I only can grant access by assigning the Storage Blob Reader role but that applies to all directory and file within a container and cannot be overwritten by ACL statements. Did I something wrong here?
According to my research, if you want to grant a security principal read access to a file, we need to give the security principal Execute permissions to the container, and to each folder in the hierarchy of folders that lead to the file. for more details, please refer to the document
这篇关于仅通过ACL授予对Azure Data Lake Gen2访问的访问权限(无RBAC)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!