Azure ACLs not being Honoured and Respected

Parth Soni 0 Reputation points
2023-02-14T14:16:14.07+00:00

Azure ACLs are not being honoured at all. I have gone through all the Microsoft documents to make directory-level access control work, but no luck.

I thoroughly and carefully went through the Access Control Model article and the section "Permissions table: Combining Azure RBAC and ACL", but still no luck.

I have a .NET DataLakeFileUpload client app, which I developed to upload files to a Data Lake file system container using a service principal. I configured the service principal's assignable scope at the container level, so no other container is accessible by this SP. All good so far. Following the access control model, I gave only read permission in the Actions and DataActions of an Azure custom role (cloned from Storage Blob Data Reader), hoping that the ACLs would now take care of directory-level security and access, but the ACLs are getting bypassed totally by the SP.

I correctly configured the ACL on everything from the root directory down to the child items, following the example given in the documentation, but it's not working. That service principal isn't able to write anything to the directory where it is supposed to write data, a folder with -wx permission.

If I give the custom RBAC role write permission in DataActions, then it can write files anywhere in the whole container, totally bypassing and dishonouring the ACLs.

I am totally blank on how to make directory-level access control work.


1 answer

  1. SaiKishor-MSFT 17,336 Reputation points
    2023-02-15T20:54:21.6233333+00:00

    @Parth Soni Thanks for reaching out to Microsoft Q&A.

    It sounds like you're having trouble getting the ACLs to work as expected in your Azure Data Lake Storage Gen2 setup. To help you troubleshoot the issue, I would recommend checking the following:

    1. Make sure that the Azure role assignments are correctly configured for the service principal. The role assignments take priority over the ACLs, so if the service principal has write access through a role assignment, the ACLs will not be evaluated.
    2. Verify that the ACLs are correctly set on the directories and files. You can use the Azure portal, Azure CLI, or Azure Storage REST API to view and modify the ACLs.
    3. Ensure that the service principal has the correct permissions to perform the operations you want it to perform. For example, if you want the service principal to write to a directory, it needs to have write permissions on that directory.
    4. If you're still having trouble, you can try using the Azure Storage REST API to perform the operations and see if you get any error messages that can help you diagnose the issue.

    Please refer to this document, which shows how permissions are evaluated for ACLs in ADLS Gen2:

    https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model#how-permissions-are-evaluated

    If you're still having trouble, please provide more details about your setup and the exact error messages you're encountering so I can assist further. Thank you!

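The evaluation order the answer's point 1 and the linked article describe (RBAC first, ACLs only when no role grants the DataAction, and then `x` on every ancestor directory plus the bits the operation needs), as an added simulation that is not code from the original post or from Microsoft. The DataAction identifiers and the two built-in role names are real; the custom role name, the service principal object id and the directory layout are constructed for the example, and default ACLs, the ACL mask, owning user/group, the account superuser and ABAC conditions are deliberately left out of the model.

```python
"""Simulation of how ADLS Gen2 decides a request (added example, not from
the original post). Order, per the access-control-model article:
  1. Azure RBAC: if an assigned role grants the DataAction, allow; ACLs are
     never evaluated.
  2. Otherwise ACLs: 'x' on every ancestor directory (container root
     included) plus the bits the operation needs on the parent or target.
Default ACLs, mask, owner/group, superuser and ABAC conditions are omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Real DataAction identifiers for blob read and write.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

# Built-in roles reduced to the DataActions that matter here, plus a
# hypothetical custom role like the one in the question (Reader clone, no write).
ROLE_DATA_ACTIONS: Dict[str, Set[str]] = {
    "Storage Blob Data Reader": {BLOB_READ},
    "Storage Blob Data Contributor": {BLOB_READ, BLOB_WRITE},
    "Custom Reader Clone": {BLOB_READ},
}

# operation -> (DataAction for the RBAC check, bits needed on the parent
#               directory, bits needed on the target itself)
OPERATIONS: Dict[str, Tuple[str, str, str]] = {
    "read_file":   (BLOB_READ,  "",   "r"),
    "append_file": (BLOB_WRITE, "",   "w"),
    "create_file": (BLOB_WRITE, "wx", ""),   # target does not exist yet
}


@dataclass
class Principal:
    object_id: str
    roles: Set[str] = field(default_factory=set)  # assigned at container scope


class FileSystem:
    """ACL store: path -> {principal object id or 'other': 'rwx'-style bits}."""

    def __init__(self) -> None:
        self.acls: Dict[str, Dict[str, str]] = {}

    def set_acl(self, path: str, entries: Dict[str, str]) -> None:
        self.acls[path] = dict(entries)

    def bits(self, path: str, object_id: str) -> str:
        entries = self.acls.get(path, {})
        return entries.get(object_id, entries.get("other", "---"))


def ancestors(path: str) -> List[str]:
    """Directories from the container root down to the parent of path."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"]
    for i in range(1, len(parts)):
        dirs.append("/" + "/".join(parts[:i]))
    return dirs


def evaluate(fs: FileSystem, who: Principal, op: str, path: str) -> Tuple[bool, str]:
    action, parent_bits, target_bits = OPERATIONS[op]
    # Step 1: RBAC. A matching DataAction grants access and ends evaluation.
    for role in sorted(who.roles):
        if action in ROLE_DATA_ACTIONS.get(role, set()):
            return True, f"allowed by RBAC role {role!r}; ACLs not evaluated"
    # Step 2: ACLs. Traversal needs 'x' on every ancestor, root included.
    dirs = ancestors(path)
    for d in dirs:
        if "x" not in fs.bits(d, who.object_id):
            return False, f"denied by ACL: no 'x' on ancestor {d!r}"
    parent = dirs[-1]
    for b in parent_bits:
        if b not in fs.bits(parent, who.object_id):
            return False, f"denied by ACL: no {b!r} on parent {parent!r}"
    for b in target_bits:
        if b not in fs.bits(path, who.object_id):
            return False, f"denied by ACL: no {b!r} on {path!r}"
    return True, "allowed by ACL"


def demo() -> Dict[str, bool]:
    """Constructed scenario mirroring the question; returns case -> decision."""
    sp = "11111111-2222-3333-4444-555555555555"  # made-up service principal id
    fs = FileSystem()
    fs.set_acl("/",        {sp: "--x", "other": "---"})  # traverse only at root
    fs.set_acl("/landing", {sp: "-wx", "other": "---"})  # the intended drop dir
    fs.set_acl("/secure",  {sp: "---", "other": "---"})  # must stay closed
    reader = Principal(sp, {"Custom Reader Clone"})
    contributor = Principal(sp, {"Storage Blob Data Contributor"})
    results = {
        "reader_create_landing": evaluate(fs, reader, "create_file", "/landing/batch1.csv")[0],
        "reader_create_secure":  evaluate(fs, reader, "create_file", "/secure/batch1.csv")[0],
        "contrib_create_secure": evaluate(fs, contributor, "create_file", "/secure/batch1.csv")[0],
    }
    # Same -wx on /landing, but no 'x' on the container root: every
    # directory-level grant below the root becomes unreachable.
    fs.set_acl("/", {sp: "---", "other": "---"})
    results["reader_create_landing_no_root_x"] = evaluate(fs, reader, "create_file", "/landing/batch1.csv")[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {'ALLOW' if ok else 'DENY'}")
```

The contributor case reproduces the behaviour the question reports: once a role assignment grants the write DataAction, the ACL on `/secure` is never consulted. The last case is the check to run first when a read-only role plus a `-wx` ACL still yields denials: the target directory's ACL is irrelevant if any ancestor, the container root included, lacks `x` for the principal.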
