Give read-write permissions on blob storage recursively using C#

Khandu Shinde 20 Reputation points
2023-03-28T09:00:16.3566667+00:00

I have a container in one of the data lakes. There are multiple folders in that container. Now I want to give specific access/permissions using C#. Basically, I have to create a function (webhook) which will give permissions to folders in the container. Is it feasible? If yes, then how?

sample input:

path=/container/folder1

group=custom_group

permission type = r-w

Thank you in advance.


Accepted answer
  1. Pramod Valavala 20,591 Reputation points Microsoft Employee
    2023-03-28T21:45:36.7+00:00

    @Khandu Shinde The official docs have code snippets on how you can set ACL of a directory and recursively as well. The newer classes seem to be PathAccessControl and PathAccessControlItem.

    When setting for a custom group, you need to set the Object ID GUID like this:

    group:<Group Object ID>:r--
    

    You could also set the entityId property as shown in the recursive example. Use an object like this:

    new PathAccessControlItem(
        AccessControlType.Group,
        RolePermissions.Read,
        false,
        entityId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // Group Object ID
    )
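
The recursive grant described in the accepted answer, applied to the question's sample input with the webhook's inputs validated first; this is an added example, not code from the answer or from the official docs. The `FolderAclGrant` class and its method names, the use of `DefaultAzureCredential` (Azure.Identity package) and the reading of `r-w` as read plus write are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;

public static class FolderAclGrant
{
    // Allow-list of permission types the webhook accepts (assumption: "r-w" = read + write).
    // Execute is included because listing or traversing a directory requires it.
    static readonly Dictionary<string, RolePermissions> Allowed = new()
    {
        ["r"] = RolePermissions.Read | RolePermissions.Execute,
        ["r-w"] = RolePermissions.Read | RolePermissions.Write | RolePermissions.Execute,
    };

    public static IList<PathAccessControlItem> BuildAcl(string groupObjectId, string permission)
    {
        if (!Guid.TryParse(groupObjectId, out Guid id))
            throw new ArgumentException("Group must be a Microsoft Entra object ID (GUID).");
        if (!Allowed.TryGetValue(permission, out RolePermissions perms))
            throw new ArgumentException("Unsupported permission type.");
        // Access-scope entry only: it covers items that exist now. Children created
        // later inherit from default-scope entries, which this example does not set.
        return new List<PathAccessControlItem>
        {
            new PathAccessControlItem(AccessControlType.Group, perms, false, entityId: id.ToString("D")),
        };
    }

    public static async Task<long> GrantAsync(Uri accountUri, string path, string groupObjectId, string permission)
    {
        // Expect "/container/folder[/sub]"; a bare container is refused so one request cannot re-ACL everything.
        string[] parts = path.Trim('/').Split('/', 2);
        if (parts.Length != 2 || parts[1].Length == 0)
            throw new ArgumentException("Path must be /container/folder.");
        var service = new DataLakeServiceClient(accountUri, new DefaultAzureCredential());
        DataLakeDirectoryClient dir =
            service.GetFileSystemClient(parts[0]).GetDirectoryClient(parts[1]);
        // Update merges into each item's existing ACL; SetAccessControlRecursive would replace it.
        AccessControlChangeResult result =
            await dir.UpdateAccessControlRecursiveAsync(BuildAcl(groupObjectId, permission));
        if (result.Counters.FailedChangesCount > 0)
            throw new InvalidOperationException($"{result.Counters.FailedChangesCount} paths were not updated.");
        return result.Counters.ChangedDirectoriesCount + result.Counters.ChangedFilesCount;
    }
}
```

The identity the function runs as must itself be permitted to change ACLs on the folder, for example through the Storage Blob Data Owner role, and the group also needs execute on each parent directory above the folder to reach it.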
    

1 additional answer

  1. Sedat SALMAN 13,170 Reputation points
    2023-03-28T19:55:39.8333333+00:00

    You can use the Azure.Storage.Blobs library instead of the Azure.Storage.Files.DataLake library:

    using Azure.Storage.Blobs;
    using Azure.Storage.Blobs.Models;
    using Azure.Storage.Sas;
    using System;
    // Set the connection string for the storage account
    string connectionString = "<your connection string>";
    // Set the container name and folder name
    string containerName = "<your container name>";
    string folderName = "<your folder name>";
    // Set the access level (e.g. "r" for read, "rw" for read and write)
    string accessLevel = "<your access level>";
    // Set the group name
    string groupName = "<your group name>";
    // Create a new blob service client using the connection string
    BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
    // Get the container client for the specified container name
    BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
    // Get the blob client for the specified folder name and create a Shared Access Signature (SAS)
    BlobClient blobClient = containerClient.GetBlobClient(folderName + "/");
    BlobSasBuilder sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = containerName,
        BlobName = folderName + "/",
        Resource = "c",
        ExpiresOn = DateTimeOffset.UtcNow.AddDays(1)
    };
    sasBuilder.SetPermissions(accessLevel);
    string sasToken = sasBuilder.ToSasQueryParameters(new Azure.Storage.StorageSharedKeyCredential("<your storage account name>", "<your storage account key>")).ToString();
    // Set the access policy for the folder using the SAS token
    BlobSignedIdentifier signedIdentifier = new BlobSignedIdentifier()
    {
        Id = groupName,
        AccessPolicy = new BlobAccessPolicy()
        {
            StartsOn = DateTimeOffset.UtcNow,
            ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
            Permissions = accessLevel
        }
    };
    containerClient.SetAccessPolicy(permissions: new BlobSignedIdentifier[] { signedIdentifier });
    Console.WriteLine($"Access granted for group {groupName} with access level {accessLevel} to folder {folderName} in container {containerName}.");