In ADLS, when using the DataLakeServiceClient, does every user have access to view the ACL for each directory?

Luke 20 Reputation points
2024-03-04T20:08:45.07+00:00

Hello,

I'm working on an application that needs to replicate ADLS access controls which are configured by Access Control Lists. I'm using the Python SDK with the InteractiveBrowserCredential class to authenticate a user through their Azure account. The user then requests access to a directory in Azure Data Lake Storage. The application uses the InteractiveBrowserCredential to create a DataLakeServiceClient which then creates a directory client for the requested directory.

To check whether the user has access to the requested directory, my application uses directory_client.get_access_control() to get the access control list of the directory and then parses the list to make sure the authenticated user has read access to the directory, at which point they can use the application as needed.

My question is: Should it be expected that every user can get the access control list of each directory in the Data Lake Storage bucket even if they don't have read access to the objects in that directory? From my testing this appears to be true, but I just want to make sure my understanding is correct or if I've somehow misconfigured the security settings on my ADLS setup.


Accepted answer
  1. Amrinder Singh 2,195 Reputation points Microsoft Employee
    2024-03-05T07:06:30.9933333+00:00

    Hi @Luke - Thanks for posting your question in here.

    In the POSIX-style model used by Data Lake Storage Gen2, the access control lists (ACLs) for an item are stored on the item itself. Therefore, in order to retrieve the access control list of a directory, a user would need to have read access to that directory. If a user does have read access on the directory, they would ideally be able to retrieve the access control list for that directory.

    So, I believe this is correct, i.e. the user will be able to call that method to view the ACL; however, unless they are part of the owner and owning group, they won't be able to make any updates to that. This could also be because, internally too, the call would be made to check whether a user has permission to perform a particular operation further or not.

    Hope this helps!


1 additional answer

  1. Anand Prakash Yadav 6,005 Reputation points Microsoft Vendor
    2024-03-05T11:12:13.8366667+00:00

    Hello Luke,

    Thank you for posting your query here!

    Adding on to the previous response, in the POSIX-style model used by Azure Data Lake Storage Gen2, the Access Control Lists (ACLs) for an item are stored on the item itself. Therefore, a user would need to have read access to a directory to retrieve the ACL for that directory.

    Being able to view the ACL does not necessarily mean the user can modify it. Only the owner of the directory or members of the owning group (who have been granted the necessary permissions) can modify the ACL.

    So, while a user can call the get_access_control() method to view the ACL, they would need additional permissions to update it. This is part of the security model of Azure Data Lake Storage Gen2, which is designed to provide fine-grained access control and prevent unauthorized modifications.

    Your application seems to be correctly using these principles to check whether a user has permission to perform a particular operation. Kindly note that it's always a good practice to follow the principle of least privilege, granting users only the permissions they need to perform their tasks.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
