SFTP USER PERMISSION

yildiray 0 Reputation points
2024-11-27T13:42:04.72+00:00

Question 1:

"I have configured Azure SFTP with a username and password for a specific container. Is it possible to restrict this user to only see certain files within the container while preventing access to other files in the same container? If yes, how can I configure these permissions?"


Question 2:

"I want a single SFTP user to access multiple containers in Azure Storage. I gave the user full permissions to all containers and set the Home Directory to /. However, I cannot connect using FileZilla—it fails to connect. How can I configure an SFTP user to access all containers and resolve the connection issue with FileZilla?"


2 answers

  1. Vinod Kumar Reddy Chilupuri 1,600 Reputation points Microsoft Vendor
    2024-11-27T16:23:51.4766667+00:00

    Hi @yildiray

    Welcome to Microsoft Q&A, thanks for posting your query.
    Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources.
    Question 1:

    Yes, you can restrict an Azure SFTP user to access only specific files in a container. To do this, you’ll need to use Azure Role-Based Access Control (RBAC) and configure Access Control Lists (ACLs) for the files in the container.

    You can follow the steps below:

    Assign the "Storage Blob Data Reader" role to the user at the storage account level to provide basic read access. 

    Then, configure ACLs for specific files by navigating to the container in the Azure portal, selecting a file, and setting permissions using Access Control Lists (ACLs). Grant read or write access only for that user on specific files and restrict access to other files by not assigning permissions.

    Please follow the below documentation:

    What is Azure role-based access control (Azure RBAC)? | Microsoft Learn

    https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#about-acls


    Question 2:

    To allow an SFTP user to access multiple containers and resolve the FileZilla issue, you can assign the "Storage Blob Data Contributor" role to the SFTP user for all the containers they need access to and set the Home Directory to "/" in Azure SFTP settings. This will allow them to access all containers directly from the root folder.

    If you are facing issues with FileZilla, you can verify that you are using the correct SFTP connection details, such as hostname, username, and password.
    FileZilla sometimes struggles with root-level access ("/") for Azure SFTP, so you can try specifying a direct container as the initial path (e.g., /containername) in FileZilla’s advanced settings.

    For more information on how to set up Azure SFTP, you can follow the Microsoft documentation

    https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?tabs=azure-portal

    Please feel free to contact if the issue persists, we will be glad to assist you closely. Please do consider clicking on "Accept Answer" and "Up-vote" on the post that helps you, as it can be beneficial to other community members.


  2. Sina Salam 13,371 Reputation points
    2024-11-27T17:39:54.75+00:00

    Hello yildiray,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you want clarity about SFTP USER PERMISSION.

    Regarding your question 1: Restricting an Azure SFTP user to access only specific files in a container.

    Azure SFTP does not natively support restricting access to individual files within a single container. However, the following approaches can help you achieve file-level isolation effectively:

    1. Move Files to Separate Containers:
    • Organize files into separate containers based on their access requirements.
    • Assign appropriate RBAC roles (e.g., "Storage Blob Data Reader") to the SFTP user for specific containers. This ensures the user can only access the containers they are permitted to use.

    Steps to Assign Roles:

    • Navigate to the Azure Portal.
    • Open the target storage account and go to Access Control (IAM).
    • Assign the "Storage Blob Data Reader" role to the user for specific containers.

    Learn more about RBAC: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

    2. Use SAS Tokens: If SFTP is not mandatory, generate SAS tokens to provide granular access to specific files or containers. This method is highly flexible and suitable for non-SFTP clients like Azure Storage Explorer or API-based tools.

    Steps to Generate SAS Tokens:

    • In the Azure Portal, navigate to the storage account.
    • Select Shared Access Signature under Security + Networking.
    • Specify permissions (e.g., read or write), the target file, and expiration date.
    • Use the generated SAS token to grant access securely.

    NOTE: Why ACLs are not suitable: Access Control Lists (ACLs) apply to Azure Data Lake Storage Gen2 accounts and are not compatible with Azure SFTP. Azure SFTP access relies on RBAC roles for permission management, making ACLs irrelevant for this scenario.

    Regarding your question 2: Allowing an SFTP user to access multiple containers and resolving FileZilla connection issues.

    Azure SFTP supports access to multiple containers, but users must specify the target container explicitly as part of their connection string. Follow these steps to enable access and troubleshoot connection issues:

    1. Enable Access to Multiple Containers:
    • Assign the "Storage Blob Data Contributor" role to the user at the storage account level to grant access to all containers.
    • Alternatively, assign the same role to individual containers if more granular access is needed.

    Steps to Assign the Role:

    • Go to the Azure Portal.
    • Navigate to the storage account's Access Control (IAM).
    • Add a role assignment and select "Storage Blob Data Contributor" or "Storage Blob Data Reader" for the user.
    2. Configure FileZilla for Azure SFTP:
    • Host: Use the format sftp://<storage_account_name>.blob.core.windows.net.
    • Username: Use the format <container-name>/<username> (e.g., container1/user1).
    • Password: Enter the SFTP password configured for the user.
    • Port: Set to 22.
    • Initial Path: In FileZilla, specify the target container as the initial directory in "Site Manager" > "Advanced" (e.g., /containername).
    3. If FileZilla struggles with root-level navigation (/), ensure the following:
    • The SFTP user’s configuration is correct (username format, permissions, etc.).
    • Logs from FileZilla indicate the issue. Adjust settings based on errors.
    • Test with an initial path, e.g., /containername, to avoid navigation issues.
    4. If FileZilla continues to fail, try alternative tools like WinSCP or the SFTP command-line client, using the bash command:
       sftp <container-name>/<username>@<storage_account_name>.blob.core.windows.net

    Verify whether the issue is specific to FileZilla or to the Azure SFTP configuration.

    5. NOTES:
    • Azure SFTP does not support setting the home directory to / (root level) for navigating all containers. Each connection must specify a container explicitly.
    • Ensure the SFTP feature is enabled for the storage account in the Azure Portal under Secure Transfer settings.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

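Added example, not part of either answer above and not Microsoft's own code: a script that sets up an Azure Blob SFTP local user the way both answers describe (specific containers, a home directory, a login name for FileZilla or the sftp client), using the Azure CLI instead of the portal. Azure SFTP local users are authorized per container with a permission string built from r (Read), w (Write), l (List), d (Delete), c (Create), o (Modify Ownership) and p (Modify Permissions); a container the user has no scope on cannot be accessed by that user, so the practical way to expose only some files is the separate-container layout the second answer recommends. The SFTP login name is <account>.<container>.<user>, or <account>.<user> once a home directory (a container, or a path inside one) has been configured. The resource group, account, user and container names are placeholders; the az flags follow the Azure CLI reference for az storage account local-user as I know it, so confirm them with az storage account local-user create --help for your CLI version. When az is not on PATH the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not code from the Q&A thread). Creates an Azure Blob SFTP local
# user scoped to specific containers and derives the SFTP login name.
# All resource names are placeholders; override them via the environment.
set -eu

RG="${RG:-rg-sftp-demo}"
ACCOUNT="${ACCOUNT:-sftpdemoacct}"      # storage account with hierarchical namespace enabled
USER_NAME="${USER_NAME:-reportreader}"

# Without the Azure CLI on PATH, print the commands instead of running them.
if ! command -v az >/dev/null 2>&1; then DRY_RUN=1; fi

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Local-user permissions are granted per container as a string made of:
#   r Read  w Write  l List  d Delete  c Create  o Modify ownership  p Modify permissions
# There is no per-blob grant: the container is the smallest unit of access.
validate_perms() {        # validate_perms <perms>  -> 0 if only valid letters
  case "$1" in
    ""|*[!rwldcop]*) return 1 ;;
    *)               return 0 ;;
  esac
}

# Build the value of one --permission-scope argument.
scope_arg() {             # scope_arg <container> <perms>
  validate_perms "$2" || { echo "invalid permission string: $2" >&2; return 1; }
  printf 'permissions=%s service=blob resource-name=%s' "$2" "$1"
}

# Login name typed into FileZilla / sftp:
#   <account>.<container>.<user>  selects the container at login (no home directory needed)
#   <account>.<user>              lands in the user's configured home directory
sftp_login_name() {       # sftp_login_name <account> <user> [<container>]
  if [ -n "${3:-}" ]; then printf '%s.%s.%s' "$1" "$3" "$2"
  else printf '%s.%s' "$1" "$2"; fi
}

create_scoped_user() {
  run az storage account update -g "$RG" -n "$ACCOUNT" --enable-sftp true

  # Read+list on 'reports', read/write/list/create on 'uploads'; a third container
  # such as 'private' is simply not granted and is therefore not accessible.
  # $(scope_arg ...) is left unquoted on purpose: az expects separate key=value tokens.
  run az storage account local-user create \
      --account-name "$ACCOUNT" -g "$RG" -n "$USER_NAME" \
      --home-directory reports \
      --permission-scope $(scope_arg reports rl) \
      --permission-scope $(scope_arg uploads rwlc) \
      --has-ssh-password true

  # Azure generates the password and returns it once; capture it into a secret store.
  run az storage account local-user regenerate-password \
      --account-name "$ACCOUNT" -g "$RG" -n "$USER_NAME" --query sshPassword -o tsv
}

create_scoped_user
echo "Connect via home directory: sftp $(sftp_login_name "$ACCOUNT" "$USER_NAME")@$ACCOUNT.blob.core.windows.net"
echo "Or pick a container at login: sftp $(sftp_login_name "$ACCOUNT" "$USER_NAME" uploads)@$ACCOUNT.blob.core.windows.net"
```

In FileZilla the same login name goes in the User field, the host is <account>.blob.core.windows.net on port 22, and the password is the value returned by regenerate-password; if you do not set a home directory, use the <account>.<container>.<user> form so the session starts inside a container the user actually has a scope on.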
