Configure anonymously accessible Azure Data Lake Gen 2

Question

Configure anonymously accessible Azure Data Lake Gen 2

My requirement is to create a Data Lake that is publicly accessible from the internet, in the context of proactive data disclosure.

I create an Storage Account and uploaded a file.

The URL to the file's blob is publicly accessible from a browser, e.g.:

https://<storageaccount>.blob.core.windows.net/<container>/<file>

However, the DFS url to the same file, e.g:

https://<storageaccount>.dfs.core.windows.net/<container>/<file>

Returns an error:

{"error":{"code":"AuthenticationFailed","message":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:...\nTime:..."}}

Ultimately, I would like anyone outside the organization to create Power BI reports connecting to this data lake, following the steps here: https://learn.microsoft.com/en-us/power-query/connectors/datalakestorage

The article prerequisite is:

You are granted one of the following roles for the storage account: Blob Data Reader, Blob Data Contributor, or Blob Data Owner.

Is there a way to grant "Blob Data Reader" to "everyone"/anonymous users?

MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-09T17:25:42.54+00:00

Hello @Jean-Luc Montreuil
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet .In case if you have any resolution please do share that same with the community as it can be helpful to others . Otherwise, will respond back with the more details and we will try to help .
Thanks
Jean-Luc Montreuil 1 Reputation point

2022-02-09T19:37:05.567+00:00

Hi @MartinJaffer-MSFT

I confirmed that the Public Access was already set to "Container".
I can access individual blobs within the data lake from a browser, but I still can't connect to it using the Power BI Azure Data Lake Gen 2 connector.

I can provide the link, if needed, this is just test data.
MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-10T17:09:38.007+00:00

A bit of clarification, @Jean-Luc Montreuil .

Azure Data Lake Gen2 only applies if the storage account has "Hierarchical Namespace" enabled. This is what differentiates Azure Blob Storage from Azure Data Lake Gen2.

The .blob.core.windows.net indicated Azure Blob Storage, while dfs.core.windows.net indicates Azure Data Lake Gen2.

Both use the same RBAC.

At the bottom of the document you linked, in the troubleshooting section, it mentions :

Currently, in Power Query Online, the Azure Data Lake Storage Gen2 connector only supports paths with container, and not subfolder or file. For example, https://<accountname>.dfs.core.windows.net/<container> will work, while https://<accountname>.dfs.core.windows.net/<container>/<filename> or https://<accountname>.dfs.core.windows.net/<container>/<subfolder> will fail.

I'm not certain if or how this would relate to your situation as I am not a Power Query Online user.
Jean-Luc Montreuil 1 Reputation point

2022-02-14T12:59:34.843+00:00

I have selected "Hierarchical Namespace" when creating the storage account.

My issue is that if I use a URL like:

mystorageaccount.dfs.core.windows.net/mycontainer

I get a permission denied error in Power BI and the browser. Is Azure Data Lake Gen 2 not compatible with public access?
MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-22T20:50:48.543+00:00

I could understand a permission error from PowerBI, as it is a complex application and may have some quirks I am not familiar with. However, a simple web browser should not get any error message.

There is one thing that comes to mind. Being able to list the contents of a folder is fundamentally a different action than reading a blob. This difference could be the source of the error. In this case the ACLs (of the folder) should give eXecute permission to Others. The execute permission is associated with the ability to list contents of a folder. The 'Other' refers to anyone not the file/folder owner, and not in the associated group.

@ JeanLucMontreuil-4856

MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-09T17:25:42.54+00:00

Hello @Jean-Luc Montreuil
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet .In case if you have any resolution please do share that same with the community as it can be helpful to others . Otherwise, will respond back with the more details and we will try to help .
Thanks
Jean-Luc Montreuil 1 Reputation point

2022-02-09T19:37:05.567+00:00

Hi @MartinJaffer-MSFT

I confirmed that the Public Access was already set to "Container".
I can access individual blobs within the data lake from a browser, but I still can't connect to it using the Power BI Azure Data Lake Gen 2 connector.

I can provide the link, if needed, this is just test data.
MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-10T17:09:38.007+00:00

A bit of clarification, @Jean-Luc Montreuil .

Azure Data Lake Gen2 only applies if the storage account has "Hierarchical Namespace" enabled. This is what differentiates Azure Blob Storage from Azure Data Lake Gen2.

The .blob.core.windows.net indicated Azure Blob Storage, while dfs.core.windows.net indicates Azure Data Lake Gen2.

Both use the same RBAC.

At the bottom of the document you linked, in the troubleshooting section, it mentions :

Currently, in Power Query Online, the Azure Data Lake Storage Gen2 connector only supports paths with container, and not subfolder or file. For example, https://<accountname>.dfs.core.windows.net/<container> will work, while https://<accountname>.dfs.core.windows.net/<container>/<filename> or https://<accountname>.dfs.core.windows.net/<container>/<subfolder> will fail.

I'm not certain if or how this would relate to your situation as I am not a Power Query Online user.
Jean-Luc Montreuil 1 Reputation point

2022-02-14T12:59:34.843+00:00

I have selected "Hierarchical Namespace" when creating the storage account.

My issue is that if I use a URL like:

mystorageaccount.dfs.core.windows.net/mycontainer

I get a permission denied error in Power BI and the browser. Is Azure Data Lake Gen 2 not compatible with public access?
MartinJaffer-MSFT 25,571 Reputation points Microsoft Employee

2022-02-22T20:50:48.543+00:00

I could understand a permission error from PowerBI, as it is a complex application and may have some quirks I am not familiar with. However, a simple web browser should not get any error message.

There is one thing that comes to mind. Being able to list the contents of a folder is fundamentally a different action than reading a blob. This difference could be the source of the error. In this case the ACLs (of the folder) should give eXecute permission to Others. The execute permission is associated with the ability to list contents of a folder. The 'Other' refers to anyone not the file/folder owner, and not in the associated group.

@ JeanLucMontreuil-4856

Answer 1

Hello @Jean-Luc Montreuil and welcome to Microsoft Q&A.

As I understand the ask, you want to make some blobs publicly accessible.

Depending upon how far you want to go, you could set the entire container to be publicly accessible. You can do this by going to the container listing, and after selecting one or more containers, clicking "Change Access Level". See picture.

Specifies whether data in the container may be accessed publicly. By default, container data is private to the account owner. Use 'Blob' to allow public read access for blobs. Use 'Container' to allow public read and list access to the entire container.

The difference between these modes, is whether you will allow someone to "navigate" or "browse" (container mode). When set to 'Blob' mode, the user must know the exact url.

This would be the easiest way, however if there are some items in the container you want to keep private, additional action must be taken.

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how

Configure anonymously accessible Azure Data Lake Gen 2

1 answer

Activity