Write Access for Azure Data Lake Gen 2 Container

Rohit Sharma 21 Reputation points
2020-09-14T08:12:14.177+00:00

Hi,

I have an Azure Data Lake Gen 2 Storage Account. I have created multiple containers inside it, say A, B & C. Now, I want to control access for files & folders for the respective containers.
I have tried giving the following access -

  • Storage Account Level - Reader Access to User U1
  • Container Level - Contributor Access to User U1 for Container C
  • ACL - No changes made

My expectation is that User U1 will be able to create folders & files in Container C, but will only be able to read files in Containers A & B and will not be able to modify the folders & files in those containers.

However, this is not working.

My user can see the files & folders in Container C, but can not modify them.

What am I doing wrong?

Please advise

Rohit


Accepted answer
    PRADEEPCHEEKATLA-MSFT 81,391 Reputation points Microsoft Employee
    2020-09-14T09:08:03.703+00:00

    Hello @Rohit Sharma,

    Welcome to Microsoft Q&A platform.

    Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.
    Access to blob or queue data in the Azure portal can be authorized using either your Azure AD account or the storage account access key. For more information, see Use the Azure portal to access blob or queue data.

    Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:

    • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
    • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
    • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
    • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
    • Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
    • Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
    • Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
    • Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.

    To understand more in detail, you may go to Storage Account => Access Control (IAM) => Roles => Click on (…) => Permissions

    [Image: 24448-adls-gen2-reader.jpg]

    Checkout permissions for Reader:

    [Image: 24380-adls-gen2-reader-permissions.jpg]

    Checkout permissions for Storage Blob Data Contributor:

    [Image: 24330-adlsgen2-sbco.png]

    Hope this helps. Do let us know if you have any further queries.

    ----------------------------------------------------------------------------------------

    Do click on "Accept Answer" and Upvote on the post that helps you; this can be beneficial to other community members.
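
The distinction the answer draws (control-plane roles such as Reader and Contributor versus the data-plane "Storage Blob Data" roles) can be checked with a small model of how Azure RBAC evaluates a blob data operation. This is an added example, not code from the thread or from Microsoft: the role definitions are abridged to the actions relevant here, the resource IDs are constructed, and ADLS Gen2 ACLs and access-key (portal fallback) access are deliberately left out.

```python
# Added example: model Azure RBAC evaluation of blob data operations.
# Role definitions are abridged; only 'dataActions' ever authorise blob data access.
from fnmatch import fnmatchcase

CONTAINERS = "Microsoft.Storage/storageAccounts/blobServices/containers"
BLOB_READ, BLOB_WRITE = CONTAINERS + "/blobs/read", CONTAINERS + "/blobs/write"

ROLES = {
    "Reader": {"actions": ["*/read"], "dataActions": []},          # control plane only
    "Contributor": {"actions": ["*"], "dataActions": []},          # control plane only
    "Storage Blob Data Reader": {
        "actions": [CONTAINERS + "/read"],
        "dataActions": [BLOB_READ],
    },
    "Storage Blob Data Contributor": {
        "actions": [f"{CONTAINERS}/{a}" for a in ("read", "write", "delete")],
        "dataActions": [BLOB_READ, BLOB_WRITE, CONTAINERS + "/blobs/delete"],
    },
}

# Constructed resource ID for the storage account (placeholder subscription/group).
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
           "/providers/Microsoft.Storage/storageAccounts/adlsgen2")

def container_scope(name):
    return f"{ACCOUNT}/blobServices/default/containers/{name}"

def allowed(assignments, scope, data_action):
    """True if an assignment whose scope contains `scope` lists a matching dataAction.
    Assignments inherit downward: an account-scope role covers every container."""
    for role, assigned_scope in assignments:
        if scope != assigned_scope and not scope.startswith(assigned_scope + "/"):
            continue  # assignment is for an unrelated or narrower scope
        if any(fnmatchcase(data_action, p) for p in ROLES[role]["dataActions"]):
            return True
    return False

def effective_access(assignments, containers=("A", "B", "C")):
    """Per-container set of blob data operations the principal may perform."""
    return {c: {op for op, action in (("read", BLOB_READ), ("write", BLOB_WRITE))
                if allowed(assignments, container_scope(c), action)}
            for c in containers}

# What the question assigned: control-plane roles at account and container scope.
AS_ASKED = [("Reader", ACCOUNT), ("Contributor", container_scope("C"))]
# The same scopes with the data-plane roles the answer lists.
CORRECTED = [("Storage Blob Data Reader", ACCOUNT),
             ("Storage Blob Data Contributor", container_scope("C"))]

if __name__ == "__main__":
    print("as asked: ", effective_access(AS_ASKED))   # every container: set()
    print("corrected:", effective_access(CORRECTED))  # A, B: {'read'}; C: {'read', 'write'}
```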

