SanjayKrishna-6679 asked:

Azure: couldn't assign ACL permissions to a user at directory level

I am trying to add another user to the directory 'grandfather/', which is in the container 'container1'. I have the Owner role and the Storage Blob Contributor role at the subscription and storage account level, and the other user has the same permissions as me on the subscription (Owner) and the storage account (Blob Contributor). I have rwx permissions on the directory 'grandfather/', but I still couldn't add the other user to the 'grandfather/' directory.
Pasting some images for a clearer understanding (image.png, image1.png attached).

I am using the script below to add a user to directory-level permissions using the ACL feature in ADLS Gen2. However, I am facing some issues.

```powershell
# Storage context that authenticates with the signed-in Azure account (Entra ID / OAuth).
# -UseConnectedAccount makes that explicit; a key or SAS context would bypass RBAC/ACL checks.
$ctx = New-AzStorageContext -StorageAccountName "vdsve" -UseConnectedAccount
$ctx.StorageAccountName

# Get the original ACL of the directory
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem "container1" -Path 'grandfather/').ACL

# Update the permission of an ACL entry (if no entry with the same
# AccessControlType/EntityId/DefaultScope exists, a new one is added;
# otherwise the permission of the existing entry is updated)
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId 5dc9dc7e-359d-4dd0-81b0-5d47c26b4969 -Permission "rw-" -InputObject $acl

# Write the new ACL back to the directory
Update-AzDataLakeGen2Item -Context $ctx -FileSystem "container1" -Path 'grandfather/' -Acl $acl
```



Error:

```
This request is not authorized to perform this operation using this permission. RequestId:41b245b6-e01f-0012-4379-b130d7000000
Time:2021-09-24T19:25:19.6219270Z Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
Headers: Server: Windows-Azure-HDFS/1.0,Microsoft-HTTPAPI/2.0 x-ms-error-code: AuthorizationPermissionMismatch
x-ms-request-id: 41b245b6-e01f-0012-4379-b130d7000000 x-ms-version: 2020-04-08 x-ms-client-request-id: 0aaa8de1-65bb-4f75-9365-0a5fc3e0feb6
Date: Fri, 24 Sep 2021 19:25:19 GMT Content-Length: 227 Content-Type: application/json; charset=utf-8
```


Tags: azure-storage-accounts, azure-blob-storage

1 Answer

PierreLucGiguere-5297 answered:

Hi,

You need to be "Storage Blob Data Owner" on the storage account.

I can't remember where I read this, but it was something like:

"Unlike other areas in Azure, the Owner permissions don't implicitly give you access to these 'lower level' permissions."

Let me know if it fixes your problem and don't forget to mark the answer if it did.

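The point of the answer above is the split between Azure control-plane roles (Owner, Contributor, which govern the storage account resource) and data-plane roles (Storage Blob Data Owner/Contributor/Reader, which govern the blobs themselves). When a request is authorised with an Entra ID token, changing an ADLS Gen2 ACL is a data-plane operation that needs the `modifyPermissions` data action, which only Storage Blob Data Owner carries (the POSIX owning user of the directory can also change its ACL without that role). The following PowerShell script is an added example, not code from the thread: it checks which data-plane roles the signed-in user holds at the storage account scope, including roles inherited through group membership, and only then applies the ACL change. The subscription id and resource group are placeholders you must replace; the account, container, path and target object id are taken from the question.

```powershell
# Added example (not from the original thread). Requires Az.Accounts, Az.Resources, Az.Storage
# and an existing Connect-AzAccount session.
param(
    [string]$SubscriptionId = "00000000-0000-0000-0000-000000000000",   # assumption: replace
    [string]$ResourceGroup  = "rg-example",                              # assumption: replace
    [string]$AccountName    = "vdsve",                                   # from the question
    [string]$FileSystem     = "container1",                              # from the question
    [string]$Path           = "grandfather/",                            # from the question
    [string]$TargetObjectId = "5dc9dc7e-359d-4dd0-81b0-5d47c26b4969"     # from the question
)

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Resource-manager scope of the storage account. Role assignments made here, or at the
# resource group / subscription above it, are inherited by every container in the account.
$accountScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                "/providers/Microsoft.Storage/storageAccounts/$AccountName"

# Who am I, as seen by Azure RBAC?
$signInName = (Get-AzContext).Account.Id

# All assignments for this user visible at the account scope (direct and inherited).
# -ExpandPrincipalGroups also returns roles granted via Entra ID groups the user belongs to.
$assignments = Get-AzRoleAssignment -Scope $accountScope -SignInName $signInName -ExpandPrincipalGroups

$controlPlane = @('Owner', 'Contributor')
$dataPlane    = @('Storage Blob Data Owner', 'Storage Blob Data Contributor', 'Storage Blob Data Reader')

$heldControl = $assignments | Where-Object { $_.RoleDefinitionName -in $controlPlane } |
               Select-Object -ExpandProperty RoleDefinitionName -Unique
$heldData    = $assignments | Where-Object { $_.RoleDefinitionName -in $dataPlane } |
               Select-Object -ExpandProperty RoleDefinitionName -Unique

Write-Host "Control-plane roles held: $(if ($heldControl) { $heldControl -join ', ' } else { '(none)' })"
Write-Host "Data-plane roles held:    $(if ($heldData)    { $heldData    -join ', ' } else { '(none)' })"

if ($heldData -notcontains 'Storage Blob Data Owner') {
    Write-Warning "Owner/Contributor on the subscription or account does not authorise data-plane calls."
    Write-Warning "Setting an ACL needs 'Storage Blob Data Owner' (Data Contributor can read/write data but not change ACLs)."
    Write-Warning "After New-AzRoleAssignment, allow a few minutes for propagation and sign in again to pick up a fresh token."
    # To grant it to yourself (needs Owner or User Access Administrator at this scope), uncomment:
    # New-AzRoleAssignment -SignInName $signInName -RoleDefinitionName 'Storage Blob Data Owner' -Scope $accountScope
    return
}

# Entra ID (OAuth) context: RBAC and ACLs are evaluated. A key-based context would skip both.
$ctx = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount

$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $FileSystem -Path $Path).ACL

# On a directory, 'x' is what allows the user to traverse and list it; 'rw-' alone will not
# let them see the contents. Access entry for the directory itself:
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $TargetObjectId `
        -Permission "rwx" -InputObject $acl
# Default entry so that files and subdirectories created later inherit the same grant:
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $TargetObjectId `
        -Permission "rwx" -DefaultScope -InputObject $acl

Update-AzDataLakeGen2Item -Context $ctx -FileSystem $FileSystem -Path $Path -Acl $acl

# Read the ACL back to confirm the entries landed
(Get-AzDataLakeGen2Item -Context $ctx -FileSystem $FileSystem -Path $Path).ACL |
    Format-Table AccessControlType, EntityId, Permissions, DefaultScope
```

Storage Blob Data Owner at the account level lets the holder change ownership and permissions on every path in every container, so for least privilege assign it at the container scope instead (`$accountScope/blobServices/default/containers/$FileSystem`) or, where the task is only to manage one tree, make the administering user the POSIX owner of that directory and leave the RBAC role out entirely. The target user in the ACL entry still needs a data-plane role (Storage Blob Data Reader is enough) or at least `x` on every parent directory for the ACL grant to be usable at all.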

No, I have tried that, @PierreLucGiguere-5297. It is not helping me. I have assigned the storage blob owner role, and I even gave the other (target) user the storage blob owner role as well.

(image.png attached)

Hi Sanjay,

Sorry to read it didn't work. I finally stumbled upon the documentation I wanted to refer you to:

[...] explicitly assign the Storage Blob Data Contributor role to the user account under which you will run the [...] code.

ref: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#net-code-example-create-a-block-blob

Looks like I gave you the wrong role.