ADLS Gen2 --> folder-level ACL

Published 2025-01-11 00:18:24  Characters 580  Views 0  Comments 0


I have a question regarding permissions for ADLS Gen2

short description:
I have a Gen2 storage account and created a container.

Folder Structure looks something like this

StorageAccount1
  --->Container1
       --->Folder1
          --->Files 1....n

Also I have a service principal from a customer..
Now I have to provide the customer write-only permission to only Folder1 (should not be able to delete files inside Folder1)

I have assigned the service principal the below permissions in the Access control list

Container1 --> Execute    
Folder1 --> Write , Execute

with this the customer can now put data into this Folder1.. but how do I prevent him from deleting any files inside it? (I don't want to use SAS)
Or is there any other way other than ACL?

Please help :)

ACL for ADLSgen2


Comments (1)

落在眉间の轻吻 2025-01-18 00:18:24


Please check if the below works.

  • ACLs are the way to control access applied at the file and
    folder level, unlike other mechanisms, which work at the container level.
  • Best practice is to always restrict access using Azure RBAC
    at the storage account/container level. Azure RBAC has several built-in
    roles that you can assign to users, groups, service principals, and
    managed identities, and then combine with ACLs for more restrictive
    control at the file and folder level.

Ex: Storage Blob Data Contributor has read/write/delete permission. Assign an Azure role

  • If the built-in roles don't meet the specific needs of your
    organization, you can create your own Azure custom roles.

Reference

To assign roles, you must be assigned a role that has role assignments write permission, such as Owner or User Access Administrator, at the scope at which you are trying to assign the role.

To create a custom role with customized permissions:

Create a new file C:\CustomRoles\customrole1.json like the example below. The ID should be set to null on initial role creation, as a new ID is generated automatically.

{
  "Name": "Restrict user from  delete operation on Storage",
  "ID": null,
  "IsCustom": true,
  "Description": "This role will restrict the user from delete operation on the storage account. However, customer will be able to see the storage account, container, blob.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/dxxxx7-xxxx"
  ]
}

Using the above role definition, run the PowerShell command below to create the custom role:

New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"

See the references below for details.

  1. How to restrict the user from upload/download or delete blob in
    storage account - Microsoft Tech Community
  2. Azure built-in roles - Azure RBAC | Microsoft Docs

Also try to enable soft delete to recover from delete actions if the role has delete permissions.

Though you mentioned not to use it, just in case: a shared access signature (SAS) can be used to restrict access to a blob container or an individual blob. A folder in blob storage is virtual and not a real folder. You may refer to the suggestion mentioned in this article.

References

  1. permissions-are-required-to-recursively-delete-a-directory-and-its-contents
  2. Cannot delete blobs from ADLS gen2 when connected via Private Endpoint - Microsoft Q&A
  3. Authorize with Azure Active Directory (REST API) - Azure Storage | Microsoft Docs
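Added example (not code from the question or the answer): a small model of how Azure combines the answer's custom role with the question's ACL, assuming the documented evaluation order (role assignment first, ACL only when the role did not grant the operation) and the ADLS Gen2 rule that deleting or creating a file needs W+X on its parent directory. The trimmed role JSON, the ACL sets and the file path are constructed for the example.

```python
import fnmatch
import json
from posixpath import dirname

# Constructed: the answer's role, trimmed to the data-plane entries this check needs.
ROLE = json.loads("""{
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"]
}""")
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
DELETE_BLOB, WRITE_BLOB = BLOBS + "delete", BLOBS + "write"

def rbac_allows(role, action):
    """Azure role semantics: granted if a DataActions pattern matches and no
    NotDataActions pattern matches ('*' wildcards, case-insensitive).
    NotDataActions only subtracts from this role; it is not a deny."""
    act = action.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(act, p.lower()) for p in pats)
    return hit(role.get("DataActions", [])) and not hit(role.get("NotDataActions", []))

def acl_allows(acl, path, op):
    """ADLS Gen2 ACL rules: X on every ancestor to traverse; create or delete
    of a file needs W+X on the parent directory (the file's own ACL does not
    matter for delete); writing an existing file needs W on the file itself."""
    parent = dirname(path)
    chain, d = [], parent
    while d not in ("", "/"):
        chain.append(d)
        d = dirname(d)
    chain.append("/")
    if not all("x" in acl.get(d, set()) for d in chain):
        return False
    target = parent if op in ("create", "delete") else path
    return "w" in acl.get(target, set())

def can(role, acl, path, op):
    """Evaluation order: the role is checked first; the ACL is consulted only
    when the role did not grant the operation."""
    action = DELETE_BLOB if op == "delete" else WRITE_BLOB
    return rbac_allows(role, action) or acl_allows(acl, path, op)

# The question's ACL: Container1 --> Execute, Folder1 --> Write, Execute
QUESTION_ACL = {"/": {"x"}, "/Folder1": {"w", "x"}}
# Traversal-only ACL: creates come from the role, the ACL hands nothing back
TRAVERSE_ONLY_ACL = {"/": {"x"}, "/Folder1": {"x"}}
```

Run `can(ROLE, QUESTION_ACL, "/Folder1/f.txt", "delete")` against `can(ROLE, TRAVERSE_ONLY_ACL, "/Folder1/f.txt", "delete")` to see that the role without delete only helps when the folder ACL does not grant W as well.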