Want data lake architecture with SSO username passed through

    Question

  • I have a data lake with sensitive data.  I want to set up an SPN that has access to that data.  I then want users to get access by having their single-sign-on username passed through to the SPN account.  In this way:

    - the only access to the data is through the SPN.

    - we can monitor which users are accessing the data through the SSO username associated with that SPN connection.

    - As users increase, we simply increase the number of SPN connections

    This is very similar to the old mainframe model and relational systems.  Is there any way of passing through an SSO username to another AAD connection?

    Many thanks!


    Thursday, April 26, 2018 5:11 PM

All replies

  • Hi Beken - You can't do this within the Data Lake Store; file and folder access is provided based on the credentials with which you access the store.  You can provide access permissions to the store to as many service principals as you like (with a limit of 28 per file or folder), so if you wanted to do the user-to-SPN mapping in your app I suppose you could.

    What additional security are you trying to achieve via this method? 

    Friday, April 27, 2018 2:45 AM
  • We have publishers who put data in the lake.  They grant access to specific folders to a limited number of groups of users.  The publishers don't know the individuals in the groups, so they want the ability to kill the whole group's access easily, by simply revoking access to that group, rather than having to revoke access to individual folders/files that group has access to.

    They also want to know which groups are accessing their data, so that's why we need the group's "username" or SSO ID passed through.

    This method also adds an extra layer of security by not giving the groups direct access to the lake at all.  The ACL is controlled by a middle-tier list of tables/files that each group can access.  This mechanism also enables us to add row-level security on specific tables, based on the group's SSO ID.

    Hope this helps.

    Thanks

    Phil

    Friday, April 27, 2018 3:26 PM
  • Have you looked at using security groups?  You could delete the group to revoke access as well, or remove it from the Owners role if that's what you were doing with your service principal.  You can also easily add/remove individual users from the group without having to touch individual files/folders.  This way you don't need the pass-through of the user name either.

    Tuesday, May 1, 2018 8:22 PM
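The broker described in the question and in Phil's reply (the SPN is the only identity on the lake ACL, a middle-tier table says which group may read which files, row-level security is keyed on the group, every read is audited with the SSO username), together with the security-group membership route suggested in the reply above, as an added example that is not part of the original thread. The lake, the SPN object id, the group membership and the entitlement table are constructed in-memory stand-ins; nothing here calls Azure Data Lake Store or Azure AD.

```python
"""Broker pattern from the thread: users never hold lake credentials. One
service principal (SPN) is the only identity on the lake ACL; a middle tier
checks a publisher-owned entitlement table (group -> path -> row filter),
reads through the SPN, and audits every call with the caller's SSO username.

Added example, not code from the thread or from Azure. LAKE, SPN_OBJECT_ID,
the group membership and the entitlement table are constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Row = Dict[str, object]

# Constructed stand-in for the lake: path -> rows ('region' drives row-level security).
LAKE: Dict[str, List[Row]] = {
    "/publisher-a/sales/2018": [
        {"region": "EMEA", "amount": 120},
        {"region": "APAC", "amount": 80},
    ],
    "/publisher-b/hr/salaries": [
        {"region": "EMEA", "amount": 9000},
    ],
}

# Assumed SPN object id: the only principal granted on each path's ACL.
SPN_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"
LAKE_ACL: Dict[str, Set[str]] = {path: {SPN_OBJECT_ID} for path in LAKE}


@dataclass
class AuditRecord:
    user: str                # SSO username passed through by the app tier
    groups: Tuple[str, ...]  # groups whose entitlement allowed the read
    path: str
    outcome: str             # "allowed" or "denied"
    rows_returned: int = 0


@dataclass
class Broker:
    spn_id: str
    group_members: Dict[str, Set[str]]  # stand-in for AAD security groups
    # group -> path -> predicate (None = whole table, dict = column == value)
    entitlements: Dict[str, Dict[str, Optional[Dict[str, object]]]]
    audit_log: List[AuditRecord] = field(default_factory=list)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.group_members.items() if user in members}

    def _read_as_spn(self, path: str) -> List[Row]:
        """The only code that touches the lake; it authenticates as the SPN, never the user."""
        if self.spn_id not in LAKE_ACL.get(path, set()):
            raise PermissionError("SPN %s has no ACL entry on %s" % (self.spn_id, path))
        return LAKE[path]

    def read(self, user: str, path: str) -> List[Row]:
        entitled = sorted(g for g in self.groups_of(user)
                          if path in self.entitlements.get(g, {}))
        if not entitled:
            self.audit_log.append(AuditRecord(user, (), path, "denied"))
            raise PermissionError("%s is not entitled to %s" % (user, path))
        visible = []
        for row in self._read_as_spn(path):
            # Row-level security: visible if any entitled group's predicate matches.
            for g in entitled:
                pred = self.entitlements[g][path]
                if pred is None or all(row.get(k) == v for k, v in pred.items()):
                    visible.append(row)
                    break
        self.audit_log.append(AuditRecord(user, tuple(entitled), path, "allowed", len(visible)))
        return visible

    def revoke_group(self, group: str) -> None:
        """Publisher kill switch: one change cuts off every member, no per-file ACL edits."""
        self.entitlements.pop(group, None)

    def remove_member(self, group: str, user: str) -> None:
        """Security-group route: drop one user from the group, their access goes with it."""
        self.group_members.get(group, set()).discard(user)

    def readers_of(self, path: str) -> List[str]:
        """What the publisher asked for: which users actually read this path."""
        return sorted({a.user for a in self.audit_log
                       if a.path == path and a.outcome == "allowed"})


def read_or_none(broker: Broker, user: str, path: str) -> Optional[List[Row]]:
    """Convenience wrapper: None instead of PermissionError on a denied read."""
    try:
        return broker.read(user, path)
    except PermissionError:
        return None


def new_broker() -> Broker:
    """Constructed sample tenant: two groups, two entitlements."""
    return Broker(
        spn_id=SPN_OBJECT_ID,
        group_members={
            "grp-sales-readers": {"alice@contoso.example", "bob@contoso.example"},
            "grp-hr-readers": {"carol@contoso.example"},
        },
        entitlements={
            "grp-sales-readers": {"/publisher-a/sales/2018": {"region": "EMEA"}},
            "grp-hr-readers": {"/publisher-b/hr/salaries": None},
        },
    )


if __name__ == "__main__":
    b = new_broker()
    print(b.read("alice@contoso.example", "/publisher-a/sales/2018"))
    b.revoke_group("grp-sales-readers")
    print(read_or_none(b, "alice@contoso.example", "/publisher-a/sales/2018"))
    for rec in b.audit_log:
        print(rec)
```

The caveat this makes visible: because the lake only ever sees the SPN (as the first reply states, access is granted on the credential used to open the store), the store's own audit trail will show the SPN, not the person. The broker's audit log is therefore the sole record of which user read what, so the broker must be the only holder of the SPN credential and the app tier must be trusted to pass the SSO username honestly.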
  • Hi.  Thanks - yes we have.  The issue we have is the sheer numbers of people involved.  It also doesn't solve the issue of which specific person is accessing the data.  Many thanks for the suggestion though.

    Tuesday, May 1, 2018 11:10 PM