Granting ADLv2 Folder Access via ACL

    Question

  • I'm trying to share access to a folder inside ADLv2 using ACLs. Unfortunately the user is unable to see the folder inside Azure Storage Explorer. Can you please help?

    Steps taken:

    1) I have added the user as a guest account under AAD.

    2) The user has accepted the invite and gone through the usual process.

    3) I've added the guest account to a security group.

    4) Using "Manage Access" (aka ACLs) in Azure Storage Explorer: I've added the security group's object ID to the filesystem with Read access, and the first folder with full permissions.

    5) The user logs into Azure Storage Explorer and they can see the subscription but they're unable to expand it to see the folder.

    The user does not have a role assignment to the ADLv2 resource. I suspect this is the issue. However, any role assignment granted appears to give full access and does not respect the ACL. Obviously this is way too high-level, I must limit their access to a particular folder.
    Wednesday, March 20, 2019 1:15 AM

All replies

  • Hi Simon,

    Thanks for pointing out this issue. I'm working with the product team and will get back to you when I have more information.

    Thursday, March 21, 2019 8:27 AM
    Moderator
  • Thanks mate, that'd be great.  I gave up on folder level access and so I tried using a Shared Access Signature in Azure Storage Explorer 1.7.0.  Unfortunately, it returns the below error message when you try to do this with ADLv2.  The only option that works is using a key which is absolutely insane!

    [Window Title]
    Microsoft Azure Storage Explorer

    [Content]
    Unable to retrieve child resources.

    Details: Blob API is not yet supported for hierarchical namespace accounts.
    RequestId:4b13f853-701e-0075-793f-e01ae3000000
    Time:2019-03-21T23:43:53.6529295Z

    [OK]



    • Edited by Simon Nuss Thursday, March 21, 2019 11:46 PM
    Thursday, March 21, 2019 11:45 PM
  • Hi Simon,

    If you want to do this via ACLs you will have to give the user Read and Execute access in step 4.

    Another option is instead of going the ACL route, you can use RBAC and assign the user/group the reader role. This will give the user traversal rights on the folder as well.

    This is a known issue with ADLS Gen2 “Blob API is not yet supported for hierarchical namespace accounts”.

    For more details, refer “Known issue with Azure Data Lake Storage Gen2”.

    Hope this helps. If you have any further queries, do let us know.

    Friday, March 22, 2019 4:37 AM
    Moderator
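To make the "Read and Execute" point concrete: the following is a constructed model I added here, not Azure or Storage Explorer code. It mimics how a hierarchical-namespace account evaluates POSIX-style ACLs along a path: listing a folder needs Read and Execute on the folder itself and Execute on every ancestor, including the filesystem root. With the ACLs from step 4 of the question (Read only on the filesystem, full permissions on the folder) the check stops at the root; adding a single Execute bit there is the least-privilege fix. Owner entries, the mask entry and default ACLs are omitted, and all object IDs are made up.

```python
"""Why a folder can stay invisible when the filesystem ACL only grants Read.

Constructed illustration, not Azure or Storage Explorer code: it models how
ADLS Gen2 (hierarchical namespace) evaluates POSIX-style ACLs along a path.
Listing a directory needs Read and Execute on that directory plus Execute on
every ancestor, the filesystem root included. Owner/owning-group entries, the
mask entry and default ACLs are left out; the object IDs are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    oid: str                                   # AAD object ID of the user
    groups: frozenset = frozenset()            # object IDs of the user's security groups


# An ACL here is a dict: "user:<oid>" / "group:<oid>" / "other" -> bits in "rwx" order


def effective_perms(acl, who):
    """POSIX order: a matching named-user entry wins; otherwise the union of
    matching group entries; otherwise the 'other' entry; nothing -> '---'."""
    user = acl.get(f"user:{who.oid}")
    if user is not None:
        return user
    group_entries = [acl[f"group:{g}"] for g in who.groups if f"group:{g}" in acl]
    if group_entries:
        return "".join(b if any(b in e for e in group_entries) else "-" for b in "rwx")
    return acl.get("other", "---")


def _chain(path):
    """'/a/b' -> ['/', '/a', '/a/b']: every directory a traversal passes through."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def can_list(acls, path, who):
    """Return (True, 'ok') if `who` can list `path`, else (False, where it stopped)."""
    chain = _chain(path)
    for d in chain:
        perms = effective_perms(acls.get(d, {}), who)
        need = "rx" if d == chain[-1] else "x"      # target: r+x, ancestors: x only
        for bit in need:
            if bit not in perms:
                return False, f"{d}: missing '{bit}' (have {perms})"
    return True, "ok"


def required_grants(acls, path, entry):
    """Least-privilege bits to add for ACL `entry` so that `path` becomes listable."""
    chain = _chain(path)
    todo = {}
    for d in chain:
        have = acls.get(d, {}).get(entry, "---")
        need = "r-x" if d == chain[-1] else "--x"
        missing = "".join(n if n != "-" and n not in have else "-" for n in need)
        if missing != "---":
            todo[d] = missing
    return todo


def with_grants(acls, entry, grants):
    """Copy of `acls` with the bits in `grants` merged into `entry` per directory."""
    new = {d: dict(a) for d, a in acls.items()}
    for d, bits in grants.items():
        have = new.setdefault(d, {}).get(entry, "---")
        new[d][entry] = "".join(b if (b in have or b in bits) else "-" for b in "rwx")
    return new


# --- constructed sample mirroring step 4 of the question ---------------------
GROUP_OID = "11111111-1111-1111-1111-111111111111"           # made-up security group
GROUP_ENTRY = f"group:{GROUP_OID}"
GUEST = Principal("22222222-2222-2222-2222-222222222222",   # made-up guest user
                  frozenset({GROUP_OID}))

ACLS_BEFORE = {
    "/": {GROUP_ENTRY: "r--"},          # filesystem root: Read only
    "/reports": {GROUP_ENTRY: "rwx"},   # target folder: full permissions
}

if __name__ == "__main__":
    print("before:", can_list(ACLS_BEFORE, "/reports", GUEST))
    fix = required_grants(ACLS_BEFORE, "/reports", GROUP_ENTRY)
    print("grant: ", fix)
    print("after: ", can_list(with_grants(ACLS_BEFORE, GROUP_ENTRY, fix), "/reports", GUEST))
```

Run as a script, the model reports that traversal stops at `/` for want of `x`, proposes `{"/": "--x"}`, and succeeds once that bit is merged in. Applying the same grant for real, as far as I know the Azure CLI, is `az storage fs access set --acl "group:<group-object-id>:r-x" --path / --file-system <filesystem> --account-name <account> --auth-mode login` with the bracketed values replaced by your own; because `--acl` sets the complete ACL of that path, read the current one with `az storage fs access show` first and include the existing entries.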
  • Hi Simon,

    Just checking in to see if the above answer helped. If this answers your query, do click "Mark as Answer" and Up-Vote for the same. And, if you have any further queries, do let us know.

    Monday, March 25, 2019 6:44 AM
    Moderator