none
Container permissions randomly changing

    Question

  • I have a storage account that is used for Media Services input and output assets, and after each transcode is done I set the container permissions to BlobContainerPublicAccessType.Blob via the Storage Client Library v4.3.0. Once set, we don't change it.

    Days or weeks later, on dozens of the containers, the permissions are discovered to have mysteriously been reset to BlobContainerPublicAccessType.Off.  Tired of manually discovering them by playback failures, I finally wrote an app that enumerates all the containers and sets the permissions back to Blob again if they are Off, and I run this periodically as needed. They often seem to be a bit "clumped" together in terms of StorageUri proximity (ie: GUIDs in path are often close to each other).

    Is there anything at all that is "known" about this, or does anyone have any clues? If not I'll submit a support ticket.

    Thanks,

    Galan

    Monday, June 29, 2015 8:46 PM

Answers

  • Hi, Shirisha.

    The code is quite simple and it works:

    CloudBlobContainer container = blobClient.GetContainerReference(path.Segments[1]);
    container.SetPermissions(new BlobContainerPermissions { PublicAccess = BlobContainerPublicAccessType.Blob });
    

    And the setting stays for days or weeks, and then out of nowhere we discover some of them have changed. We have no other code anywhere that works with the permissions, and I'm the only person with access to the storage account.

    It sounds like opening a support ticket is the right path for now. I'll create one.

    Thanks,

    Galan

    Tuesday, June 30, 2015 3:56 PM
  • I would recommend enabling Analytics and specifically logging. We could then check for Set Container ACL calls around the time and see if some permissions are changing.
    Thursday, July 2, 2015 5:58 PM

All replies

  • Hi GalanB,

    I see that you are trying to give public access to your blob container but the property resets to OFF mode and gives no access to public.

    Are you setting the permission programmatically ? Would you share the code if possible.

    The below is one of the approaches that works 

    var blobContainer = GetPhotoBlobContainer(); 
    blobContainer
    .CreateIfNotExists(); 
    var perm = new BlobContainerPermissions(); 
    perm
    .PublicAccess = BlobContainerPublicAccessType.Blob; 
    blobContainer
    .SetPermissions(perm);

    The above code is from the reference a Forum here  I see that we can use a Shared Access Signature to make a resource accessible to users. see Shared access signature that might be helpful.

    I am afraid this needs a deeper investigation to find out the cause on why the container permissions are resetting. I would recommend you to create a support ticket so that the corresponding engineer can look into your storage account properties and fiddler traces etc  to assist in resolving the query.

    Regards,

    Shirisha Paderu

    Tuesday, June 30, 2015 3:38 PM
    Moderator
  • Hi, Shirisha.

    The code is quite simple and it works:

    CloudBlobContainer container = blobClient.GetContainerReference(path.Segments[1]);
    container.SetPermissions(new BlobContainerPermissions { PublicAccess = BlobContainerPublicAccessType.Blob });
    

    And the setting stays for days or weeks, and then out of nowhere we discover some of them have changed. We have no other code anywhere that works with the permissions, and I'm the only person with access to the storage account.

    It sounds like opening a support ticket is the right path for now. I'll create one.

    Thanks,

    Galan

    Tuesday, June 30, 2015 3:56 PM
  • hi GalanB,

    This is very unlikely to be a bug in the service  but we never know and this has to be investigated.  Creating support ticket should be right choice for now and request you to write back here on any findings or workaround that can help others who has similar issues.

    Regards,

    Shirisha Paderu


    Wednesday, July 1, 2015 10:26 AM
    Moderator
  • I would recommend enabling Analytics and specifically logging. We could then check for Set Container ACL calls around the time and see if some permissions are changing.
    Thursday, July 2, 2015 5:58 PM