Guidance for using Azure Storage Explorer with Azure AD authorization for Azure Storage Data Access

The purpose of this article is to share some practical guidance (or best practices; I usually refrain from using the term "best practices" because everything is relatively new) around Azure AD authorization for users accessing data stored in an Azure Storage Account through Azure Storage Explorer.

Objective

Azure Storage Explorer is an easy-to-use GUI tool for working with Azure Storage data; behind the scenes it uses AzCopy for all data transfer operations. In enterprise environments with strict access control and audit requirements, the default easy-to-use options of Azure Storage Explorer might require more permissions than the Security Administrators deem acceptable. So, in this post I will go over some intricate details of how Azure Storage Explorer operates and share guidance on the level of Azure AD permissions users need for the various options available in Azure Storage Explorer.

I will touch on some concepts to build the background in case you are new to the Azure platform or Azure Storage; even if you are familiar with Azure Storage concepts, it might be a good idea to have a quick glance over this section.

Azure Blob Storage (including Azure Data Lake Gen2)

Azure Storage Accounts include Azure Files, Azure Queues, Azure Tables and Azure Disks (you can read more about the different Azure Storage services here), but in this article I focus primarily on Azure Blob Storage, including Azure Data Lake Storage Gen2 (referred to as ADLS Gen2).

ADLS Gen2 can be thought of as a specific configuration of Azure Blob Storage with a few additional features meant for enterprise big data analytics. As far as this article goes, the most important aspect of ADLS Gen2 is that it allows much more fine-grained access control (ACLs) in comparison to an Azure Blob Storage Account with the Hierarchical Namespace setting disabled.

ADLS Gen2 is nothing but Azure Blob Storage with the Hierarchical Namespace setting enabled; you can check whether an existing Storage Account is ADLS Gen2 or plain Blob storage from the Configuration settings tab, as shown in the screenshot below.

Authorization for Azure Blob Storage (including ADLS Gen2)

The authorization for Azure Blob Storage can be put into two broad categories:

Shared Access Key - This is the simpler method, where an access key can be used to access data in the Storage Account. The challenge with this method is that it is a "shared" key: if two distinct users have access to the Shared Key and access the data in the Storage Account, there is no clear way to distinguish access by User A from access by User B in the audit logs (an accurate audit trail is a common requirement in enterprise scenarios, especially in regulated industries).

Azure AD - This is the preferred method in enterprise scenarios, where individual users have identities in a centralized Identity and Access Management system and use their own identity to access the data in the Storage Account, hence an accurate audit trail can be captured.

In certain documentation you might see Shared Access Signature listed as another category, but I view it as another layer on top of the two categories above and not as a separate category. You can read more about the Shared Access Signature method here.

Data Plane Operations - RBAC Roles and ACLs (ACLs only for ADLS Gen2)

RBAC roles are applicable to both Azure Blob Storage and ADLS Gen2: Storage Blob Data Owner, Storage Blob Data Contributor and Storage Blob Data Reader are the RBAC roles meant for data operations. You can read more about Data Plane RBAC roles here.

ACLs, only available for ADLS Gen2, can be used to apply fine-grained access control rules at levels below the container (FileSystem is another term used for containers in ADLS Gen2 Storage Accounts). For ADLS Gen2 Storage Accounts, authorization is based on a combination of RBAC roles and ACLs; you can read more details on the ADLS Gen2 Access Control Model here and here.
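To make the RBAC-plus-ACL combination concrete, here is an added model in Python (not code from the original post): it assumes the documented evaluation order, a data-plane role assignment checked first and the POSIX-style ACL walked from the container root only when no role grants the operation; the object ids, the mapping of the three roles to permission bits and the ACL strings are constructed.

```python
from dataclasses import dataclass, field
from collections import namedtuple

# Permission bits each data-plane RBAC role grants (assumed simplification).
RBAC_PERMS = {
    "Storage Blob Data Reader": {"r"},
    "Storage Blob Data Contributor": {"r", "w"},
    "Storage Blob Data Owner": {"r", "w", "x"},
}

@dataclass
class Principal:
    oid: str                              # Azure AD object id (constructed)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

Node = namedtuple("Node", "acl owner group")   # one directory or file: ACL, owning user, owning group

def parse_acl(acl: str) -> dict:
    """'user::rwx,group::r-x,other::---,user:<oid>:r-x,mask::r-x' ->
    {(kind, qualifier): set of bits}; a '-' means the bit is not set."""
    entries = {}
    for entry in acl.split(","):
        kind, qualifier, bits = entry.strip().split(":")
        entries[(kind, qualifier)] = {b for b in bits if b != "-"}
    return entries

def acl_allows(node: Node, p: Principal, bit: str) -> bool:
    """POSIX order: owning user, named user, owning/named groups (filtered
    through the mask entry), then other. The first matching class decides."""
    acl = parse_acl(node.acl)
    mask = acl.get(("mask", ""), {"r", "w", "x"})
    if p.oid == node.owner:
        return bit in acl[("user", "")]
    if ("user", p.oid) in acl:
        return bit in acl[("user", p.oid)] & mask
    grp = [acl[("group", "")]] if node.group in p.groups else []
    grp += [v for (k, q), v in acl.items() if k == "group" and q in p.groups]
    if grp:
        return any(bit in e & mask for e in grp)
    return bit in acl[("other", "")]

def is_authorized(p: Principal, bit: str, path: list) -> bool:
    """path = [container root, dir, ..., target]. A role granting the bit
    short-circuits; otherwise ACLs need 'x' on every parent plus `bit`."""
    if any(bit in RBAC_PERMS.get(r, set()) for r in p.roles):
        return True
    return all(acl_allows(n, p, "x") for n in path[:-1]) and acl_allows(path[-1], p, bit)
```

Note that a user holding Storage Blob Data Reader on the account passes the check before any ACL is consulted, so a restrictive ACL below the container cannot narrow what a broad role assignment already grants.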