articles/machine-learning/how-to-administrate-data-authentication.md
17 additions & 3 deletions
@@ -24,13 +24,14 @@ Learn how to manage data access and how to authenticate in Azure Machine Learnin
24
24
> This article is intended for Azure administrators who want to create the required infrastructure for an Azure Machine Learning solution.
25
25
26
26
## Credential-based data authentication
27
-
In general, credential-based data authentication from studio involves these checks:
27
+
In general, credential-based data authentication involves these checks:
28
28
* Does the user who is accessing data from the credential-based datastore have been assigned a RBAC role containing `Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action`?
29
29
- This permission is required to retrieve credentials from the datastore on behalf of the user.
30
30
* Does the stored credential (service principal, account key, or sas token) have access to the data resource?
31
31
32
+
32
33
## Identity-based data authentication
33
-
In general, identity-based data authentication from studio involves these checks:
34
+
In general, identity-based data authentication involves these checks:
34
35
35
36
* Which user wants to access the resources?
36
37
- Depending on the conext the data is being accessed, different types of authentication are available, for example
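Review bot: dropping "from studio" from the lead sentences at 27 and 34 widens both checklists to every access path, yet the credential-based checks (the `listsecrets/action` permission, the stored credential) and the paragraph later in this file that says SDK and studio access differ suggest the checks were written with studio in mind; either state that the same checks apply to SDK and job access or keep the qualifier. While touching this block, the untouched bullet at 28 reads "Does the user ... have been assigned a RBAC role"; suggest "Has the user ... been assigned an RBAC role", and "conext" at 37 should be "context".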
@@ -49,7 +50,12 @@ In general, identity-based data authentication from studio involves these checks
49
50
- The storage account [Reader](../role-based-access-control/built-in-roles.md#reader) reads the storage metadata.
50
51
- The [Storage Blob Data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) reads, writes, and deletes Azure Storage containers and blobs.
51
52
- Please find more [Azure built-in roles for storage here](../role-based-access-control/built-in-roles/storage.md).
52
-
53
+
54
+
55
+
## VNET specific checks for authetication
56
+
57
+
58
+
53
59
## Other general checks for authetication
54
60
* Where does the access come from?
55
61
- User: Is the client IP address in the VNet/subnet range?
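Review bot: the new heading at 55, "## VNET specific checks for authetication", has nothing under it except blank lines before "## Other general checks for authetication" at 59, so it renders as an empty section; either move the VNet-related bullet at 61 ("User: Is the client IP address in the VNet/subnet range?") under it or leave the heading out until the section has content. Both headings misspell "authentication" as "authetication", and "VNET specific" should be hyphenated as "VNet-specific" to match "VNet" used at 61.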
@@ -78,6 +84,14 @@ This table lists the identities to use for specific scenarios:
78
84
| Access from Job | Yes/No | Compute MSI |
79
85
| Access from Notebook | Yes/No | User's identity |
80
86
87
+
| Configuration | SDK Local | Job | Dataset Preview | Datastore browse | Notebook VM |
88
+
| -- | -- | -- | -- | -- | -- |
89
+
| Credential + Workspace MSI | Credential | Credential | Workspace MSI | Credential (Only Account key and SAS token) | Credential | Notebook VM |
90
+
| No Credential + Workspace MSI | User Identity | Compute MSI/User identity | Workspace MSI | User identity | User identity |
91
+
| Credential + No Workspace MSI | Credential | Credential | Credential | Credential (Only Account key and SAS token) | Credential |
92
+
| No Credential + No Workspace MSI | User Identity | Compute MSI/User identity | User Identity | User Identity | User Identity |
93
+
94
+
81
95
Data access is complex and it involves many pieces. For example, data access from Azure Machine Learning studio is different compared to use of the SDK for data access. When you use the SDK in your local development environment, you directly access data in the cloud. When you use studio, you don't always directly access the data store from your client. Studio relies on the workspace to access data on your behalf.
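Review bot: the table added at 87-92 has a column-count mismatch: the header and separator rows define six columns (Configuration, SDK Local, Job, Dataset Preview, Datastore browse, Notebook VM), but the "Credential + Workspace MSI" row at 89 has seven cells, ending in "| Credential | Notebook VM |"; the trailing "Notebook VM" looks like a stray copy of the column header and should be removed so the row renders. The table also lands with no introductory sentence saying what it lists (for example, which identity each configuration uses per access path), and "Datastore browse" should be capitalized like "Dataset Preview".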