You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/machine-learning/how-to-administrate-data-authentication.md
+24-12Lines changed: 24 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,22 +23,34 @@ Learn how to manage data access and how to authenticate in Azure Machine Learnin
23
23
> [!IMPORTANT]
24
24
> This article is intended for Azure administrators who want to create the required infrastructure for an Azure Machine Learning solution.
25
25
26
-
In general, data access from studio involves these checks:
26
+
## Credential-based data authentication
27
+
In general, credential-based data authentication from studio involves these checks:
28
+
* Does the user who is accessing data from the credential-based datastore have been assigned a RBAC role containing `Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action`?
29
+
- This permission is required to retrieve credentials from the datastore on behalf of the user.
30
+
* Does the stored credential (service principal, account key, or sas token) have access to the data resource?
31
+
32
+
## Identity-based data authentication
33
+
In general, identity-based data authentication from studio involves these checks:
27
34
28
35
* Which user wants to access the resources?
29
-
- Depending on the storage type, different types of authentication are available, for example
30
-
- account key
31
-
- token
32
-
- service principal
33
-
- managed identity
36
+
- Depending on the conext the data is being accessed, different types of authentication are available, for example
34
37
- user identity
38
+
- compute managed identity
39
+
- workspace managed identity
40
+
- Jobs, including the dataset "Generate Profile" option, run on a compute resource in __your subscription__, and access the data from that location. The compute managed identity needs permission to the storage resource, instead of the identity of the user that submitted the job.
35
41
- For authentication based on a user identity, you must know *which* specific user tried to access the storage resource. For more information about _user_ authentication, see [authentication for Azure Machine Learning](how-to-setup-authentication.md). For more information about service-level authentication, see [authentication between Azure Machine Learning and other services](how-to-identity-based-service-authentication.md).
36
-
* Does this user have permission?
37
-
- Does the user have the correct credentials? If yes, does the service principal, managed identity, etc., have the necessary permissions for that storage resource? Permissions are granted using Azure role-based access controls (Azure RBAC).
42
+
* Does this user have permission for reading?
43
+
- Does the user identity or the compute managed identity, etc., have the necessary permissions for that storage resource? Permissions are granted using Azure role-based access controls (Azure RBAC).
44
+
- The storage account [Reader](../role-based-access-control/built-in-roles.md#reader) reads the storage metadata.
45
+
- The [Storage Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) reads and lists Blob storage containers and blobs.
46
+
- Please find more [Azure built-in roles for storage here](../role-based-access-control/built-in-roles/storage.md).
47
+
* Does this user have permission for writing?
48
+
- Does the user identity or the compute managed identity, etc., have the necessary permissions for that storage resource? Permissions are granted using Azure role-based access controls (Azure RBAC).
38
49
- The storage account [Reader](../role-based-access-control/built-in-roles.md#reader) reads the storage metadata.
39
-
- The [Storage Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) reads data within a blob container.
40
-
- The [Contributor](../role-based-access-control/built-in-roles.md#contributor) allows write access to a storage account.
41
-
- More roles may be required, depending on the type of storage.
50
+
- The [Storage Blob Data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) reads, writes, and deletes Azure Storage containers and blobs.
51
+
- Please find more [Azure built-in roles for storage here](../role-based-access-control/built-in-roles/storage.md).
52
+
53
+
## Other general checks for authetication
42
54
* Where does the access come from?
43
55
- User: Is the client IP address in the VNet/subnet range?
44
56
- Workspace: Is the workspace public, or does it have a private endpoint in a VNet/subnet?
@@ -111,4 +123,4 @@ __To use ACLs__, the managed identity of the workspace can be assigned access ju
111
123
112
124
## Next steps
113
125
114
-
For information about enabling studio in a network, see [Use Azure Machine Learning studio in an Azure Virtual Network](how-to-enable-studio-virtual-network.md).
126
+
For information about enabling studio in a network, see [Use Azure Machine Learning studio in an Azure Virtual Network](how-to-enable-studio-virtual-network.md).
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments