Commit c458cdc

Merge pull request #111006 from normesta/normesta-sdk-interop
Updating PowerShell doc with more examples:
2 parents 0b35386 + 339fef3 commit c458cdc

1 file changed

+40
-6
lines changed

articles/storage/blobs/data-lake-storage-directory-file-acl-powershell.md

Lines changed: 40 additions & 6 deletions
@@ -6,7 +6,7 @@ author: normesta
66
ms.service: storage
77
ms.subservice: data-lake-storage-gen2
88
ms.topic: conceptual
9-
ms.date: 04/02/2020
9+
ms.date: 04/10/2020
1010
ms.author: normesta
1111
ms.reviewer: prishet
1212
---
@@ -265,16 +265,15 @@ You can use the `-Force` parameter to remove the file without a prompt.
265265

266266
## Manage access permissions
267267

268-
You can get, set, and update access permissions of file systems, directories and files.
268+
You can get, set, and update access permissions of file systems, directories and files. These permissions are captured in access control lists (ACLs).
269269

270270
> [!NOTE]
271271
> If you're using Azure Active Directory (Azure AD) to authorize commands, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control in Azure Data Lake Storage Gen2](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control).
272272
273-
### Get permissions
273+
### Get an ACL
274274

275275
Get the ACL of a directory or file by using the `Get-AzDataLakeGen2Item`cmdlet.
276276

277-
278277
This example gets the ACL of a **file system** and then prints the ACL to the console.
279278

280279
```powershell
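Review bot: renaming the heading on line 273 from `### Get permissions` to `### Get an ACL` changes the anchor generated from the heading text, so any link that targets the old anchor stops resolving. Check for inbound links to this section before merging, or keep the old anchor with an explicit `<a id="..." />` element as this file already does elsewhere. While this section is open, line 275 is missing a space between the cmdlet name and the word "cmdlet".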
@@ -306,7 +305,7 @@ The following image shows the output after getting the ACL of a directory.
306305

307306
In this example, the owning user has read, write, and execute permissions. The owning group has only read and execute permissions. For more information about access control lists, see [Access control in Azure Data Lake Storage Gen2](data-lake-storage-access-control.md).
308307

309-
### Set or update permissions
308+
### Set an ACL
310309

311310
Use the `set-AzDataLakeGen2ItemAclObject` cmdlet to create an ACL for the owning user, owning group, or other users. Then, use the `Update-AzDataLakeGen2Item` cmdlet to commit the ACL.
312311

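Review bot: the new heading on line 308, `### Set an ACL`, no longer tells the reader how this section differs from changing a single entry, and the unchanged sentence on line 311 does not say either. Suggest adding one sentence that states whether the ACL built here is committed as the item's whole ACL or merged with the existing entries. Line 311 also writes `set-AzDataLakeGen2ItemAclObject` in lower case next to `Update-AzDataLakeGen2Item`; `Set-` would match the casing of the other cmdlet names.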
@@ -354,7 +353,7 @@ The following image shows the output after setting the ACL of a file.
354353
In this example, the owning user and owning group have only read and write permissions. All other users have write and execute permissions. For more information about access control lists, see [Access control in Azure Data Lake Storage Gen2](data-lake-storage-access-control.md).
355354

356355

357-
### Set permissions on all items in a file system
356+
### Set ACLs on all items in a file system
358357

359358
You can use the `Get-AzDataLakeGen2Item` and the `-Recurse` parameter together with the `Update-AzDataLakeGen2Item` cmdlet to recursively to set the ACL of all directories and files in a file system.
360359

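Review bot: the sentence under the renamed heading, line 359, reads "cmdlet to recursively to set the ACL" and should be fixed while this section is being touched, for example "to recursively set the ACL". Since this section applies one ACL to every directory and file in the file system, it would also help to say here what happens to the entries already present on those items.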
@@ -365,6 +364,41 @@ $acl = set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission rw-
365364
$acl = set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission -wx -InputObject $acl
366365
Get-AzDataLakeGen2ChildItem -Context $ctx -FileSystem $filesystemName -Recurse | Update-AzDataLakeGen2Item -Acl $acl
367366
```
367+
### Add or update an ACL entry
368+
369+
First, get the ACL. Then, use the `set-AzDataLakeGen2ItemAclObject` cmdlet to add or update an ACL entry. Use the `Update-AzDataLakeGen2Item` cmdlet to commit the ACL.
370+
371+
This example creates or updates the ACL on a **directory** for a user.
372+
373+
```powershell
374+
$filesystemName = "my-file-system"
375+
$dirname = "my-directory/"
376+
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname).ACL
377+
$acl = set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityID xxxxxxxx-xxxx-xxxxxxxxxxx -Permission r-x -InputObject $acl
378+
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl
379+
```
380+
381+
### Remove an ACL entry
382+
383+
This example removes an entry from an existing ACL.
384+
385+
```powershell
386+
$id = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
387+
388+
# Create the new ACL object.
389+
[Collections.Generic.List[System.Object]]$aclnew =$acl
390+
391+
foreach ($a in $aclnew)
392+
{
393+
if ($a.AccessControlType -eq "User"-and $a.DefaultScope -eq $false -and $a.EntityId -eq $id)
394+
{
395+
$aclnew.Remove($a);
396+
break;
397+
}
398+
}
399+
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $aclnew
400+
```
401+
368402
<a id="gen1-gen2-map" />
369403

370404
## Gen1 to Gen2 Mapping
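Review bot: the remove example reads `$acl` on line 389 without assigning it, and also depends on `$ctx`, `$filesystemName` and `$dirname` from the previous block, so it is not runnable on its own. Suggest starting the block with the same `Get-AzDataLakeGen2Item ... .ACL` call used on line 376 and adding a sentence above the block that names the cmdlets, as the other sections do. If no entry matches `$id`, the loop on lines 391 to 398 falls through and line 399 still commits the unchanged ACL; either note that or skip the update. Smaller points: line 393 needs a space in `"User"-and`; the `-EntityID` placeholder on line 377 has three groups while `$id` on line 386 has five, so use one GUID-shaped placeholder in both; and line 367 puts the new heading directly after the closing fence with no blank line.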
