articles/data-lake-store/data-lake-store-access-control.md
Lines changed: 42 additions & 42 deletions
@@ -1,6 +1,6 @@
1
1
---
2
-
title: Overview of access control in Data Lake Store | Microsoft Docs
3
-
description: Understand how access control works in Azure Data Lake Store
2
+
title: Overview of access control in Data Lake Storage Gen1 | Microsoft Docs
3
+
description: Understand how access control works in Azure Data Lake Storage Gen1
4
4
services: data-lake-store
5
5
documentationcenter: ''
6
6
author: nitinme
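Review bot: the `services: data-lake-store` value at line 4 stays on the old slug while `title` (line 2) and `description` (line 3) move to "Data Lake Storage Gen1"; if that key drives site routing rather than display text this is fine, but it should be confirmed as deliberate rather than a missed rename, since every other product-name occurrence in the file is being touched.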
@@ -15,9 +15,9 @@ ms.date: 03/26/2018
15
15
ms.author: nitinme
16
16
17
17
---
18
-
# Access control in Azure Data Lake Store
18
+
# Access control in Azure Data Lake Storage Gen1
19
19
20
-
Azure Data Lake Store implements an access control model that derives from HDFS, which in turn derives from the POSIX access control model. This article summarizes the basics of the access control model for Data Lake Store. To learn more about the HDFS access control model, see [HDFS Permissions Guide](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html).
20
+
Azure Data Lake Storage Gen1 implements an access control model that derives from HDFS, which in turn derives from the POSIX access control model. This article summarizes the basics of the access control model for Data Lake Storage Gen1. To learn more about the HDFS access control model, see [HDFS Permissions Guide](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html).
21
21
22
22
## Access control lists on files and folders
23
23
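Review bot: `ms.date: 03/26/2018` (shown in the hunk header context) is not bumped even though the H1 at line 18 and the introductory paragraph at line 20 change user-visible text; docs metadata conventions normally refresh the date alongside content edits. The rename itself is consistent here: heading and paragraph both say "Data Lake Storage Gen1" and the HDFS Permissions Guide link is left untouched.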
@@ -27,11 +27,11 @@ There are two kinds of access control lists (ACLs), **Access ACLs** and **Defaul
27
27
28
28
***Default ACLs**: A "template" of ACLs associated with a folder that determine the Access ACLs for any child items that are created under that folder. Files do not have Default ACLs.
29
29
30
-

30
+

31
31
32
32
Both Access ACLs and Default ACLs have the same structure.
33
33
34
-

34
+

35
35
36
36
37
37
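Review bot: the replaced lines 30 and 34 show no visible text in this rendered view, so whatever changed on them cannot be verified from here; the same applies to several later hunks in this change. Please check the source diff that those lines only swap the product name and do not alter any ACL content.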
@@ -50,7 +50,7 @@ Every file and folder has distinct permissions for these identities:
50
50
* Named groups
51
51
* All other users
52
52
53
-
The identities of users and groups are Azure Active Directory (Azure AD) identities. So unless otherwise noted, a "user," in the context of Data Lake Store, can either mean an Azure AD user or an Azure AD security group.
53
+
The identities of users and groups are Azure Active Directory (Azure AD) identities. So unless otherwise noted, a "user," in the context of Data Lake Storage Gen1, can either mean an Azure AD user or an Azure AD security group.
54
54
55
55
## Permissions
56
56
@@ -60,7 +60,7 @@ The permissions on a filesystem object are **Read**, **Write**, and **Execute**,
60
60
|------------|-------------|----------|
61
61
|**Read (R)**| Can read the contents of a file | Requires **Read** and **Execute** to list the contents of the folder|
62
62
|**Write (W)**| Can write or append to a file | Requires **Write** and **Execute** to create child items in a folder |
63
-
|**Execute (X)**| Does not mean anything in the context of Data Lake Store| Required to traverse the child items of a folder |
63
+
|**Execute (X)**| Does not mean anything in the context of Data Lake Storage Gen1| Required to traverse the child items of a folder |
64
64
65
65
### Short forms for permissions
66
66
@@ -76,29 +76,29 @@ The permissions on a filesystem object are **Read**, **Write**, and **Execute**,
76
76
77
77
### Permissions do not inherit
78
78
79
-
In the POSIX-style model that's used by Data Lake Store, permissions for an item are stored on the item itself. In other words, permissions for an item cannot be inherited from the parent items.
79
+
In the POSIX-style model that's used by Data Lake Storage Gen1, permissions for an item are stored on the item itself. In other words, permissions for an item cannot be inherited from the parent items.
80
80
81
81
## Common scenarios related to permissions
82
82
83
-
Following are some common scenarios to help you understand which permissions are needed to perform certain operations on a Data Lake Store account.
83
+
Following are some common scenarios to help you understand which permissions are needed to perform certain operations on a Data Lake Storage Gen1 account.
84
84
85
85
### Permissions needed to read a file
86
86
87
-

87
+

88
88
89
89
* For the file to be read, the caller needs **Read** permissions.
90
90
* For all the folders in the folder structure that contain the file, the caller needs **Execute** permissions.
91
91
92
92
### Permissions needed to append to a file
93
93
94
-

94
+

95
95
96
96
* For the file to be appended to, the caller needs **Write** permissions.
97
97
* For all the folders that contain the file, the caller needs **Execute** permissions.
98
98
99
99
### Permissions needed to delete a file
100
100
101
-

101
+

102
102
103
103
* For the parent folder, the caller needs **Write + Execute** permissions.
104
104
* For all the other folders in the file’s path, the caller needs **Execute** permissions.
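Review bot: the delete-a-file scenario at lines 103-104 lists what is needed on the parent folder (Write + Execute) and on the other folders in the path (Execute) but says nothing about the file itself; since this hunk already touches this section, consider stating explicitly whether the file's own ACL is consulted for deletion, because readers will otherwise assume Write on the file is required. The renames at lines 79 and 83 are consistent with the rest of the change.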
@@ -112,24 +112,24 @@ Following are some common scenarios to help you understand which permissions are
112
112
113
113
### Permissions needed to enumerate a folder
114
114
115
-

115
+

116
116
117
117
* For the folder to enumerate, the caller needs **Read + Execute** permissions.
118
118
* For all the ancestor folders, the caller needs **Execute** permissions.
119
119
120
120
## Viewing permissions in the Azure portal
121
121
122
-
From the **Data Explorer** blade of the Data Lake Store account, click **Access** to see the ACLs for the file or folder being viewed in the Data Explorer. Click **Access** to see the ACLs for the **catalog** folder under the **mydatastore** account.
122
+
From the **Data Explorer** blade of the Data Lake Storage Gen1 account, click **Access** to see the ACLs for the file or folder being viewed in the Data Explorer. Click **Access** to see the ACLs for the **catalog** folder under the **mydatastore** account.
123
123
124
-

124
+

125
125
126
126
On this blade, the top section shows the owners permissions. (In the screenshot, the owning user is Bob.) Following that, the assigned Access ACLs are shown.
127
127
128
-

128
+

129
129
130
130
Click **Advanced View** to see the more advanced view, where the Default ACLs, mask, and a description of super-users are shown. This blade also provides a way to recursively set Access and Default ACLs for child files and folders based on the permissions of the current folder.
131
131
132
-

132
+

133
133
134
134
## The super-user
135
135
@@ -139,13 +139,13 @@ A super-user has the most rights of all the users in the Data Lake Store. A supe
139
139
* Can change the permissions on any file or folder.
140
140
* Can change the owning user or owning group of any file or folder.
141
141
142
-
In Azure, a Data Lake Store account has several Azure roles, including:
142
+
In Azure, a Data Lake Storage Gen1 account has several Azure roles, including:
143
143
144
144
* Owners
145
145
* Contributors
146
146
* Readers
147
147
148
-
Everyone in the **Owners** role for a Data Lake Store account is automatically a super-user for that account. To learn more, see [Role-based access control](../role-based-access-control/role-assignments-portal.md).
148
+
Everyone in the **Owners** role for a Data Lake Storage Gen1 account is automatically a super-user for that account. To learn more, see [Role-based access control](../role-based-access-control/role-assignments-portal.md).
149
149
If you want to create a custom role-based-access control (RBAC) role that has super-user permissions, it needs to have the following permissions:
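Review bot: the hunk header context "A super-user has the most rights of all the users in the Data Lake Store" (line 136, just above this hunk) still uses the old product name, so the rename is incomplete in this section: lines 142 and 148 are updated but line 136 is not. Suggest extending the change to that sentence.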
@@ -167,9 +167,9 @@ The user who created the item is automatically the owning user of the item. An o
167
167
168
168
In the POSIX ACLs, every user is associated with a "primary group." For example, user "alice" might belong to the "finance" group. Alice might also belong to multiple groups, but one group is always designated as her primary group. In POSIX, when Alice creates a file, the owning group of that file is set to her primary group, which in this case is "finance."
169
169
170
-
When a new filesystem item is created, Data Lake Store assigns a value to the owning group.
170
+
When a new filesystem item is created, Data Lake Storage Gen1 assigns a value to the owning group.
171
171
172
-
***Case 1**: The root folder "/". This folder is created when a Data Lake Store account is created. In this case, the owning group is set to the user who created the account.
172
+
***Case 1**: The root folder "/". This folder is created when a Data Lake Storage Gen1 account is created. In this case, the owning group is set to the user who created the account.
173
173
***Case 2** (Every other case): When a new item is created, the owning group is copied from the parent folder.
174
174
175
175
The owning group otherwise behaves similarly to assigned permissions for other users/groups.
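Review bot: line 172, which this hunk rewrites, says the owning group of the root folder "is set to the user who created the account", which reads as a group being set to a user; if the intended meaning is that the account creator's identity is placed in the owning-group slot, say so explicitly, because the paragraph at line 168 has just defined the owning group in terms of a primary group and the two statements do not line up.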
@@ -183,9 +183,9 @@ The owning group can be changed by:
183
183
184
184
## Access check algorithm
185
185
186
-
The following illustration represents the access check algorithm for Data Lake Store accounts.
186
+
The following illustration represents the access check algorithm for Data Lake Storage Gen1 accounts.
187
187
188
-

188
+

189
189
190
190
191
191
## The mask and "effective permissions"
@@ -198,18 +198,18 @@ The **mask** is an RWX value that is used to limit access for **named users**, t
198
198
199
199
Let's look at some examples. In the following example, the mask is set to **RWX**, which means that the mask does not remove any permissions. The effective permissions for the named user, owning group, and named group are not altered during the access check.
200
200
201
-

201
+

202
202
203
203
In the following example, the mask is set to **R-X**. This means that it **turns off the Write permissions** for **named user**, **owning group**, and **named group** at the time of access check.
204
204
205
-

205
+

206
206
207
207
For reference, here is where the mask for a file or folder appears in the Azure portal.
208
208
209
-

209
+

210
210
211
211
> [!NOTE]
212
-
> For a new Data Lake Store account, the mask for the Access ACL of the root folder ("/") defaults to RWX.
212
+
> For a new Data Lake Storage Gen1 account, the mask for the Access ACL of the root folder ("/") defaults to RWX.
213
213
>
214
214
>
215
215
@@ -224,7 +224,7 @@ When a new file or folder is created under an existing folder, the Default ACL o
224
224
225
225
When a child file or folder is created, the parent's Default ACL is copied as the Access ACL of the child file or folder. Also, if **other** user has RWX permissions in the parent's default ACL, it is removed from the child item's Access ACL.
226
226
227
-

227
+

228
228
229
229
In most scenarios, the previous information is all you need to know about how a child item’s Access ACL is determined. However, if you are familiar with POSIX systems and want to understand in-depth how this transformation is achieved, see the section [Umask’s role in creating the Access ACL for new files and folders](#umasks-role-in-creating-the-access-acl-for-new-files-and-folders) later in this article.
230
230
@@ -233,17 +233,17 @@ In most scenarios, the previous information is all you need to know about how a
233
233
234
234
When a child folder is created under a parent folder, the parent folder's Default ACL is copied over as is to the child folder's Default ACL.
235
235
236
-

236
+

237
237
238
-
## Advanced topics for understanding ACLs in Data Lake Store
238
+
## Advanced topics for understanding ACLs in Data Lake Storage Gen1
239
239
240
-
Following are some advanced topics to help you understand how ACLs are determined for Data Lake Store files or folders.
240
+
Following are some advanced topics to help you understand how ACLs are determined for Data Lake Storage Gen1 files or folders.
241
241
242
242
### Umask’s role in creating the Access ACL for new files and folders
243
243
244
244
In a POSIX-compliant system, the general concept is that umask is a 9-bit value on the parent folder that's used to transform the permission for **owning user**, **owning group**, and **other** on the Access ACL of a new child file or folder. The bits of a umask identify which bits to turn off in the child item’s Access ACL. Thus it is used to selectively prevent the propagation of permissions for **owning user**, **owning group**, and **other**.
245
245
246
-
In an HDFS system, the umask is typically a sitewide configuration option that is controlled by administrators. Data Lake Store uses an **account-wide umask** that cannot be changed. The following table shows the unmask for Data Lake Store.
246
+
In an HDFS system, the umask is typically a sitewide configuration option that is controlled by administrators. Data Lake Storage Gen1 uses an **account-wide umask** that cannot be changed. The following table shows the unmask for Data Lake Storage Gen1.
247
247
248
248
| User group | Setting | Effect on new child item's Access ACL |
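Review bot: "the unmask for Data Lake Storage Gen1" at line 246 is a typo for "umask", the term used everywhere else in this section (line 244 and the table starting at line 248); since this line is being rewritten anyway, fix it here rather than leave the typo in the new text.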
@@ -253,13 +253,13 @@ In an HDFS system, the umask is typically a sitewide configuration option that i
253
253
254
254
The following illustration shows this umask in action. The net effect is to remove **Read + Write + Execute** for **other** user. Because the umask did not specify bits for **owning user** and **owning group**, those permissions are not transformed.
255
255
256
-

256
+

257
257
258
258
### The sticky bit
259
259
260
-
The sticky bit is a more advanced feature of a POSIX filesystem. In the context of Data Lake Store, it is unlikely that the sticky bit will be needed.
260
+
The sticky bit is a more advanced feature of a POSIX filesystem. In the context of Data Lake Storage Gen1, it is unlikely that the sticky bit will be needed.
261
261
262
-
The following table shows how the sticky bit works in Data Lake Store.
262
+
The following table shows how the sticky bit works in Data Lake Storage Gen1.
@@ -268,13 +268,13 @@ The following table shows how the sticky bit works in Data Lake Store.
268
268
269
269
The sticky bit is not shown in the Azure portal.
270
270
271
-
## Common questions about ACLs in Data Lake Store
271
+
## Common questions about ACLs in Data Lake Storage Gen1
272
272
273
-
Here are some questions that come up often about ACLs in Data Lake Store.
273
+
Here are some questions that come up often about ACLs in Data Lake Storage Gen1.
274
274
275
275
### Do I have to enable support for ACLs?
276
276
277
-
No. Access control via ACLs is always on for a Data Lake Store account.
277
+
No. Access control via ACLs is always on for a Data Lake Storage Gen1 account.
278
278
279
279
### Which permissions are required to recursively delete a folder and its contents?
280
280
@@ -306,15 +306,15 @@ Entries in the ACLs are stored as GUIDs that correspond to users in Azure AD. Th
306
306
307
307
A GUID is shown when the user doesn't exist in Azure AD anymore. Usually this happens when the user has left the company or if their account has been deleted in Azure AD.
308
308
309
-
### Does Data Lake Store support inheritance of ACLs?
309
+
### Does Data Lake Storage Gen1 support inheritance of ACLs?
310
310
311
311
No, but Default ACLs can be used to set ACLs for child files and folder newly created under the parent folder.
312
312
313
313
### What is the difference between mask and umask?
314
314
315
315
| mask | umask|
316
316
|------|------|
317
-
| The **mask** property is available on every file and folder. | The **umask** is a property of the Data Lake Store account. So there is only a single umask in the Data Lake Store. |
317
+
| The **mask** property is available on every file and folder. | The **umask** is a property of the Data Lake Storage Gen1 account. So there is only a single umask in the Data Lake Storage Gen1. |
318
318
| The mask property on a file or folder can be altered by the owning user or owning group of a file or a super-user. | The umask property cannot be modified by any user, even a super-user. It is an unchangeable, constant value.|
319
319
| The mask property is used during the access check algorithm at runtime to determine whether a user has the right to perform on operation on a file or folder. The role of the mask is to create "effective permissions" at the time of access check. | The umask is not used during access check at all. The umask is used to determine the Access ACL of new child items of a folder. |
320
320
| The mask is a 3-bit RWX value that applies to named user, owning group, and named group at the time of access check.| The umask is a 9-bit value that applies to the owning user, owning group, and **other** of a new child.|
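Review bot: "only a single umask in the Data Lake Storage Gen1" at line 317 reads awkwardly with the definite article; "in a Data Lake Storage Gen1 account" matches the first sentence of the same cell. Also "the right to perform on operation" at line 319 should be "perform an operation" (unchanged context line, but adjacent to the edited row).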
@@ -339,4 +339,4 @@ No, but Default ACLs can be used to set ACLs for child files and folder newly cr
339
339
340
340
## See also
341
341
342
-
*[Overview of Azure Data Lake Store](data-lake-store-overview.md)
342
+
*[Overview of Azure Data Lake Storage Gen1](data-lake-store-overview.md)
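Review bot: the link text at line 342 becomes "Overview of Azure Data Lake Storage Gen1" while the target stays data-lake-store-overview.md; that is fine if the file name is unchanged, but confirm the target page's own title was renamed in the same change so the link text and the destination heading agree.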