1
votes

I am new to Azure Data Lake Analytics and am converting a C# batch job to use service to service authentication before submitting stored procedures to Azure Data Lake Analytics.

using System.Threading;
using Microsoft.Azure.Management.DataLake.Analytics;
using Microsoft.Azure.Management.DataLake.Store;
using Microsoft.Rest;
using Microsoft.Rest.Azure.Authentication;

// Fields used by the two methods below; the values come from the job's configuration
private static string strDomain, strWebApp_clientId, strClientSecret, strSubscriptionID;
private static ServiceClientCredentials cTokenCreds;
private static DataLakeAnalyticsAccountManagementClient _adlaClient;
private static DataLakeAnalyticsJobManagementClient _adlaJobClient;
private static DataLakeStoreFileSystemManagementClient _adlsFileSystemClient;

public void AuthenticateADLUser()
{
    // Connect to ADL

    // Service principal / application authentication with client secret / key
    SynchronizationContext.SetSynchronizationContext(new SynchronizationContext());
    cTokenCreds = ApplicationTokenProvider.LoginSilentAsync(strDomain, strWebApp_clientId, strClientSecret).Result;
    SetupClients(cTokenCreds, strSubscriptionID);
}

public static void SetupClients(ServiceClientCredentials tokenCreds, string subscriptionId)
{
    // Account management client needs the subscription; the job and file system clients do not
    _adlaClient = new DataLakeAnalyticsAccountManagementClient(tokenCreds);
    _adlaClient.SubscriptionId = subscriptionId;

    _adlaJobClient = new DataLakeAnalyticsJobManagementClient(tokenCreds);

    _adlsFileSystemClient = new DataLakeStoreFileSystemManagementClient(tokenCreds);
}

Even though I have given it the correct ClientId the error comes back with a different ClientID in the error when I execute the following code:

var jobInfo = _adlaJobClient.Job.Create(_adlsAccountName, jobId, parameters);

The error message is:

The client 'e83bb777-f3af-4526-ae34-f5461a5fde1c' with object id 'e83bb777-f3af-4526-ae34-f5461a5fde1c' does not have authorization to perform action 'Microsoft.Authorization/permissions/read' over scope '/subscriptions/a0fb08ca-a074-489c-bed0-....

  1. Why is the ClientID different than the one I used in the code?
  2. Is this a code issue or a permissions issue? I assume that it is code since the ClientID is not an authorized one that I created.

note: The SubscriptionId is correct.


2 Answers

0
votes

I assume you created an Azure Active Directory App and are using the client and domain IDs of this app. If not, you'll need that... If you do have that, then can you check if the App has permissions over your Data Lake Store: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-authenticate-using-active-directory

0
votes

Had exactly the same symptoms. The WebApp was originally created in AAD in the portal to access Azure Data Lake Store, and the same code snippet worked perfectly. When I decided to re-use the same WebApp (clientid/secret) it failed with the same error, even though I had given reader/contributor roles on sub/RG/ADLA to the App.

I think the reason is that the WebApp underneath has a "service principal" object (thus the error msg shows a different object id) and ADLA uses it for some reason. Mine didn't have credentials set - empty result:

Get-AzureRmADSpCredential -ObjectId <object_id_from_error_msg>

Added a new password as described here

New-AzureRmADSpCredential -ObjectId <object_id_from_error_msg> -Password $password

Used the pwd as the secret in LoginSilentAsync; the clientId was left as before - the WebApp clientId (not the principal object id shown in the error).

I wasn't able to find this principal info in the portal, only in PS.
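The following is an added example, not code from the question or from either answer. It walks the check a practitioner would run before touching secrets: resolve the object id quoted in the error back to a service principal (which is why it differs from the application/client id used in the code), list the role assignments that principal actually holds at the subscription and at the ADLA account, and only then inspect or rotate the principal's credential as the second answer does. It uses the same AzureRM cmdlets the answer uses and assumes an existing Login-AzureRmAccount session with rights to read role assignments; the three placeholder values at the top are assumptions to be filled in from the error message and your environment.

```powershell
# Added example; assumes an AzureRM session (Login-AzureRmAccount) is already open.
# Placeholders: copy the object id from the error text, and fill in your own
# subscription id and ADLA account name.
$objectIdFromError = "<object_id_from_error_msg>"
$subscriptionId    = "<subscription_id>"
$adlaAccountName   = "<adla_account_name>"

# 1. The id in the error is the service principal's object id, not the app's
#    (client) id. Resolve it and compare ApplicationId with the clientId passed
#    to LoginSilentAsync; a mismatch means the token came from another app.
$sp = Get-AzureRmADServicePrincipal -ObjectId $objectIdFromError
"ServicePrincipal: $($sp.DisplayName)  AppId: $($sp.ApplicationId)  ObjectId: $($sp.Id)"

# 2. Role assignments at subscription scope. The action in the error,
#    Microsoft.Authorization/permissions/read, is granted by Reader and above;
#    if nothing is listed here the failure is authorization, not code.
Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope "/subscriptions/$subscriptionId" |
    Select-Object RoleDefinitionName, Scope

# 3. Role assignments on the ADLA account itself. Assignments made on the
#    resource group or on the account do not show up at subscription scope.
$adla = Get-AzureRmDataLakeAnalyticsAccount -Name $adlaAccountName
Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $adla.Id |
    Select-Object RoleDefinitionName, Scope

# 4. Credentials on the principal (the second answer found this list empty).
#    Only add a secret if the list really is empty or expired; prefer a short
#    lifetime and keep the value out of source control.
Get-AzureRmADSpCredential -ObjectId $sp.Id |
    Select-Object KeyId, StartDate, EndDate, Type

$newSecret = Read-Host -AsSecureString -Prompt "New client secret (leave blank to skip)"
if ($newSecret.Length -gt 0) {
    New-AzureRmADSpCredential -ObjectId $sp.Id -Password $newSecret -EndDate (Get-Date).AddMonths(6)
}
```

Run steps 1 to 3 first: if step 1 returns an ApplicationId that matches the clientId in the C# code and steps 2 and 3 show no role at either scope, the fix is a role assignment for that object id (least privilege: Reader for the permissions check plus Data Lake Analytics Developer on the account for submitting jobs), not a code change. Step 4 is only needed when the credential list is empty, as in the second answer. The Az module equivalents (Get-AzADServicePrincipal, Get-AzRoleAssignment, Get-AzADSpCredential, New-AzADSpCredential) take the same object id.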