3
votes

Under the Access blade in the portal it shows that I am the Owner but it also says

Your Permissions

[email protected]'s effective permissions on this folder are: None

In AAD I can see that [email protected] is associated with my account, which is listed as "My Name" under Owners.

I am trying to access a folder I created using permissions from an AAD application...

The error I get is:

LISTSTATUS failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.).

When I go into the root folder and go to the access blade, then click "advanced" and try to apply folder permissions to sub-folders (Apply to children button), it says

AccessControlException: SETACL failed with error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to perform the requested operation.).

Does anyone know how to solve this?

Thank you!


3 Answers

0
votes

There are multiple things that are getting mixed up in this question, making it difficult to answer. In the abstract, here is a general document with an FAQ that explains the entire security model: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-access-control

Kindly go through it and then perhaps repost/modify with a more specific repro of your problem. Here is the type of information that will make the question more concrete:

  1. Your folder structure to the root
  2. Permissions at each node including owner
  3. Who the access is happening as
  4. Expected and actual outcome

0
votes

I ran into something similar and thought I'd post for everyone even though it seems like you solved yours.

Problem: Couldn't access folders within ADLS regardless of the permission set (only the super user could).

Solution: Found here. As super user, go to Data Explorer within ADLS. Then hit the Access key on the top bar. Grant permission as desired.

Think they added this extra step so you could be more granular. Probably could use a hint when permissioning users in ADLS: "This doesn't actually allow you to see or do anything...."

0
votes

One of the typical cases when you get a "Forbidden" response is that your AAD application does not have "Execute" permissions on the whole folder hierarchy, starting from the root.

E.g. if your folder is /abc/def, your AAD app should have Execute permissions for the root (/), for /abc and for /abc/def to be able to read or write data in the /abc/def folder.

You can see how it works in the Overview of access control in Data Lake Storage Gen1.
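To make the traversal rule from this answer concrete, here is a small Python model of the check (an added example, not code from the answers or from Azure): Execute is required on "/" and every ancestor before the target folder's own entries are even consulted, which is why an app with rwx on /abc/def still gets 0x83090aa2 when /abc has no entry for it. The folder tree, the owner "alice" and the principal "aad-app-object-id" are constructed sample data, and a mask entry is deliberately left out.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """One folder's ACL: owner entry, named user/group entries, and 'other'."""
    owner: str
    owner_perms: str                            # e.g. "rwx"
    named: dict = field(default_factory=dict)   # principal -> perms such as "--x"
    other: str = "---"

    def perms_for(self, principal: str) -> str:
        # Assumption: no mask entry, so named entries apply exactly as written.
        if principal == self.owner:
            return self.owner_perms
        return self.named.get(principal, self.other)

def check_access(tree, path, principal, want, superuser=None):
    """Return (allowed, reason). As for LISTSTATUS/READ in ADLS Gen1: the caller
    needs Execute on '/' and every ancestor, then `want` (e.g. "r", "rw") on the target."""
    if principal == superuser:
        return True, "super user bypasses ACL checks"
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for anc in ancestors:
        if "x" not in tree[anc].perms_for(principal):
            return False, f"no Execute on {anc}: 0x83090aa2 Forbidden, ACL verification failed"
    have = tree[path].perms_for(principal)
    missing = "".join(p for p in want if p not in have)
    if missing:
        return False, f"missing {missing} on {path}: 0x83090aa2 Forbidden, ACL verification failed"
    return True, "ok"

# Constructed sample tree: the app has rwx on /abc/def and --x on / but no entry on /abc.
APP = "aad-app-object-id"   # constructed placeholder for the AAD app's service principal
TREE = {
    "/":        Acl("alice", "rwx", named={APP: "--x"}),
    "/abc":     Acl("alice", "rwx"),                        # app falls through to 'other' (---)
    "/abc/def": Acl("alice", "rwx", named={APP: "rwx"}),
}

def fixed_tree():
    """Same tree after granting the app Execute on the missing ancestor /abc."""
    t = dict(TREE)
    t["/abc"] = Acl("alice", "rwx", named={APP: "--x"})
    return t

if __name__ == "__main__":
    print(check_access(TREE, "/abc/def", APP, "r"))           # blocked at /abc
    print(check_access(fixed_tree(), "/abc/def", APP, "rw"))  # (True, 'ok')
```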