使用 Azure CLI 将用户权限添加到 Data Lake Store Gen2 文件夹

Question

We would like to set specific rights to an enterprise application in DataLake Gen2 using Azure CLI in our deployment Pipeline. We use powersehell 7.0 and the az storage extension.

I can set rights for users, groups and other via cli, but not for a specific user. This user must must have a contributor role (rw-)

I have tried to set the rights:

az extension add --name storage-preview
az storage blob directory access set -a "default:$user::rw-" -d $dirname -c $filesystemName --account-name $storageaccountname

But it trows the error:'error":{"code":"InvaldAccessControlList","message":"The access control list value is invalid'

When run

az storage blob directory access show -d $dirname  -c $filesystemName  --account-name $storageaccountname

{
  "acl": "user::rwx,group::r-x,other::---,default:user::rw-,default:group::r-x,default:other::---",
  "group": "dummy000-0000-0000-00000000000",
  "owner": "$superuser",
  "permissions": "rwxr-x---+"
}

It looks like i can't set specific rights this way. I can't use the portal. Is there a CLI command which i can use. The documentation is not very clear about this.

Answer 1

I read the linux documentation about ACL's and changed the command as follows:

#Get Object ID from the aplicationID:
$user = az ad sp show --id dummy000-0000-0000-00000000000 --query objectId 

# set default rights to the application and strip the quotes from the objectid
$set = "default:user:"+$user.Replace("`"","")+":rw-"

#set the default rights (child items and new as well):
az storage blob directory access set -a $set -d $dirname -c $filesystemName --account-name $storageaccountname

#check rights:
az storage blob directory access show -d $dirname  -c $filesystemName  --account-name $storageaccountname

You could use an ad emailadress as a user as well.