使用服务主体从 Azure Function 连接到 Data Lake Gen 2 会引发 AuthorizationPermissionMismatch 错误

Question

我正在尝试使用为从 Azure Function（使用服务总线主题触发器）访问 Data Lake Gen 2 而创建的服务主体连接到 Data Lake Gen 2 帐户（使用服务总线主题触发器）此服务主体与 Z3A580F142203673F58 等服务正常工作。 但是，当我尝试使用相同的服务主体从 Azure function 连接时，它会引发 AuthorizationPermissionMismatch 错误。

仅允许从 Azure Function 访问数据湖的服务主体或托管标识。

我正在遵循以下 Microsoft 文档页面中提到的代码：

https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-directory-file-acl-dotnet#connect-by-using-azure-active-directory-azure-ad

我使用下面的 Python 示例作为参考，因为我没有得到端到端 C# 示例：

https://docs.microsoft.com/en-us/azure/developer/python/tutorial-deploy-serverless-cloud-etl-05

function代码如下：

using System;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Extensions.Logging;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System.Threading.Tasks;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;
using System.Collections.Generic;

namespace FunctionApp1
{
    public class Function1
    {


        [FunctionName("Function1")]
        public async Task RunAsync([ServiceBusTrigger("service_bus_name", "subscription_name", Connection = "shared_access_key_connection_name")] string mySbMsg, ILogger log)
        {

            string accountName = "";
            string clientID = "";
            string clientSecret = "";
            string tenantID = "";
            var credential = new ClientSecretCredential(
    tenantID, clientID, clientSecret, new TokenCredentialOptions());
            string dfsUri = "https://" + accountName + ".dfs.core.windows.net";


            DataLakeServiceClient dataLakeServiceClient = new DataLakeServiceClient(new Uri(dfsUri), credential);
            string adls_fsys_name = "";
            DataLakeFileSystemClient fileSystemClient = dataLakeServiceClient.GetFileSystemClient(adls_fsys_name);
            await ListFilesInDirectory(fileSystemClient);
            log.LogInformation($"C# ServiceBus topic trigger function processed message: {mySbMsg}");
        }

        public async Task ListFilesInDirectory(DataLakeFileSystemClient fileSystemClient)
        {
            string adls_dir_name = "";
            IAsyncEnumerator<PathItem> enumerator =
                fileSystemClient.GetPathsAsync(adls_dir_name).GetAsyncEnumerator();

            await enumerator.MoveNextAsync();

            PathItem item = enumerator.Current;

            while (item != null)
            {
                Console.WriteLine(item.Name);

                if (!await enumerator.MoveNextAsync())
                {
                    break;
                }

                item = enumerator.Current;
            }

        }
    }
}

我得到的错误是：

2022-09-08T15:27:19.792 [Error] Executed 'Function1' (Failed, Id=c8d7cc56-f8df-4d51-b9ff-254dbe9d39b6, Duration=1166ms)This request is not authorized to perform this operation using this permission.RequestId:2b1dba4b-501f-00b8-2f97-c3d425000000Time:2022-09-08T15:27:19.7122855ZStatus: 403 (This request is not authorized to perform this operation using this permission.)ErrorCode: AuthorizationPermissionMismatchContent:{"error":{"code":"AuthorizationPermissionMismatch","message":"This request is not authorized to perform this operation using this permission.\nRequestId:2b1dba4b-501f-00b8-2f97-c3d425000000\nTime:2022-09-08T15:27:19.7122855Z"}}Headers:Server: Windows-Azure-HDFS/1.0,Microsoft-HTTPAPI/2.0x-ms-error-code: AuthorizationPermissionMismatchx-ms-request-id: 2b1dba4b-501f-00b8-2f97-c3d425000000x-ms-version: 2021-08-06x-ms-client-request-id: 7bfa87f0-16ab-44e3-b4b3-84a62b1222c8Date: Thu, 08 Sep 2022 15:27:19 GMTContent-Length: 227Content-Type: application/json; charset=utf-8

Answer 1

状态：403（此请求无权使用此权限执行此操作。）错误代码：AuthorizationPermissionMismatchContent:{"error":{"code":"AuthorizationPermissionMismatch","message":"此请求无权执行此操作使用此权限。\nRequestId:2b1dba4b-501f-00b8-2f97-c3d425000000\nTime:2022-09-08T15:27:19.7122855Z"}}

出现上述 403 错误，您可能没有对 azure function 授予适当的权限，并且您可能没有在存储数据湖 Gen 2 帐户中分配角色。

出于服务主体身份验证的目的，您需要在存储帐户中分配角色。

• 存储 Blob 数据参与者 -写入权限
• 存储 Blob 数据读取器 -读取权限

Azure 门户 -> 存储帐户-> 访问控制 (IAM)-> 添加角色分配-> 存储 blob 参与者角色。

检查存储帐户中的防火墙设置：

在网络中，如果您是公开访问，请启用 select 所有网络，或者如果您启用了选定的网络，请添加虚拟网络。

参考： 在 Azure Data Lake Storage Gen2 - Azure 数据工厂和 Azure 中复制和转换数据 微软文档