This script is designed to allow users of ADLS Gen2 to update ACL assignments in a recursive nature (ie. propogate changes down an entire container or directory branch).
The ADLS ACL mechanism is modeled after the POSIX defacto standard. This mechanism propogates default permission assignments from the containing directory to a newly created object (file or sub-directory) at creation time and thereafter no relationship exists. As a consequence, large-scale changes are difficult to apply, especially as these changes often align to directory structures. The published best practices for management of ACLs; https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-best-practices#use-security-groups-versus-individual-users mitigate this situation by leveraging application of security groups rather than individual users or service principals. However, this approach does not address all requirements for ACL management and therefore this script can be used to make broader changes than can be handled by adjusting group membership.
- The script is written in PowerShell and requires PowerShell >= 5.1.
- A provisioned AAD Service Principal that has been assigned Storage Blob Data Owner role on the target account or container.
- A working understanding of how ACLs are applied and their effect in ADLS Gen2 as described here; https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control
The script has two modes for applying ACL modifications:
- Absolute ACL replacement - this mode will update the ACL of every file or directory to match the ACL string specified in the
$absoluteAcl
variable. - Merge a single Acess Control Entry (ACE) into the existing ACL for an object - this mode will merge the specified principal/permissions tuple (specified via the
$mergePrincipal
,$mergeType
and$mergePerms
variables) into the existing ACL of every file and directory.
Note that when specifying user identities in the ACL, you may specify either the user's User Principal Name (UPN) (eg. [email protected]) or the user's Object ID (OID) (a guid value). When specifying a Service Principal or a Security Group, only the OID may be used.
- Open the PowerShell script recursive-acl-assignment.ps1 in a text editor
- Update the
$clientId
,$clientSecret
and$tenant
variables with the details of the Service Principal as specified in dependency 2. above. All calls to ADLS made by the script will be authenticated using these details. - Update the
$accountName
and$container
with the details of the ADLS account that you wish to update. Optionally, you can update the$rootDir
variable with the path to the directory where you wish to start the update. If you specify a root directory, only files and sub-directories contained below that directory will be processed. If you wish to update the entire container, leave this variable$null
. - If you intend to use absolute update mode, update the
$absoluteAcl
variable with the complete ACL string that you wish to apply to every object. The format of this string is defined in thex-ms-acl
header here; https://docs.microsoft.com/rest/api/storageservices/datalakestoragegen2/path/update. This ACL string must also includedefault
permissions that will be applied to sub-directories. You can optionally include amask
value as well. Additionally, you must assign$mergePrincipal = $null
to specify that you wish to apply an absolute ACL. An example of this string is:
user::rwx,default:user::rwx,group::r-x,default:group::r-x,other::---,default:other::---,mask::rwx,default:mask::rwx,user:[email protected]:rwx,default:user:[email protected]:rwx,group:5117a2b0-f09b-44e9-b92a-fa91a95d5c28:r-x,default:group:5117a2b0-f09b-44e9-b92a-fa91a95d5c28:r-x
- If you wish to merge (or optionally remove) a single ACE into the existing ACL for each object, update the
$mergePrincipal
,$mergeType
and$mergePerms
variables to reflect the values of the ACE you wish to merge. Optionally, assign$removeEntry = $true
to remove any entry containing$mergePrincipal
and$mergeType
from the ACL. - Save the file.
- Invoke the script with the following command-line:
powershell -ExecutionPolicy Bypass -File recursive-acl-assignment.ps1
- Monitor the script's progress and any errors that are raised.