Description

Trying to authenticate with a service principal in the code. The service principal has already been given the Owner IAM role of the ADLS Gen1 storage, and it also has RWX permission on the folder/files. But it still fails to remove the ACL entries with the remove_acl_entries() function:
```
Traceback (most recent call last):
  File "C:\Users\xinrantao\PycharmProjects\pythonProject\acl_remove_test.py", line 42, in <module>
    main()
  File "C:\Users\xinrantao\PycharmProjects\pythonProject\acl_remove_test.py", line 38, in main
    adl.remove_acl_entries("/testfolder1", "user:518b91c4-a815-409d-8915-ad6249f5095d", recursive=False, number_of_sub_process=None)
  File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\core.py", line 534, in remove_acl_entries
    self._acl_call('REMOVEACLENTRIES', path, acl_spec, invalidate_cache=True)
  File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\core.py", line 459, in _acl_call
    to_return = self.azure.call(action, posix_path, **parms)
  File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\lib.py", line 450, in call
    self.log_response_and_raise(response, PermissionError(path), level=exception_log_level)
  File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\lib.py", line 358, in log_response_and_raise
    raise exception
PermissionError: testfolder1
```
Reproduction Steps

- Create the service principal and give it the Owner IAM role of the ADLS Gen1 storage:
- It has RWX permission on the folder whose ACL entries need to be removed:
- Use the service principal for authentication and try to remove the ACL entries of this folder for one of the users:
```python
import azure.datalake.store
from azure.datalake.store import lib, core


def authenticate():
    RESOURCE = "https://datalake.azure.net/"
    tenant = "72f988bf-86f1-41af-91ab-2d7cd011db47"
    client_id = "a8e33ec1-afae-4bfa-8a00-1de7b1f74a5f"
    client_secret = "xxxxxxxxxxxxxxxxx"
    adlCreds = lib.auth(tenant_id=tenant,
                        client_secret=client_secret,
                        client_id=client_id,
                        resource=RESOURCE)
    adl = core.AzureDLFileSystem(adlCreds, store_name="xinranadlgen1")
    return adl


def remove(adl, path, acl_spec):
    # the filesystem object is passed in explicitly; the original referenced an undefined global `adl`
    adl.remove_acl_entries(path, acl_spec, recursive=True, number_of_sub_process=None)


def version_check():
    datalake_store_version = azure.datalake.store.__version__
    print("Azure Data Lake Store Version:", datalake_store_version)


def main():
    version_check()
    adl = authenticate()
    print("check before the removal:\n ******************\n", adl.get_acl_status("/testfolder1"))
    print("\n ******************\n try with recursive=False: ")
    adl.remove_acl_entries("/testfolder1", "user:518b91c4-a815-409d-8915-ad6249f5095d", recursive=False, number_of_sub_process=None)


if __name__ == "__main__":
    main()
```
- It's interesting to find that if the service principal is made the owner of this specific folder, then it seems to work.

Could you help check what the minimum permission needed for this action is? Is being the owner of the folder/file necessary?
If it is necessary, how can ownership of all the folders/files be granted in a quick way? Currently it relies on the service principal as authentication to remove all the ACL entries automatically. Thanks!
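An added example (not code from the issue author or from the azure-datalake-store SDK) of a pre-flight check a practitioner would wrap around remove_acl_entries(): it parses the entries returned by get_acl_status(), reports whether the caller owns the path (the condition the report found made removal succeed), skips the service call when none of the listed entries exist, and attaches the ownership facts to the PermissionError instead of leaving only "PermissionError: testfolder1". It assumes get_acl_status() returns the WebHDFS-style AclStatus dict (keys owner, group, permission, stickyBit, entries) and that the caller knows the service principal's object id; FakeAdl, the object ids and the ACL entries are constructed so the example runs offline.

```python
"""Pre-flight check before calling remove_acl_entries() on ADLS Gen1.

Added example, not part of the original issue or of the azure-datalake-store SDK.
Assumptions (labelled): get_acl_status() returns the WebHDFS-style AclStatus dict
("owner", "group", "permission", "stickyBit", "entries" as "user:<oid>:rwx" strings),
and the caller knows the object id of the authenticated service principal.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    scope: str       # "access" or "default"
    kind: str        # "user", "group", "other" or "mask"
    principal: str   # object id; "" for the owner/owning-group/other/mask entries
    perms: str       # "rwx"-style string; "" in a removal spec


def parse_acl_entry(text):
    """Parse "user:<oid>:rwx", "default:user:<oid>:r-x" or the removal form "user:<oid>"."""
    parts = text.strip().split(":")
    scope = "access"
    if parts[0] == "default":
        scope, parts = "default", parts[1:]
    if len(parts) == 2:                     # removal spec: no permission field
        kind, principal, perms = parts[0], parts[1], ""
    elif len(parts) == 3:
        kind, principal, perms = parts
    else:
        raise ValueError(f"malformed ACL entry: {text!r}")
    if kind not in ("user", "group", "other", "mask"):
        raise ValueError(f"unknown ACL entry type: {kind!r}")
    return AclEntry(scope, kind, principal, perms)


def parse_acl_spec(spec):
    """Split the SDK's comma-separated acl_spec argument into entries."""
    return [parse_acl_entry(e) for e in spec.split(",") if e.strip()]


def _key(entry):
    return (entry.scope, entry.kind, entry.principal)


@dataclass
class Diagnosis:
    is_owner: bool
    present: list = field(default_factory=list)   # spec entries that exist on the path
    missing: list = field(default_factory=list)   # spec entries that do not
    notes: list = field(default_factory=list)


def diagnose_removal(acl_status, principal_oid, acl_spec):
    """Compare a removal spec with the path's current ACL and the caller's ownership."""
    current = {_key(parse_acl_entry(e)) for e in acl_status.get("entries", [])}
    diag = Diagnosis(is_owner=(acl_status.get("owner") == principal_oid))
    for wanted in parse_acl_spec(acl_spec):
        if wanted.perms:
            diag.notes.append(f"{wanted} carries permissions; a removal spec lists entries without them")
        (diag.present if _key(wanted) in current else diag.missing).append(wanted)
    if not diag.is_owner:
        diag.notes.append(f"caller {principal_oid} does not own the path (owner is {acl_status.get('owner')}); "
                          "the report observed removal succeeding only for the folder owner")
    return diag


def checked_remove(adl, path, acl_spec, principal_oid, recursive=False):
    """Diagnose first; skip the service call when no listed entry exists, and
    attach the ownership facts to a PermissionError so the cause is visible."""
    status = adl.get_acl_status(path)
    diag = diagnose_removal(status, principal_oid, acl_spec)
    if not diag.present:
        return diag, False
    try:
        adl.remove_acl_entries(path, acl_spec, recursive=recursive, number_of_sub_process=None)
    except PermissionError as exc:
        raise PermissionError(f"{exc}: owner={status.get('owner')} caller={principal_oid} "
                              f"is_owner={diag.is_owner}") from exc
    return diag, True


class FakeAdl:
    """Constructed stand-in for core.AzureDLFileSystem so the example runs offline.
    It models the behaviour the report observed: removal works only for the owner."""
    def __init__(self, owner, entries, caller_oid):
        self._status = {"owner": owner, "group": owner, "permission": "770",
                        "stickyBit": False, "entries": list(entries)}
        self._caller = caller_oid

    def get_acl_status(self, path):
        return dict(self._status, entries=list(self._status["entries"]))

    def remove_acl_entries(self, path, acl_spec, recursive=False, number_of_sub_process=None):
        if self._caller != self._status["owner"]:
            raise PermissionError(path.strip("/"))
        drop = {_key(e) for e in parse_acl_spec(acl_spec)}
        self._status["entries"] = [e for e in self._status["entries"] if _key(parse_acl_entry(e)) not in drop]


# Constructed sample data: the object ids are placeholders, not real identities.
OWNER_OID = "owner-oid-constructed"
SP_OID = "service-principal-oid-constructed"
TARGET_OID = "target-user-oid-constructed"
ENTRIES = ["user::rwx", f"user:{SP_OID}:rwx", f"user:{TARGET_OID}:rwx", "group::r-x", "mask::rwx", "other::---"]


def demo():
    """Return (error text from the non-owner run, entries left after the owner run)."""
    try:
        checked_remove(FakeAdl(OWNER_OID, ENTRIES, SP_OID), "/testfolder1", f"user:{TARGET_OID}", SP_OID)
        error = None
    except PermissionError as exc:
        error = str(exc)
    as_owner = FakeAdl(OWNER_OID, ENTRIES, OWNER_OID)
    checked_remove(as_owner, "/testfolder1", f"user:{TARGET_OID}", OWNER_OID)
    return error, as_owner.get_acl_status("/testfolder1")["entries"]


if __name__ == "__main__":
    print(demo())
```

Against a real store, replace FakeAdl with the core.AzureDLFileSystem object from the script above and pass the service principal's object id (not its application/client id) as principal_oid; the Diagnosis notes then say before the call whether the principal owns the path and whether the entry to remove is actually present.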
Environment summary

- SDK Version (pip show azure-datalake-store): 0.0.53
- Python Version: Python 3.9, 64-bit
- OS Version: Windows 11
- Shell Type: PyCharm