Open sshah90 opened 3 years ago
storage
Same here !!
@sshah90 you only need to specify one group in acl.
@Juliehzl still getting the same error
May I know the acl string you are using?
`az storage fs access set-recursive --acl "group:xxxx-b54c-xxxx-acd1-xxxx:rwx" -p /test -f test --account-name xxxx --account-key xxx`
@Juliehzl I am using the above command
Have you ever set acl in the path? You could check current acl status with `az storage fs access show`. If you want to change the permission for existing group, please use `az storage fs access update-recursive`.
In the past I have used `az storage fs access set` on the root directory but never used `set-recursive`. (I ran `az storage fs access show` but didn't see my groups.)
Though after running `update-recursive` I can see groups at directory permission.
I still suspect some issue with `set-recursive`, or maybe the error message needs to be a little more verbose.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.
Author: | sshah90 |
---|---|
Assignees: | Juliehzl |
Labels: | `OKR3.2 Candidate`, `Service Attention`, `Storage`, `feature-request` |
Milestone: | S184 |
Facing the same kind of issue; below is the part of the pipeline where I am trying to update the ACL as per the user input parameter values. For the tasks setting default and access policies, I have the issue.
Here my requirement is that we have many existing big filesystems which are already assigned some default and access policies. Now we need to timely update the existing permission of the ACL for the security principal, or need to add a new security principal, which won't affect the existing ACL.
So from what I read in the docs, if we have to set a permission for a subdirectory called s3 and its contents, we have to give execute permission to each of the users for the path itself, e.g. storageaccount/fs/s1/s2/s3.
When I tried the `update-recursive` command, it works for me, but most of the time it times out, as the directories are large and the access is granted recursively.
So I tried another way of updating the permissions only for the path mentioned. For example, for each user I am inputting, I require rwx permission inside the s3 subdirectory:
1) first it should set access default "execute" permission for those users to traverse to the location storageaccount/fs/s1/s2/s3
2) set the input permission given (rwx) for the user for the s3 subdirectory.
When I tried the `set --permission` command, I couldn't make the task successful in updating the permissions.
```yaml
- stage: Create_ACL
  displayName: 'Create the Given ACL'
  variables:
    - name: directory
      value: ${{ parameters.subdirectory }}
  jobs:
    - deployment: Create_ACL
      environment: myenv
      displayName: "Creating ACL"
      strategy:
        runOnce:
          deploy:
            steps:
              - ${{ each user in parameters.userslist }}:
                  - task: AzureCLI@2
                    displayName: 'setting Default ACL for Execution permission for ${{ user }}'
                    inputs:
                      azureSubscription: 'mysubs'
                      scriptType: 'bash'
                      scriptLocation: 'inlineScript'
                      inlineScript: |
                        acl=default:user:${{ user }}:--x
                        az storage fs access set --permission=$acl -p / -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
                  - task: AzureCLI@2
                    displayName: 'setting Access ACL for Execution permission for ${{ user }}'
                    inputs:
                      azureSubscription: 'mysubs'
                      scriptType: 'bash'
                      scriptLocation: 'inlineScript'
                      inlineScript: |
                        acl=user:${{ user }}:--x
                        az storage fs access set --permission=$acl -p / -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
                  - task: AzureCLI@2
                    displayName: 'setting Default permission for the given fs or Subdirectory for user ${{ user }}'
                    inputs:
                      azureSubscription: 'mysubs'
                      scriptType: 'bash'
                      scriptLocation: 'inlineScript'
                      ${{ if ne(parameters.subdirectory, ' ') }}:
                        inlineScript: |
                          acl=default:user:${{ user }}:${{parameters.permission}}
                          az storage fs access update-recursive --acl=$acl -p $(directory) -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
                      ${{ if eq(parameters.subdirectory, ' ') }}:
                        inlineScript: |
                          acl=default:user:${{ user }}:${{parameters.permission}}
                          az storage fs access update-recursive --acl=$acl -p / -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
                  - task: AzureCLI@2
                    displayName: 'setting Access permission for the given fs or Subdirectory for user ${{ user }}'
                    inputs:
                      azureSubscription: 'mysubs'
                      scriptType: 'bash'
                      scriptLocation: 'inlineScript'
                      ${{ if ne(parameters.subdirectory, ' ') }}:
                        inlineScript: |
                          acl=user:${{ user }}:${{parameters.permission}}
                          az storage fs access update-recursive --acl=$acl -p $(directory) -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
                      ${{ if eq(parameters.subdirectory, ' ') }}:
                        inlineScript: |
                          acl=user:${{ user }}:${{parameters.permission}}
                          az storage fs access update-recursive --acl=$acl -p / -f ${{parameters.fsname}} --account-name ${{parameters.storagename}} --auth-mode login
```
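An added example, not code from the thread or from the Azure CLI project: `az storage fs access set --acl` replaces the whole ACL on a path, so a non-recursive update has to read the current ACL, merge one entry, and write it back. The sketch below does that for the layout described in the comment above (`--x` on each ancestor, the requested permission on the target directory only); the function names and the file system, account and object ID arguments are placeholders chosen for illustration.

```sh
# Added example, not from the thread. IDs, file system and account are placeholders.
# union_perms A B -> rwx triplet holding every bit set in A or B.
union_perms() (
  for bit in r w x; do
    case $1$2 in *"$bit"*) printf %s "$bit" ;; *) printf %s - ;; esac
  done
)
# merge_acl CURRENT ENTRY [keep] -> ENTRY replaces the entry with the same
# [default:]type:id key, or is appended. With "keep" an existing entry only
# gains bits, so --x on a parent never strips r or w already granted.
merge_acl() (
  entry=$2; key=${entry%:*}; new=${entry##*:}; out=; found=0
  IFS=,; set -f
  for e in $1; do
    if [ "${e%:*}" = "$key" ]; then
      if [ "${3:-}" = keep ]; then new=$(union_perms "${e##*:}" "$new"); fi
      e=$key:$new; found=1
    fi
    out=${out:+$out,}$e
  done
  if [ "$found" -eq 0 ]; then out=${out:+$out,}$entry; fi
  printf '%s\n' "$out"
)

# parent_dirs PATH -> "/" and every ancestor directory of PATH, one per line.
parent_dirs() (
  path=${1#/}; path=${path%/}; acc=; echo /
  IFS=/; set -f
  for seg in $path; do
    if [ -n "$acc" ]; then printf '%s\n' "$acc"; fi
    acc=${acc:+$acc/}$seg
  done
)

# set_entry FS ACCOUNT PATH ENTRY [keep]: read, merge, write back; one path only.
set_entry() {
  cur=$(az storage fs access show -p "$3" -f "$1" --account-name "$2" \
    --auth-mode login --query acl -o tsv </dev/null) || return 1
  az storage fs access set --acl "$(merge_acl "$cur" "$4" "${5:-}")" -p "$3" \
    -f "$1" --account-name "$2" --auth-mode login </dev/null
}

# grant FS ACCOUNT PATH OBJECT_ID PERMS: --x on ancestors, PERMS on PATH itself.
grant() {
  parent_dirs "$3" | while IFS= read -r dir; do
    set_entry "$1" "$2" "$dir" "user:$4:--x" keep || exit 1
  done || return 1
  set_entry "$1" "$2" "$3" "user:$4:$5" &&
    set_entry "$1" "$2" "$3" "default:user:$4:$5"
}
```

A call such as `grant <file-system> <account> s1/s2/s3 <object-id> rwx` issues one show/set pair per ancestor plus two for the target, so the number of requests depends on path depth rather than on how many items sit under the directory.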
Describe the bug
I am trying to give acl permission at root level directory and all child members by following this doc.
Command Name
`az storage fs access set-recursive`
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
`az storage fs access set-recursive --acl {} -p {} -f {} --account-name {} --account-key {}`
I am running the following command
`az storage fs access set-recursive --acl "group:xxxxxx:rwx,group:xxxxx:r-x" -p / -f test --account-name xxxxx --account-key xxxx`
Expected Behavior
The command should grant access to the given AD group to the directory and all child members.
Environment Summary
Additional Context
NA