Tuesday, March 24, 2026

The following sample script shows how to set POSIX ACLs on a container and its folders in Azure Data Lake Storage Gen2, so that Entra ID groups whose members hold only the Reader role on the control plane (which by itself grants no data access) can be granted data-plane access at a fine-grained level. Note that the script itself authenticates with the storage account key, a credential that bypasses ACLs entirely: it must be run by an administrator, and the key must be handled as a secret rather than placed on the command line where it is visible to `ps` and shell history.

Script begins:

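#!/usr/bin/env bash
#
# Apply POSIX ACLs to an Azure Data Lake Storage Gen2 container and its
# "domestic" and "global" folders so that Entra ID groups can be granted
# data-plane access independently of their control-plane RBAC roles.
#
# Usage:
#   script SUBSCRIPTION ACCOUNT_KEY ACCOUNT_NAME CONTAINER \
#          DOMESTIC_RW DOMESTIC_RO GLOBAL_RO GLOBAL_RW
#
# Positional parameters (bash reads them as $1..$8; the original `%1` form is
# cmd.exe syntax and is a literal string under bash, so the script could never
# have received its arguments):
#   1  subscription id or name, handed to `az account set`
#   2  storage account key; leave empty to fall back to $AZURE_STORAGE_KEY
#   3  storage account name
#   4  container (file system) name, created if missing
#   5  domestic read/write group  - object id (GUID) or display name
#   6  domestic read-only  group  - object id (GUID) or display name
#   7  global   read-only  group  - object id (GUID) or display name
#   8  global   read/write group  - object id (GUID) or display name
#
# Resulting ACLs:
#   /          globalrw, globalro, domesticro: r-x (traverse);
#              domesticrw: rwx, recursive, with a matching default entry
#   /domestic  domesticrw: rwx, domesticro: r-x (recursive + default)
#   /global    globalrw:   rwx, globalro:   r-x (recursive + default)
#
# Security notes:
#   * The account key is a full data-plane credential that bypasses ACLs.
#     Passing it in argv exposes it to `ps` and shell history; prefer
#     `export AZURE_STORAGE_KEY=...` with an empty 2nd argument, or change the
#     `az storage` calls to `--auth-mode login`. The key is never printed here
#     and `set -x` is deliberately not enabled.
#   * A display name that matches zero or several groups aborts the run:
#     Entra group names are not unique, and the original `[0].id` would have
#     silently granted access to whichever group the directory listed first.
#   * In an ACL spec an empty principal ("group::r-x") addresses the OWNING
#     group, so an unresolved or absent id must never reach the spec.
set -euo pipefail

subscriptionid=${1:?subscription id (argument 1) is required}
accountkey=${2:-${AZURE_STORAGE_KEY:-}}
accountname=${3:?storage account name (argument 3) is required}
cradle=${4:?container name (argument 4) is required}
domesticrw=${5:-}
domesticro=${6:-}
globalro=${7:-}
globalrw=${8:-}

if [[ -z "$accountkey" ]]; then
  echo "account key is required: pass it as argument 2 or export AZURE_STORAGE_KEY" >&2
  exit 2
fi

readonly guid_re='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# Credentials shared by every `az storage` call.
storage_args=(--account-name "$accountname" --account-key "$accountkey")

#######################################
# Resolve a group argument to an Entra object id.
# Arguments: $1 - label used in diagnostics (e.g. "domesticro")
#            $2 - GUID, display name, or empty
# Outputs:   the object id on stdout (nothing when $2 is empty);
#            progress messages on stderr
# Returns:   1 when a display name matches zero or several groups
#######################################
resolve_group() {
  local label=$1 value=$2
  local escaped listing
  local -a ids=()

  if [[ -z "$value" || "$value" =~ $guid_re ]]; then
    printf '%s' "$value"
    return 0
  fi

  echo "translating $label=$value" >&2
  # OData escapes a single quote inside a string literal by doubling it, so a
  # display name containing ' cannot alter the filter expression.
  escaped=${value//\'/\'\'}
  listing=$(az ad group list --filter "displayName eq '$escaped'" \
              --query "[].id" --output tsv)
  if [[ -n "$listing" ]]; then
    mapfile -t ids <<<"$listing"
  fi
  if (( ${#ids[@]} != 1 )); then
    echo "$label: expected exactly one group with displayName '$value', found ${#ids[@]}" >&2
    return 1
  fi
  echo "$label=${ids[0]}" >&2
  printf '%s' "${ids[0]}"
}

#######################################
# Print the ACL spec granting a group PERMS on a directory and, through a
# matching default entry, on entries created under it later. The default
# entry is `default:group:` — the original wrote `default:user:` with a group
# id, which never matches a caller and so left new children without the grant.
# Arguments: $1 - group object id (caller guarantees non-empty)
#            $2 - permission triple (rwx / r-x)
#######################################
group_acl() {
  printf 'group:%s:%s,default:group:%s:%s' "$1" "$2" "$1" "$2"
}

#######################################
# Recursively grant a group PERMS on a path inside the container. No-op when
# the id is empty, so an empty principal can never be interpolated.
# Arguments: $1 - path within the container
#            $2 - group object id (may be empty)
#            $3 - permission triple (rwx / r-x)
#######################################
grant_recursive() {
  local path=$1 gid=$2 perms=$3
  [[ -n "$gid" ]] || return 0
  az storage fs access update-recursive --acl "$(group_acl "$gid" "$perms")" \
    -p "$path" -f "$cradle" "${storage_args[@]}"
}

az account set --subscription "$subscriptionid"

# Each assignment aborts the script (set -e) if the lookup is ambiguous.
domesticrw=$(resolve_group domesticrw "$domesticrw")
domesticro=$(resolve_group domesticro "$domesticro")
globalrw=$(resolve_group globalrw "$globalrw")
globalro=$(resolve_group globalro "$globalro")

echo "create container, if not exists"
az storage container create -n "$cradle" "${storage_args[@]}"

echo "container exists, acling..."
# Traverse-only (r-x) entries on the container root for the read-only and
# global groups; only resolved ids are included.
root_entries=()
for principal in "$globalrw" "$globalro" "$domesticro"; do
  if [[ -n "$principal" ]]; then
    root_entries+=("group:$principal:r-x")
  fi
done
if (( ${#root_entries[@]} > 0 )); then
  root_acl=$(IFS=,; printf '%s' "${root_entries[*]}")
  # `access set` REPLACES the root ACL (unlike the `update*` commands, which
  # merge). NOTE(review): the original passed group entries only; the service
  # expects a replacement ACL to also carry the base user::/group::/other::
  # entries — confirm on a scratch container, or switch this to `access update`.
  az storage fs access set --acl "$root_acl" -p "/" -f "$cradle" "${storage_args[@]}"
fi
# NOTE(review): this recurses over the whole container, so domesticrw also
# gains rwx under global/ (and, via the default entry, on anything created
# there later); the folder grants below only add entries. Kept from the
# original — tighten if domestic writers must not write to global/.
grant_recursive "/" "$domesticrw" rwx
echo "container acl'ed."

echo "creating global and domestic folders..."
for folder in domestic global; do
  az storage fs directory create -n "$folder" -f "$cradle" "${storage_args[@]}" --only-show-errors
done

echo "folders exist, acling..."
grant_recursive domestic "$domesticrw" rwx
grant_recursive domestic "$domesticro" r-x
grant_recursive global "$globalrw" rwx
grant_recursive global "$globalro" r-x
echo "folders acl'ed."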

