AccessControlException when .Net Client App accessing Azure Data Lake


Question

I have registered the Client App in the AAD Tenant and am using the Client Id and Client secret from there (as what I believe is service-to-service authentication.)

The Data Lake is in a different subscription but belongs to the same Tenant/AAD

The App has Read/Write/Execute permission under 'Owner' and 'Assigned Permissions' for the specific folder (two hierarchies down the root folder) in the datalake. The parent folders up to the root have Execute permissions as mentioned here. The overall level access in 'Access Control (IAM)' for the app is 'Reader'

I get the following error, which I believe means I am able to authenticate but do not have enough permissions to perform the read/write:

Microsoft.Azure.DataLake.Store.AdlsException: Error opening a Read Stream for file something/something/something.txt
Operation: GETFILESTATUS failed with HttpStatus:Forbidden RemoteException: AccessControlException GETFILESTATUS failed with 
error 0x83090aa2 (Forbidden. ACL verification failed. Either the resource does not exist or the user is not authorized to 
perform the requested operation.).
[***][***] JavaClassName: org.apache.hadoop.security.AccessControlException.
Last encountered exception thrown after 1 tries. [Forbidden: AccessControlException]
[ServerRequestId:***]

I fail to understand what other permissions are missing? Do I have to use service principals here? If so, how do I check what the access for my App's service principal is on this data lake. Thanks.

Recommended Answer

The answer is - Yes, you have to use Service Principals.

More information on 'Application vs. Service Principal' is here

Basically Azure uses the Service Principal ID in the background to authorize data access in Data Lake. If you use the Application ID, you will see the same 'Display Name' for your application on the Data Lake Folder's 'Access' blade, and wrongly think you have access.

So make sure to use Service Principal ID and not the Application ID to grant ACL access.
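As an added example (not part of the original question or answer), the following Python script models the two rules this thread turns on: every folder from the root down to the target needs an execute (x) entry for the principal, and the ACL entry must name the service principal's object ID rather than the application (client) ID. The IDs, paths and ACL entries are constructed placeholders; the entry format `user:<id>:rwx` / `mask::rwx` mirrors the `entries` list a GETACLSTATUS call (for example `az dls fs access show`) returns, and `check_access` is a hypothetical helper, not part of any Azure SDK.

```python
"""Check whether a service principal can reach a Data Lake Store Gen1 path.

Added example, not from the original post. It models the ACL rules the
thread relies on: the target needs the requested bits, every ancestor needs
'x', and named entries must carry the service principal's OBJECT ID, not the
application (client) ID. All IDs and ACLs below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed placeholder identifiers (not real Azure IDs).
APP_ID = "11111111-aaaa-4bbb-8ccc-111111111111"        # application (client) ID
SP_OBJECT_ID = "22222222-bbbb-4ccc-8ddd-222222222222"  # service principal object ID

# Constructed ACLs per path, shaped like a GETACLSTATUS 'entries' list.
# The target folder names the application ID by mistake, which is exactly
# the situation the accepted answer describes.
SAMPLE_ACLS: Dict[str, List[str]] = {
    "/": ["user::rwx", "group::r-x", "other::---", "user:" + SP_OBJECT_ID + ":--x", "mask::r-x"],
    "/data": ["user::rwx", "group::r-x", "other::---", "user:" + SP_OBJECT_ID + ":--x", "mask::r-x"],
    "/data/team": ["user::rwx", "group::r-x", "other::---", "user:" + SP_OBJECT_ID + ":--x", "mask::r-x"],
    "/data/team/project": ["user::rwx", "group::r-x", "other::---", "user:" + APP_ID + ":rwx", "mask::rwx"],
}

# The same ACLs with the named entry corrected to the service principal object ID.
FIXED_ACLS: Dict[str, List[str]] = {
    path: [entry.replace(APP_ID, SP_OBJECT_ID) for entry in entries]
    for path, entries in SAMPLE_ACLS.items()
}


def _bits(perm: str) -> Set[str]:
    """'r-x' -> {'r', 'x'}."""
    return {c for c in perm if c in "rwx"}


def named_user_bits(entries: List[str], object_id: str) -> Set[str]:
    """Effective bits for a named user: the named entry ANDed with the mask.

    Default (inherited-on-create) entries do not grant access on the folder
    itself, so they are skipped.
    """
    named = None
    mask = None
    for entry in entries:
        if entry.startswith("default:"):
            continue
        kind, name, perm = entry.split(":")
        if kind == "user" and name == object_id:
            named = _bits(perm)
        elif kind == "mask":
            mask = _bits(perm)
    if named is None:
        return set()
    return named & mask if mask is not None else named


def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b']: every folder that must grant 'x'."""
    parts = [p for p in path.strip("/").split("/") if p]
    result = ["/"]
    for i in range(1, len(parts)):
        result.append("/" + "/".join(parts[:i]))
    return result


def check_access(acls: Dict[str, List[str]], sp_object_id: str, app_id: str,
                 target: str, needed: str = "r") -> Tuple[bool, List[str]]:
    """Return (ok, findings); findings lists each reason access would be denied."""
    findings: List[str] = []
    for parent in ancestors(target):
        if "x" not in named_user_bits(acls.get(parent, []), sp_object_id):
            findings.append(f"{parent}: service principal lacks execute (x); traversal fails here")
    entries = acls.get(target, [])
    have = named_user_bits(entries, sp_object_id)
    missing = set(needed) - have
    if missing:
        findings.append(f"{target}: service principal is missing {''.join(sorted(missing))}")
        # The classic mistake: an entry exists, but it names the application ID.
        if any(e.split(":")[1] == app_id for e in entries if not e.startswith("default:")):
            findings.append(f"{target}: an ACL entry names the application ID {app_id}, "
                            "not the service principal object ID; Data Lake will not match it")
    return (not findings, findings)


if __name__ == "__main__":
    for label, acls in (("as granted", SAMPLE_ACLS), ("after fix", FIXED_ACLS)):
        ok, findings = check_access(acls, SP_OBJECT_ID, APP_ID, "/data/team/project", "rw")
        print(f"{label}: {'OK' if ok else 'DENIED'}")
        for line in findings:
            print("  -", line)
```

Run it against the output of your own ACL listing by replacing the constructed dictionaries: the service principal object ID is the `id`/`objectId` shown for the service principal (not the `appId`), which is what the entry on the folder must carry.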
