Security best practices for Azure Data Lake creation


Problem description
Hi,

I am trying to come up with an ARM template for a data lake within the organization. Hopefully there would be just one data lake and then various folder structures beneath to represent the various business areas.

For the time being, I am concentrating on creation of the data lake through an ARM template and later on appropriate folder structures would be made. I have gone through the best practices of Azure Data Lake which talks about creation of security groups as soon as you create the lake.

1. Who should be the owner of the Data Lake? Given that it is enterprise wide, specific application IDs or app-specific groups can't be the owner. I believe the owner is auto-set to the AAD account which creates the data lake, in this case the account which will execute the ARM template. Should there ideally be other owners or roles? Let's take an example.

If my structure is 

/Finance/assets/2018/04/01/SomeFile.avro

Then the service principal for the application writing those AVRO files should be granted Execute permissions on the root of the Data Lake and then read/write permissions on /Finance.

I have tried this way for the Data Capture feature of the Event Hub, and until I granted Execute permissions on the root to Microsoft.EventHubs, it kept giving me an access denied error.

Doesn't that mean that every time we come with an application that needs to write data, it must be granted Execute permissions on the root? And when it is granted Execute on the root, then it will also have the same Execute permissions on the other subject areas, and if those subject areas are huge, then it could potentially take a really long time. Is that a correct observation?

2. Should the security be then defined in the ARM template or be executed as a special add-on script post deployment like a PowerShell script which Microsoft talks about in the best practices document regarding ADL security? 

Right now, I have an ARM template minus the security bit and thus looking for pointers as to how best to go about it.

Thanks in advance.


EDIT: I have gone through Melissa Coates's very detailed and nice blog here https://www.sqlchick.com/entries/2018/3/16/assigning-resource-management-permissions-for-azure-data-lake-store-part-2 

and it does mention that "Typically, automated processes which do need access to the data (discussed in Part 3), don't need any access to the ADLS resource itself", so why is it that the capture for an event hub needs an Execute on the resource (ADL)?

Solution

Hi Saugat,

Please refer to the following doc for security recommendations on Azure Data Lake Storage Gen2:

https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-best-practices#security-considerations

Hope this helps.
