Illustrated Example of Applying ACLs Recursively with Storage Explorer
Scenario:
The Propagate Access Control Lists option is now available in Storage Explorer 1.28.1 or later versions. It is a convenient feature to apply ACL entries recursively on the existing child items of a parent directory without having to make these changes individually for each child item.
Objective:
To demonstrate how ACL propagation works with the Propagate Access Control Lists option in Storage Explorer 1.28.1+.
Pre-requisites:
For this example, you need:
- An Azure Data Lake Storage.
- Storage Explorer 1.28.1 or later versions.
Storage File Structure:
How to Propagate ACLs:
To apply ACL entries recursively, open Storage Explorer, right-click the container or a parent directory, and then select Propagate Access Control Lists.
Example:
| Action | propagate-acl-test (root) | a01 | a02 | b01 | b02 | c01 | c02 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Initial state | default permission | default permission | default permission | default permission | default permission | default permission | default permission |
| Add read access for Others for root | Read access enabled for Others | (same as above) | (same as above) | (same as above) | (same as above) | (same as above) | (same as above) |
| Propagate root | (same as above) | Read access enabled for Others | Read access enabled for Others | Read access enabled for Others | Read access enabled for Others | Read access enabled for Others | Read access enabled for Others |
| Add execute access for Others for a01 | (same as above) | Execute access enabled for Others | (same as above) | (same as above) | (same as above) | (same as above) | (same as above) |
| Propagate a01 | (same as above) | (same as above) | (same as above) | Execute access enabled for Others | Execute access enabled for Others | (same as above) | (same as above) |
| Add Charles and give him read/execute access for root | Read access enabled for Others, Charles has read/execute access | (same as above) | (same as above) | (same as above) | (same as above) | (same as above) | (same as above) |
| Propagate root | (same as above) | Read access enabled for Others, Charles has read/execute access | Read access enabled for Others, Charles has read/execute access | Read access enabled for Others, Charles has read/execute access | Read access enabled for Others, Charles has read/execute access | Read access enabled for Others, Charles has read/execute access | Read access enabled for Others, Charles has read/execute access |
Conclusion:
This example shows how to propagate ACLs with Storage Explorer 1.28.1. The propagate-acl-test is a container with two levels of directories. I made various modifications (highlighted in BLUE) to the ACLs and clicked the Propagate Access Control Lists button in Storage Explorer to test ACL propagation. The results are summarized in the previous table. You can tell that the "Propagate ACL" option overwrites existing ACLs down the directory tree (highlighted in RED) with the parent ACL settings (highlighted in GREEN).
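The overwrite behaviour summarized above can be replayed in a small in-memory model that also previews which child ACL entries a propagation would replace. This is an added example, not part of the original post and not Storage Explorer code. It assumes the tree layout implied by the table (a01 holds b01/b02, a02 holds c01/c02) and that "add execute" keeps the read permission already present.

```python
import copy

# Tree layout assumed from the table's results: a01 holds b01/b02, a02 holds c01/c02.
CHILDREN = {"root": ["a01", "a02"], "a01": ["b01", "b02"], "a02": ["c01", "c02"]}

def descendants(node):
    """Yield every item below `node`, depth first."""
    for child in CHILDREN.get(node, []):
        yield child
        yield from descendants(child)

def preview_propagate(acls, parent):
    """Dry run: child ACL entries that differ from the parent's and would be overwritten."""
    at_risk = {}
    for item in descendants(parent):
        diff = {who: perms for who, perms in acls[item].items()
                if acls[parent].get(who) != perms}
        if diff:
            at_risk[item] = diff
    return at_risk

def propagate(acls, parent):
    """Replace each descendant's ACL with a copy of the parent's (the overwrite the table shows)."""
    for item in descendants(parent):
        acls[item] = copy.deepcopy(acls[parent])

def replay_table():
    """Replay the table's steps on constructed ACLs; return snapshots keyed by step name."""
    acls = {n: {"other": set()} for n in ["root", *descendants("root")]}  # default permission
    snaps = {}
    acls["root"]["other"].add("r")               # Add read access for Others for root
    propagate(acls, "root")                      # Propagate root
    acls["a01"]["other"].add("x")                # Add execute access for Others for a01
    propagate(acls, "a01")                       # Propagate a01
    snaps["after_a01"] = copy.deepcopy(acls)
    acls["root"]["charles"] = {"r", "x"}         # Add Charles with read/execute on root
    snaps["at_risk"] = preview_propagate(acls, "root")
    propagate(acls, "root")                      # Propagate root
    snaps["final"] = acls
    return snaps

if __name__ == "__main__":
    result = replay_table()
    for item, entries in sorted(result["at_risk"].items()):
        print(f"{item}: entries that the final propagation overwrites: {entries}")
```

The preview step lists a01, b01 and b02, the items whose Others entry differs from the root's just before the last propagation.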
References:
- https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-explorer-acl#apply-acls-recursively
- https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#does-data-lake-storage-gen2-support-inheritance-of-acls
- https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-cli (you may also use Azure CLI)
- https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-powershell (you may also use Azure PowerShell)