Azure Data Lake Storage (Gen2) : Exploring AAD B2B & ACL hardening

Introduction

In the summer of 2018, the 2nd generation of the Azure Data Lake Storage was announced.  In today’s post, we’ll delve into the authentication & authorization part of this service. We’re going to see how we can leverage AAD to tighten security around our Data Lake.

 

Use Case

To help us in this storyline, we’ll be looking to solve the following use case. A customer has stored a lot of data on its Data Lake, and is looking to provide a “partner” access to a subset of the data. In this use case, what would we need to to to achieve this goal?

 

Azure Data Lake Storage : Access Control Model

The first part of our puzzle is looking at the “Access Control Model“… In essence there are four ways to provide access to the data lake ;

  • Shared Key ; The caller effectively gains ‘super-user’ access, meaning full access to all operations on all resources, including setting owner and changing ACLs
  • SAS Tokens ; The token includes the allowed permissions as part of the token. The permissions included in the SAS token are effectively applied to all authorization decisions, but no additional ACL checks are performed.
  • Azure RBAC ; Azure Role-based Access Control (RBAC) uses role assignments to effectively apply sets of permissions to users, groups, and service principals for Azure resources. Typically, those Azure resources are constrained to top-level resources (e.g., Azure Storage accounts). In the case of Azure Storage, and consequently Azure Data Lake Storage Gen2, this mechanism has been extended to the file system resource.
  • ACL ; And last, but not least, we have the access control list we can apply at a more fine-grained level.

Continue reading “Azure Data Lake Storage (Gen2) : Exploring AAD B2B & ACL hardening”