az storage fs access set not working correctly #6387

Closed
zylberl opened this issue Jun 9, 2023 · 5 comments

zylberl commented Jun 9, 2023

Describe the bug

I am trying to modify the ACLs of a specific folder in an ADLS.

The authentication that I'm using is my account that has Blob Data Contributor access into that ADLS.

I used this az cli command:
"az storage fs access update-recursive --acl "user:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:rwx" -p my-parent-directory/ -f my-container --account-name mystorageaccount --auth-mode login"
However, I get the error: "You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Contributor", "Storage Blob Data Reader", "Storage Queue Data Contributor", "Storage Queue Data Reader". If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value."

I tried to do the same using the Microsoft Azure Storage Explorer and it was successfully modified.

Related command

az storage fs access update-recursive --acl "user:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:rwx" -p my-parent-directory/ -f my-container --account-name mystorageaccount --auth-mode login

Errors

You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Contributor", "Storage Blob Data Reader", "Storage Queue Data Contributor", "Storage Queue Data Reader". If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

Issue script & Debug output

zylberl@H5CG13243J7:~$ az storage fs access update-recursive --file-system lab --path xops/project/xops-playground --account-name edlxops --auth-mode login --acl "group:a3dd4703-b57d-42ad-9a93-36fe60ec4055:rwx" --debug
cli.knack.cli: Command arguments: ['storage', 'fs', 'access', 'update-recursive', '--file-system', 'lab', '--path', 'xops/project/xops-playground', '--account-name', 'edlxops', '--auth-mode', 'login', '--acl', 'group:a3dd4703-b57d-42ad-9a93-36fe60ec4055:rwx', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f01792fe9d0>, <function OutputProducer.on_global_arguments at 0x7f01791eb3a0>, <function CLIQuery.on_global_arguments at 0x7f01791829d0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'storage': ['azure.cli.command_modules.storage']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: storage 0.054 57 269
cli.azure.cli.core: Total (1) 0.054 57 269
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 57 groups, 269 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : storage fs access update-recursive
cli.azure.cli.core: Command table: storage fs access update-recursive
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f017872ed30>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/zylberl/.azure/commands/2023-06-09.16-37-44.storage_fs_access_update-recursive.131.log'.
az_command_data_logger: command args: storage fs access update-recursive --file-system {} --path {} --account-name {} --auth-mode {} --acl {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f01786d5940>]
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.11) or chardet (3.0.4) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/profiles/_shared.py", line 635, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'ActiveDirectoryPropertiesAccountType'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/profiles/_shared.py", line 635, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'ListKeyExpand'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/profiles/_shared.py", line 635, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'CorsRuleAllowedMethodsItem'

cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f01786c11f0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f01786c1310>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f01791eb430>, <function CLIQuery.handle_query_parameter at 0x7f0179182a60>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f01786c1280>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/zylberl/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/zylberl/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/ecaa386b-c8df-4ce0-ad01-740cbdb5ba55/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://storage.azure.com/.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://storage.azure.com/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: ff3c436f-8469-4f0e-abff-32d9a9842b56
urllib3.connectionpool: Starting new HTTPS connection (1): edlxops.dfs.core.windows.net:443
urllib3.connectionpool: https://edlxops.dfs.core.windows.net:443 "PATCH /lab/xops%2Fproject%2Fxops-playground?action=setAccessControlRecursive&mode=modify HTTP/1.1" 403 227
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "/home/zylberl/.local/lib/python3.8/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
raise ex
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_job
return cmd_copy.exception_handler(ex)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/command_modules/storage/__init__.py", line 411, in new_handler
first(ex)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/command_modules/storage/__init__.py", line 410, in new_handler
raise ex
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
result = cmd_copy(params)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
return self.handler(*args, **kwargs)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/cli/command_modules/storage/operations/fs_directory.py", line 82, in update_access_control_recursive
result = client.update_access_control_recursive(acl=acl, progress_hook=progress_callback, **kwargs)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/multiapi/storagev2/filedatalake/v2021_08_06/_path_client.py", line 603, in update_access_control_recursive
return self._set_access_control_internal(options=options, progress_hook=progress_hook,
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/multiapi/storagev2/filedatalake/v2021_08_06/_path_client.py", line 713, in _set_access_control_internal
process_storage_error(error)
File "/home/zylberl/.local/lib/python3.8/site-packages/azure/multiapi/storagev2/filedatalake/v2021_08_06/_deserialize.py", line 215, in process_storage_error
exec("raise error from None") # pylint: disable=exec-used # nosec
File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

Expected behavior

I expected RWX access to be granted to the group indicated in the command on the indicated folder and its children.

Environment Summary

/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.11) or chardet (3.0.4) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
azure-cli 2.44.1 *

core 2.44.1 *
telemetry 1.0.8

Extensions:
azure-devops 0.25.0

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Python location '/usr/bin/python3'
Extensions directory '/home/zylberl/.azure/cliextensions'

Python (Linux) 3.8.10 (default, Jun 22 2022, 20:18:18)
[GCC 9.4.0]

Legal docs and information: aka.ms/AzureCliLegal

You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'

Additional context

No response

@zylberl zylberl added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jun 9, 2023
yonzhan (Collaborator) commented Jun 9, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. Storage labels Jun 9, 2023
@ghost ghost added this to the Backlog milestone Jun 9, 2023
@ghost ghost assigned evelyn-ys Jun 9, 2023
@ghost ghost added Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team labels Jun 9, 2023
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jun 10, 2023
zylberl (Author) commented Jun 21, 2023

Hello, is there any estimation on when this is going to be analyzed?
Thanks in advance

calvinhzy (Member) commented

To set access for fs with --auth-mode login, the logged-in user needs to either have role [Storage Blob Data Owner](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-owner) or role [Storage Blob Data Contributor] and be the owner of the container.
Please give it another try with this permission.
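
Added example (not part of the thread and not Azure CLI's own code): a preflight that applies the rule stated in the answer above before an ACL change is attempted with `--auth-mode login`. The function names and sample IDs are hypothetical, and reading container ownership from the owner of the root path `/` is an assumption.

```shell
#!/usr/bin/env bash
# Preflight for `az storage fs access set` / `update-recursive` with --auth-mode login.
# Rule (from the answer above): Storage Blob Data Owner, or Storage Blob Data
# Contributor plus ownership of the container.

# Pure decision function (hypothetical name).
#   $1 = role names held at the scope, one per line
#   $2 = caller object id   $3 = owning user of the container
acl_change_allowed() {
  local roles=$1 caller=$2 owner=$3
  if printf '%s\n' "$roles" | grep -Fxq 'Storage Blob Data Owner'; then
    echo "allowed: Storage Blob Data Owner"; return 0
  fi
  if printf '%s\n' "$roles" | grep -Fxq 'Storage Blob Data Contributor'; then
    if [ -n "$caller" ] && [ "$caller" = "$owner" ]; then
      echo "allowed: Storage Blob Data Contributor and container owner"; return 0
    fi
    echo "denied: Storage Blob Data Contributor but not container owner"; return 1
  fi
  echo "denied: no qualifying data-plane role"; return 1
}

# Live wrapper (hypothetical name); requires `az login`. Defined only, not run here.
#   $1 = storage account name   $2 = file system   $3 = ARM scope of the account
preflight_acl_change() {
  local account=$1 fs=$2 scope=$3 caller roles owner
  caller=$(az ad signed-in-user show --query id -o tsv) || return 2
  # Include inherited and group-based assignments so the check reflects
  # everything that applies to the caller at this scope.
  roles=$(az role assignment list --assignee "$caller" --scope "$scope" \
            --include-inherited --include-groups \
            --query '[].roleDefinitionName' -o tsv) || return 2
  # Assumption: "owner of the container" is the owning user of the root path.
  owner=$(az storage fs access show --file-system "$fs" --path / \
            --account-name "$account" --auth-mode login \
            --query owner -o tsv) || return 2
  acl_change_allowed "$roles" "$caller" "$owner"
}

# Constructed sample mirroring the thread: Contributor only, not the owner.
acl_change_allowed "Storage Blob Data Contributor" \
  "constructed-caller-oid" "constructed-owner-oid" || true
```

A denied result from the preflight corresponds to the 403 on `setAccessControlRecursive` shown in the debug output.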

zylberl (Author) commented Jun 28, 2023

I changed the role to "Storage Blob Data Owner" and it worked.
Many thanks!

zylberl (Author) commented Jun 28, 2023

I close this issue

@zylberl zylberl closed this as completed Jun 28, 2023
@yonzhan yonzhan added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that and removed bug This issue requires a change to an existing behavior in the product in order to be resolved. labels Aug 8, 2023