Blob data contributor role and chmod

[woutderuiter]

Hi all,

Lately, we have been trying to incorporate blobfuse in a pipeline and we have observed some issues. We gave the service principal the Storage Blob Data Contributor role and reading data works fine. But whenever we want to write a file in a directory we get an input/output error.

Further investigation into the syslog shows that the blobfuse driver issues a chmod call to the API, which is denied with a 403 since we did not assign the Storage Blob Data Owner role. However, we do not really care about the mode of the written file. Is there any option to prevent the blobfuse driver from changing the permissions or do we have to assign the Storage Blob Data Owner role?

Kind regards and thanks in advance for the help,
Wout de Ruiter

[vibhansa-msft]

Are you using a HNS enabled account ?
'chmod' is silently ignored by Blobfuse2 for non-HNS account.
For HNS account it will call SetAccessControl API and if your SPN does not have the auth to perform that it will fail.

[woutderuiter]

Thanks for your reply!
The storage account IS HNS enabled, and the exact problem is that the chmod is not silently ignored but very loudly denied.

Here a quick printout of the error we get

Sep 18 22:44:01 0821-082352-1icss1pb-10-38-9-5 blobfuse2[852]: LOG_ERR [datalake.go (613)]: Datalake::ChangeMod : Failed to change mode of file results/existing_locations/test.html to -rw-r--r-- [-> github.com/Azure/azure-storage-azcopy/v10/azbfs.newStorageError, /home/cloudtest/go/pkg/mod/github.com/!azure/azure-storage-azcopy/v10@v10.19.1-0.20230717101935-ab8ff0a85e48/azbfs/zc_storage_error.go:41#012===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====#012Description=403 This request is not authorized to perform this operation using this permission., Details: (none)#012   PUT https://xxxxxx.dfs.core.windows.net/selfservice-user-data/results/existing_locations/test.html?action=setAccessControl&timeout=901#012   Authorization: xxxxx#012   User-Agent: [Azure-Storage-Fuse/2.1.0 (Ubuntu 22.04.3 LTS) Azure-Storage/0.1 (go1.20.5; linux)]#012   X-Http-Method-Override: [PATCH]#012   X-Ms-Client-Request-Id: [4b618313-d18c-4d2a-715f-c9fc590e861c]#012   X-Ms-Group: []#012   X-Ms-Owner: []#012   X-Ms-Permissions: [rw-r--r--]#012   X-Ms-Version: [2018-11-09]#012   --------------------------------------------------------------------------------#012   RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.#012   Content-Length: [227]#012   Content-Type: [application/json;charset=utf-8]#012   Date: [Mon, 18 Sep 2023 22:44:01 GMT]#012   Server: [Windows-Azure-HDFS/1.0 Microsoft-HTTPAPI/2.0]#012   X-Ms-Error-Code: [AuthorizationPermissionMismatch]#012   X-Ms-Request-Id: [db2d8b08-301f-0005-6c81-ea9404000000]#012   X-Ms-Version: [2018-11-09]#012#012#012]

But basically you suggest that for a HNS enabled account we should just assign a Storage Blob Data Owner role and that the Storage Blob Data Contributor role is just not enough?

[vibhansa-msft]

"Silently Ignored" only for non-HNS account. You are getting "loudly denied" as HNS is enabled :)
For the role front you need to assign something that allows you to change the permissions/ACLs of a blob so "Data owner" might do the trick along with "Blob Data Contributor" role.
One possible workaround might be to not instruct blobfuse that you are on a HNS account and set "blob" endpoint. This might not allow you to do certain operations (which HNS enabled accounts let you do) but if wish to only upload/downlaod data that shall work fine.

[woutderuiter]

I also thought I could trick the driver into thinking it was connecting to a non-HNS account, using the options you suggested. Unfortunately, it was not tricked that easily and the mounting operation failed.

But thanks for the help. We will solve our issue by assigning the Storage Blob Data Owner role. Have a nice day!