Use PowerShell to manage ACLs in Azure Data Lake Storage Gen2

This article shows you how to use PowerShell to get, set, and update the access control lists (ACLs) of directories and files.

ACL inheritance is already available for new child items that are created under a parent directory. But you can also add, update, and remove ACLs recursively on the existing child items of a parent directory without having to make these changes individually for each child item.


Prerequisites

  • An Azure subscription. See Get Azure trial.

  • A storage account that has hierarchical namespace (HNS) enabled. Follow these instructions to create one.

  • Azure CLI version 2.6.0 or higher.

  • One of the following security permissions:

    • A provisioned Azure Active Directory (AD) security principal that has been assigned the Storage Blob Data Owner role in the scope of either the target container, its parent resource group, or the subscription.

    • Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory.

    • Storage account key.

Install the PowerShell module

  1. Verify that the version of PowerShell that you have installed is 5.1 or higher by using the following command.

    echo $PSVersionTable.PSVersion.ToString()


    To upgrade your version of PowerShell, see Upgrading existing Windows PowerShell.

  2. Install the Az.Storage module.

    Install-Module Az.Storage -Repository PSGallery -Force


    For more information about how to install PowerShell modules, see Install the Azure PowerShell module.

Connect to the account

Choose how you want your commands to obtain authorization to the storage account.

Option 1: Obtain authorization by using Azure Active Directory (AD)

Note

If you're using Azure Active Directory (Azure AD) to authorize access, make sure that your security principal has been assigned the Storage Blob Data Owner role. To learn more about how ACL permissions are applied and the effects of changing them, see Access control model in Azure Data Lake Storage Gen2.

With this approach, the system ensures that your user account has the appropriate Azure role-based access control (Azure RBAC) assignments and ACL permissions.

  1. Open a Windows PowerShell command window, sign in to your Azure subscription with the Connect-AzAccount command, and follow the on-screen directions.

    Connect-AzAccount -Environment AzureChinaCloud

  2. If your identity is associated with more than one subscription, set your active subscription to the subscription of the storage account in which you want to create and manage directories. In this example, replace the <subscription-id> placeholder value with the ID of your subscription.

    Select-AzSubscription -SubscriptionId <subscription-id>

  3. Get the storage account context.

    $ctx = New-AzStorageContext -StorageAccountName '<storage-account-name>' -UseConnectedAccount


Option 2: Obtain authorization by using the storage account key

With this approach, the system doesn't check Azure RBAC or ACL permissions. Get the storage account context by using an account key.

$ctx = New-AzStorageContext -StorageAccountName '<storage-account-name>' -StorageAccountKey '<storage-account-key>'

Get ACLs

Get the ACL of a directory or file by using the Get-AzDataLakeGen2Item cmdlet.

This example gets the ACL of the root directory of a container and then prints the ACL to the console.

$filesystemName = "my-file-system"
$filesystem = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName
$filesystem.ACL

This example gets the ACL of a directory, and then prints the ACL to the console.

$filesystemName = "my-file-system"
$dirname = "my-directory/"
$dir = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname
$dir.ACL

This example gets the ACL of a file, and then prints the ACL to the console.

$filePath = "my-directory/upload.txt"
$file = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $filePath
$file.ACL

The following image shows the output after getting the ACL of a directory.

[Image: output of getting the ACL of a directory]

In this example, the owning user has read, write, and execute permissions. The owning group has only read and execute permissions. For more information about access control lists, see Access control in Azure Data Lake Storage Gen2.
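Reading one ACL at a time is fine for a spot check, but a practitioner usually wants to audit a whole directory tree for entries that deserve a second look. The script below is an added example, not code from the original article. It walks a directory recursively, and reports every entry that grants write access to all other users, plus every entry naming a principal you are watching (for instance one being offboarded). It assumes $ctx was created as shown above; the use of Get-AzDataLakeGen2ChildItem with -Recurse and -FetchProperty, and the Path, IsDirectory, ACL and Permissions properties of the returned items, are assumptions about the Az.Storage module and are not taken from this page. The object ID in the usage line is a constructed placeholder.

```powershell
# Added example, not code from the original article. Audits the ACLs of every item
# under a directory and flags entries worth reviewing. Assumes $ctx as created above.
# Get-AzDataLakeGen2ChildItem -Recurse -FetchProperty and the Path, IsDirectory, ACL
# and Permissions properties are assumptions about the Az.Storage module.

function Test-AclEntryWrite {
    param($Entry)
    # Permissions render either as symbolic "rwx" or as flag names such as
    # "Read, Write, Execute"; a case-insensitive match on 'w' covers both forms.
    return ("$($Entry.Permissions)" -match 'w')
}

function Find-AclFindings {
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $FileSystem,
        [string] $Path,
        # Object IDs to report wherever they appear, e.g. a principal being offboarded.
        [string[]] $WatchEntityIds = @()
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # -FetchProperty makes the listing include each item's ACL.
    $listParams = @{ Context = $Context; FileSystem = $FileSystem; Recurse = $true; FetchProperty = $true }
    if ($Path) { $listParams.Path = $Path }
    $items = Get-AzDataLakeGen2ChildItem @listParams

    foreach ($item in $items) {
        foreach ($entry in $item.ACL) {
            $reason = $null
            if ($entry.AccessControlType -eq "Other" -and (Test-AclEntryWrite $entry)) {
                $reason = "all other users can write"
            }
            elseif ($entry.EntityId -and ($WatchEntityIds -contains $entry.EntityId)) {
                $reason = "watched principal has an entry"
            }
            if ($reason) {
                $scope = if ($entry.DefaultScope) { "default" } else { "access" }
                $findings.Add([pscustomobject]@{
                    Path        = $item.Path
                    IsDirectory = $item.IsDirectory
                    Scope       = $scope
                    Type        = $entry.AccessControlType
                    EntityId    = $entry.EntityId
                    Permissions = "$($entry.Permissions)"
                    Reason      = $reason
                })
            }
        }
    }
    return $findings
}

# Usage: scan my-parent-directory in my-container (names from the article); the
# object ID is a constructed placeholder.
$findings = Find-AclFindings -Context $ctx -FileSystem "my-container" -Path "my-parent-directory/" `
    -WatchEntityIds @("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
$findings | Format-Table -AutoSize
```

The listing does not include the starting directory itself; check it separately with Get-AzDataLakeGen2Item as shown above. Default-scope findings matter as much as access-scope ones, because a default entry is what new children inherit.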

Set ACLs

When you set an ACL, you replace the entire ACL, including all of its entries. If you want to change the permission level of a security principal or add a new security principal to the ACL without affecting other existing entries, you should update the ACL instead. To update an ACL instead of replacing it, see the Update ACLs section of this article.

If you choose to set the ACL, you must add an entry for the owning user, an entry for the owning group, and an entry for all other users. To learn more about the owning user, the owning group, and all other users, see Users and identities.

This section shows you how to:

  • Set an ACL
  • Set ACLs recursively

Set an ACL

Use the Set-AzDataLakeGen2ItemAclObject cmdlet to create an ACL for the owning user, owning group, or other users. Then, use the Update-AzDataLakeGen2Item cmdlet to commit the ACL.

This example sets the ACL on the root directory of a container for the owning user, owning group, and other users, and then prints the ACL to the console. A permission string that begins with a dash, such as "-wx", must be quoted so that PowerShell does not read it as a parameter name.

$filesystemName = "my-file-system"
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rw-
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission rw- -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "-wx" -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Acl $acl
$filesystem = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName
$filesystem.ACL

This example sets the ACL on a directory for the owning user, owning group, and other users, and then prints the ACL to the console.

$filesystemName = "my-file-system"
$dirname = "my-directory/"
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rw-
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission rw- -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "-wx" -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl
$dir = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname
$dir.ACL

Note

If you want to set a default ACL entry, use the -DefaultScope parameter when you run the Set-AzDataLakeGen2ItemAclObject command. For example: $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rwx -DefaultScope.

This example sets the ACL on a file for the owning user, owning group, and other users, and then prints the ACL to the console.

$filesystemName = "my-file-system"
$filePath = "my-directory/upload.txt"
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rw-
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission rw- -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "-wx" -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $filePath -Acl $acl
$file = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $filePath
$file.ACL

Note

To set the ACL of a specific group or user, use their respective object IDs. For example, group:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or user:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

The following image shows the output after setting the ACL of a file.

[Image: output of getting the ACL of a file]

In this example, the owning user and owning group have only read and write permissions. All other users have write and execute permissions. For more information about access control lists, see Access control in Azure Data Lake Storage Gen2.

Set ACLs recursively

Set ACLs recursively by using the Set-AzDataLakeGen2AclRecursive cmdlet.

This example sets the ACL of a directory named my-parent-directory. These entries give the owning user read, write, and execute permissions, give the owning group only read and execute permissions, and give all others no access. The last ACL entry in this example gives a specific user with the object ID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" read and execute permissions.

$filesystemName = "my-container"
$dirname = "my-parent-directory/"
$userID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rwx
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission r-x -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "---" -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $userID -Permission r-x -InputObject $acl

Set-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl

Note

If you want to set a default ACL entry, use the -DefaultScope parameter when you run the Set-AzDataLakeGen2ItemAclObject command. For example: $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -Permission rwx -DefaultScope.

To see an example that sets ACLs recursively in batches by specifying a batch size, see the Set-AzDataLakeGen2AclRecursive reference article.

Update ACLs

When you update an ACL, you modify the ACL instead of replacing it. For example, you can add a new security principal to the ACL without affecting other security principals listed in the ACL. To replace the ACL instead of updating it, see the Set ACLs section of this article.

To update an ACL, create a new ACL object with the ACL entry that you want to update, and then use that object in the update ACL operation. Do not get the existing ACL; just provide the ACL entries to be updated.

This section shows you how to:

  • Update an ACL
  • Update ACLs recursively

Update an ACL

First, get the ACL. Then, use the Set-AzDataLakeGen2ItemAclObject cmdlet to add or update an ACL entry. Use the Update-AzDataLakeGen2Item cmdlet to commit the ACL.

This example creates or updates the ACL entry for a user on a directory.

$filesystemName = "my-file-system"
$dirname = "my-directory/"
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname).ACL
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId xxxxxxxx-xxxx-xxxxxxxxxxx -Permission r-x -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl

Note

If you want to update a default ACL entry, use the -DefaultScope parameter when you run the Set-AzDataLakeGen2ItemAclObject command. For example: $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId xxxxxxxx-xxxx-xxxxxxxxxxx -Permission r-x -DefaultScope.

Update ACLs recursively

Update ACLs recursively by using the Update-AzDataLakeGen2AclRecursive cmdlet.

This example updates an ACL entry with write permission.

$filesystemName = "my-container"
$dirname = "my-parent-directory/"
$userID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $userID -Permission rwx

Update-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl

Note

To set the ACL of a specific group or user, use their respective object IDs. For example, group:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or user:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

To see an example that updates ACLs recursively in batches by specifying a batch size, see the Update-AzDataLakeGen2AclRecursive reference article.

Remove ACL entries

This section shows you how to:

  • Remove an ACL entry
  • Remove ACL entries recursively

Remove an ACL entry

This example removes an entry from an existing ACL. It first reads the directory's current ACL, copies it into a mutable list, removes the access-scope entry for the given user, and then commits the remaining entries.

$filesystemName = "my-file-system"
$dirname = "my-directory/"
$id = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Get the current ACL of the directory.
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname).ACL

# Create the new ACL object as a mutable list so that an entry can be removed.
[Collections.Generic.List[System.Object]]$aclnew = $acl

foreach ($a in $aclnew)
{
    # Match the access-scope (not default-scope) entry for this user's object ID.
    if ($a.AccessControlType -eq "User" -and $a.DefaultScope -eq $false -and $a.EntityId -eq $id)
    {
        $aclnew.Remove($a)
        break
    }
}
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $aclnew

Remove ACL entries recursively

You can remove one or more ACL entries recursively. To remove an ACL entry, create a new ACL object for the ACL entry to be removed, and then use that object in the remove ACL operation. Do not get the existing ACL; just provide the ACL entries to be removed.

Remove ACL entries by using the Remove-AzDataLakeGen2AclRecursive cmdlet.

This example removes an ACL entry from the root directory of the container.

$filesystemName = "my-container"
$userID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $userID -Permission "---"

Remove-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Acl $acl

Note

If you want to remove a default ACL entry, use the -DefaultScope parameter when you run the Set-AzDataLakeGen2ItemAclObject command. For example: $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $userID -Permission "---" -DefaultScope.

To see an example that removes ACLs recursively in batches by specifying a batch size, see the Remove-AzDataLakeGen2AclRecursive reference article.
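A common operational need is revoking one principal everywhere under a directory, which means removing both its access-scope entry and its default-scope entry; leaving the default entry in place would let newly created children keep inheriting access. The function below is an added example, not code from the original article. It builds one ACL object holding both entries, removes them recursively in a single operation, reports anything that could not be processed, and verifies the parent directory afterwards. It assumes $ctx was created as shown above and that Remove-AzDataLakeGen2AclRecursive accepts -ContinueOnFailure in the same way as Set-AzDataLakeGen2AclRecursive (an assumption about the Az.Storage module). The object ID is a constructed placeholder.

```powershell
# Added example, not code from the original article. Revokes every ACL entry naming
# one security principal, in access and default scope, across a directory tree.
# Assumes $ctx as created above and that Remove-AzDataLakeGen2AclRecursive accepts
# -ContinueOnFailure (assumption about the Az.Storage module).

function Revoke-PrincipalAcl {
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $FileSystem,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $EntityId,
        [ValidateSet("user", "group")] [string] $Type = "user"
    )
    # For a removal only the identity of the entry matters, so the permission is "---".
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType $Type -EntityId $EntityId -Permission "---"
    # Remove the default-scope entry too; otherwise new children created under the
    # directory would keep inheriting access for the revoked principal.
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType $Type -EntityId $EntityId -Permission "---" -DefaultScope -InputObject $acl

    $result = Remove-AzDataLakeGen2AclRecursive -Context $Context -FileSystem $FileSystem -Path $Path -Acl $acl -ContinueOnFailure

    # Report anything that could not be processed so it can be fixed and retried.
    if ($result.TotalFailureCount -gt 0) {
        Write-Warning "$($result.TotalFailureCount) item(s) could not be updated:"
        Write-Warning ($result.FailedEntries | Format-Table | Out-String)
    }

    # Verify on the parent directory that no entry for the principal remains.
    $remaining = (Get-AzDataLakeGen2Item -Context $Context -FileSystem $FileSystem -Path $Path).ACL |
        Where-Object { $_.EntityId -eq $EntityId }
    if ($remaining) {
        Write-Warning "Entries for $EntityId are still present on $Path"
    }
    return $result
}

# Usage with the article's container and directory names; the object ID is a
# constructed placeholder.
$result = Revoke-PrincipalAcl -Context $ctx -FileSystem "my-container" -Path "my-parent-directory/" `
    -EntityId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$result
```

Because removal does not change the owning user, owning group or "other" entries, the function can be rerun safely after a failure; reapplying an ACL change has no negative impact, as the article notes below.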

Recover from failures

You might encounter runtime or permission errors when modifying ACLs recursively.

For runtime errors, restart the process from the beginning. Permission errors can occur if the security principal doesn't have sufficient permission to modify the ACL of a directory or file that is in the directory hierarchy being modified. Address the permission issue, and then choose to either resume the process from the point of failure by using a continuation token, or restart the process from the beginning. You don't have to use the continuation token if you prefer to restart from the beginning. You can reapply ACL entries without any negative impact.

This example returns the results to a variable, and then pipes the failed entries to a formatted table.

$result = Set-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl
$result
$result.FailedEntries | ft

Based on the output of the table, you can fix any permission errors, and then resume execution by using the continuation token.

$result = Set-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl -ContinuationToken $result.ContinuationToken
$result

To see an example that sets ACLs recursively in batches by specifying a batch size, see the Set-AzDataLakeGen2AclRecursive reference article.

If you want the process to complete uninterrupted by permission errors, you can specify that.

This example uses the ContinueOnFailure parameter so that execution continues even if the operation encounters a permission error. Each label is printed with its matching counter, and the failed entries are written on their own lines rather than inside a string.

$result = Set-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl -ContinueOnFailure

echo "[Result Summary]"
echo "TotalDirectoriesSuccessfulCount: `t$($result.TotalDirectoriesSuccessfulCount)"
echo "TotalFilesSuccessfulCount: `t`t`t$($result.TotalFilesSuccessfulCount)"
echo "TotalFailureCount: `t`t`t`t`t$($result.TotalFailureCount)"
echo "FailedEntries:"
$result.FailedEntries | ft

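The two recovery paths described above, resuming from the continuation token after a permission error and restarting from the beginning after a runtime error, are easy to combine into one driver. The function below is an added example, not code from the original article. It runs Set-AzDataLakeGen2AclRecursive, accumulates the success and failure counters, shows the failed entries when the run stops on a permission error, gives the caller a hook to fix permissions, and resumes from the token; an exception is treated as a runtime error and the run restarts from the beginning. It assumes $ctx, $filesystemName, $dirname and $acl as defined earlier in this article, and that a run that reached the end of the tree returns an empty ContinuationToken (an assumption about the module's result object).

```powershell
# Added example, not code from the original article. Drives
# Set-AzDataLakeGen2AclRecursive to completion, resuming from the continuation token
# after permission failures and restarting after runtime errors. Assumes $ctx,
# $filesystemName, $dirname and $acl from the article, and that a completed run
# returns an empty ContinuationToken (assumption about the result object).

function Invoke-RecursiveAclSet {
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $FileSystem,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] $Acl,
        [int] $MaxAttempts = 3,
        # Invoked with the failed entries; return $true once the permission problem
        # is fixed and the run should resume from the token.
        [scriptblock] $OnPermissionFailure = { param($failed) $false }
    )
    $token  = $null
    $totals = [ordered]@{ Directories = 0; Files = 0; Failures = 0; Completed = $false }

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $params = @{ Context = $Context; FileSystem = $FileSystem; Path = $Path; Acl = $Acl }
        if ($token) { $params.ContinuationToken = $token }

        try {
            $result = Set-AzDataLakeGen2AclRecursive @params
        }
        catch {
            # Runtime error (outage, connectivity): reapplying ACLs is harmless, so
            # restart from the beginning and reset the running totals.
            Write-Warning "Attempt ${attempt}: runtime error, restarting from the beginning: $_"
            $token = $null
            $totals.Directories = 0; $totals.Files = 0; $totals.Failures = 0
            continue
        }

        $totals.Directories += $result.TotalDirectoriesSuccessfulCount
        $totals.Files       += $result.TotalFilesSuccessfulCount
        $totals.Failures    += $result.TotalFailureCount

        if ([string]::IsNullOrEmpty($result.ContinuationToken)) {
            $totals.Completed = $true
            break
        }

        # Permission error: the process stopped and handed back a continuation token.
        Write-Warning "Attempt ${attempt}: stopped on a permission error; failed entries:"
        Write-Warning ($result.FailedEntries | Format-Table | Out-String)
        $token = $result.ContinuationToken

        if (-not (& $OnPermissionFailure $result.FailedEntries)) {
            Write-Warning "Permission problem not resolved; keep this token to resume later: $token"
            break
        }
    }
    return [pscustomobject]$totals
}

# Usage: pause and resume automatically, assuming an operator fixes the permissions
# in the meantime (replace the script block with your own check).
$summary = Invoke-RecursiveAclSet -Context $ctx -FileSystem $filesystemName -Path $dirname -Acl $acl `
    -OnPermissionFailure { param($failed) Start-Sleep -Seconds 60; $true }
$summary
```

Items already processed before a permission error are not touched again when the run resumes from the token, which is why the counters are accumulated across attempts rather than taken from the last result alone.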

Best practices

This section provides some best practice guidelines for setting ACLs recursively.

Handling runtime errors

A runtime error can occur for many reasons (for example, an outage or a client connectivity issue). If you encounter a runtime error, restart the recursive ACL process. ACLs can be reapplied to items without causing a negative impact.

Handling permission errors (403)

If you encounter an access control exception while running a recursive ACL process, your AD security principal might not have sufficient permission to apply an ACL to one or more of the child items in the directory hierarchy. When a permission error occurs, the process stops and a continuation token is provided. Fix the permission issue, and then use the continuation token to process the remaining dataset. The directories and files that have already been successfully processed won't have to be processed again. You can also choose to restart the recursive ACL process. ACLs can be reapplied to items without causing a negative impact.

Credentials

We recommend that you provision an Azure AD security principal that has been assigned the Storage Blob Data Owner role in the scope of the target storage account or container.

Performance

To reduce latency, we recommend that you run the recursive ACL process in an Azure Virtual Machine (VM) that is located in the same region as your storage account.

ACL limits

The maximum number of ACLs that you can apply to a directory or file is 32 access ACLs and 32 default ACLs. For more information, see Access control in Azure Data Lake Storage Gen2.

See also