Use Azure Storage Explorer to manage directories, files, and ACLs in Azure Data Lake Storage Gen2

This article shows you how to use Azure Storage Explorer to create and manage directories, files, and permissions in storage accounts that have hierarchical namespace (HNS) enabled.

Prerequisites

  • An Azure subscription. See Get Azure trial.
  • A storage account that has hierarchical namespace (HNS) enabled. Follow these instructions to create one.
  • Azure Storage Explorer installed on your local computer. To install Azure Storage Explorer for Windows, Macintosh, or Linux, see Azure Storage Explorer.

Sign in to Storage Explorer

When you first start Storage Explorer, the Microsoft Azure Storage Explorer - Connect window appears. While Storage Explorer provides several ways to connect to storage accounts, only one way is currently supported for managing ACLs.

| Task | Purpose |
| --- | --- |
| Add an Azure Account | Redirects you to your organization's sign-in page to authenticate you to Azure. Currently this is the only supported authentication method if you want to manage and set ACLs. |
| Use a connection string or shared access signature URI | Can be used to directly access a container or storage account with a SAS token or a shared connection string. |
| Use a storage account name and key | Use the storage account name and key of your storage account to connect to Azure storage. |

Select Add an Azure Account and click Sign in... Follow the on-screen prompts to sign in to your Azure account.

This screenshot shows Microsoft Azure Storage Explorer, with the Add an Azure Account option and the Sign in button highlighted.

When it finishes connecting, Azure Storage Explorer loads with the Explorer tab shown. This view gives you insight into all of your Azure storage accounts as well as local storage configured through the Azurite storage emulator, Cosmos DB accounts, or Azure Stack environments.

Microsoft Azure Storage Explorer - Connect window

Create a container

A container holds directories and files. To create one, expand the storage account you created in the preceding step. Select Blob Containers, right-click and select Create Blob Container. Enter the name for your container. See the Create a container section for a list of rules and restrictions on naming containers. When complete, press Enter to create the container. Once the container has been successfully created, it is displayed under the Blob Containers folder for the selected storage account.

Microsoft Azure Storage Explorer - Create a container

Create a directory

To create a directory, select the container that you created in the preceding step. In the container ribbon, choose the New Folder button. Enter the name for your directory. When complete, press Enter to create the directory. Once the directory has been successfully created, it appears in the editor window.

Microsoft Azure Storage Explorer - Create a directory

Upload blobs to the directory

On the directory ribbon, choose the Upload button. This operation gives you the option to upload a folder or a file.

Choose the files or folder to upload.

Microsoft Azure Storage Explorer - Upload a blob

When you select OK, the selected files are queued for upload, and each file is uploaded. When the upload is complete, the results are shown in the Activities window.

View blobs in a directory

In the Azure Storage Explorer application, select a directory under a storage account. The main pane shows a list of the blobs in the selected directory.

Microsoft Azure Storage Explorer - List all blobs in a directory

Download blobs

To download files by using Azure Storage Explorer, select the file you want, then select Download from the ribbon. A file dialog opens where you can enter a file name. Select Save to start downloading the file to the local location.

Managing access

You can set permissions at the root of your container. To do so, you must be signed in to Azure Storage Explorer with your individual account, and that account must have rights to do so (as opposed to connecting with a connection string). Right-click your container and select Manage Permissions, which brings up the Manage Permission dialog box.

Microsoft Azure Storage Explorer - Manage directory access

The Manage Permission dialog box allows you to manage permissions for the owner and the owners group. It also allows you to add new users and groups to the access control list, whose permissions you can then manage.

To add a new user or group to the access control list, select the Add user or group field.

Enter the corresponding Azure Active Directory (AAD) entry you wish to add to the list and then select Add.

The user or group will now appear in the Users and groups: field, allowing you to begin managing their permissions.

Note

The recommended best practice is to create a security group in AAD and maintain permissions on the group rather than on individual users. For details on this recommendation, as well as other best practices, see best practices for Data Lake Storage Gen2.

There are two categories of permissions you can assign: access ACLs and default ACLs.

  • Access: Access ACLs control access to an object. Files and directories both have access ACLs.

  • Default: A template of ACLs associated with a directory that determines the access ACLs for any child items that are created under that directory. Files do not have default ACLs.

Within both of these categories, there are three permissions you can then assign on files or directories: Read, Write, and Execute.

Note

Making selections here will not set permissions on any item that currently exists inside the directory. If the file already exists, you must go to each individual item and set the permissions manually.

You can manage permissions on individual directories, as well as individual files, which is what allows fine-grained access control. The process for managing permissions for both directories and files is the same as described above. Right-click the file or directory you wish to manage permissions on and follow the same process.
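The following added example (not part of the original article or of Storage Explorer) models the access/default ACL behavior described above, including the note that a default ACL does not change items that already exist. It is a simplified in-memory model that ignores the mask and umask, and the class, function names and group ID are hypothetical.

```python
# Added example: simplified in-memory model of access vs. default ACLs.
# Ignores mask/umask handling; the group ID used in demo() is a constructed placeholder.

class Node:
    def __init__(self, name, is_dir, parent=None):
        self.name, self.is_dir, self.parent = name, is_dir, parent
        self.access = {}    # access ACL: principal -> permission string such as "r-x"
        self.default = {}   # default ACL (meaningful for directories only)
        self.children = []
        if parent is not None:
            # A new child receives the parent's default ACL as its access ACL;
            # a child directory also keeps it as its own default ACL.
            self.access = dict(parent.default)
            if is_dir:
                self.default = dict(parent.default)
            parent.children.append(self)

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def find_unpropagated(directory):
    """Return paths of existing items whose access ACL does not match what
    the parent's default ACL would give to a newly created item."""
    stale = []
    for child in directory.children:
        if any(child.access.get(p) != perms for p, perms in directory.default.items()):
            stale.append(child.path())
        if child.is_dir:
            stale.extend(find_unpropagated(child))
    return stale


def demo():
    group = "group:00000000-0000-0000-0000-000000000001"  # constructed placeholder
    root = Node("container", is_dir=True)
    old_file = Node("old.csv", is_dir=False, parent=root)  # exists before the ACL change
    root.default[group] = "r-x"                            # default ACL set afterwards
    new_file = Node("new.csv", is_dir=False, parent=root)  # created after the change
    return old_file.access, new_file.access, find_unpropagated(root)


if __name__ == "__main__":
    old_acl, new_acl, stale = demo()
    print("old.csv access ACL:", old_acl)
    print("new.csv access ACL:", new_acl)
    print("items needing a manual ACL update:", stale)
```

The list returned by `find_unpropagated` corresponds to the items that, per the note above, must be visited individually to receive the new permissions.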

Next steps

Learn about access control lists in Data Lake Storage Gen2.