Use Azure Storage Explorer to manage ACLs in Azure Data Lake Storage Gen2

This article shows you how to use Azure Storage Explorer to manage access control lists (ACLs) in storage accounts that have a hierarchical namespace (HNS) enabled.

You can use Storage Explorer to view, and then update, the ACLs of directories and files. New child items created under a parent directory already inherit that directory's default ACL. You can also apply ACL settings recursively to the existing child items of a parent directory, without having to make the change individually on each child item.

This article shows you how to modify the ACL of a file or directory and how to apply ACL settings recursively to existing child items.

Prerequisites

  • An Azure subscription. See Get Azure trial.

  • A storage account that has hierarchical namespace (HNS) enabled. Follow these instructions to create one.

  • Azure Storage Explorer installed on your local computer. To install Azure Storage Explorer for Windows, Macintosh, or Linux, see Azure Storage Explorer.

Note

Storage Explorer uses both the Blob (blob) and Data Lake Storage Gen2 (dfs) endpoints when working with Azure Data Lake Storage Gen2. If access to Azure Data Lake Storage Gen2 is configured using private endpoints, ensure that two private endpoints are created for the storage account: one with the target sub-resource blob and the other with the target sub-resource dfs. With only one of the two, some Storage Explorer operations will fail to reach the account.

Sign in to Storage Explorer

When you first start Storage Explorer, the Microsoft Azure Storage Explorer - Connect window appears. Storage Explorer provides several ways to connect to storage accounts, but only one of them currently supports managing ACLs.

Task | Purpose
Add an Azure Account | Redirects you to your organization's sign-in page to authenticate you to Azure. Currently this is the only supported authentication method if you want to manage and set ACLs.
Use a connection string or shared access signature URI | Can be used to directly access a container or storage account with a SAS token or a shared connection string. Does not support managing ACLs.
Use a storage account name and key | Uses the storage account name and key of your storage account to connect to Azure Storage. Does not support managing ACLs.

Select Add an Azure Account and click Sign in... Follow the on-screen prompts to sign in to your Azure account.

Screenshot of Microsoft Azure Storage Explorer highlighting the Add an Azure Account option and the Sign in button.

When it finishes connecting, Azure Storage Explorer loads with the Explorer tab shown. This view gives you insight into all of your Azure storage accounts as well as local storage configured through the Azurite storage emulator, Cosmos DB accounts, or Azure Stack environments.

Microsoft Azure Storage Explorer - Connect window

Manage an ACL

Right-click the container, a directory, or a file, and then click Manage Access Control Lists. The following screenshot shows the menu as it appears when you right-click a directory.

Right-clicking a directory in Azure Storage Explorer

The Manage Access dialog box lets you manage permissions for the owner and the owning group. It also lets you add new users and groups to the access control list and then manage their permissions.

Manage Access dialog box

To add a new user or group to the access control list, select the Add button. Then enter the corresponding Azure Active Directory (Azure AD) entry you wish to add to the list and select Add. The user or group now appears in the Users and groups: field, and you can begin managing its permissions.

Note

It is a recommended best practice to create a security group in Azure AD and maintain permissions on the group rather than on individual users: membership changes are then handled in Azure AD instead of by rewriting ACLs across the directory tree. For details on this recommendation, as well as other best practices, see Access control model in Azure Data Lake Storage Gen2.

Use the check box controls to set access and default ACLs. The access ACL controls access to the item itself; the default ACL is a template that only child items created afterwards inherit, so setting a default ACL does not change existing children (use the recursive propagation described below for those). To learn more about the difference between these types of ACLs, see Types of ACLs.

Apply ACLs recursively

You can apply ACL entries recursively to the existing child items of a parent directory without having to make these changes individually for each child item. Because the parent's entries are written to every existing descendant, review the parent's ACL before you propagate it.

To apply ACL entries recursively, right-click the container or a directory, and then click Propagate Access Control Lists. The following screenshot shows the menu as it appears when you right-click a directory.

Right-clicking a directory and choosing the Propagate Access Control Lists setting
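The access/default distinction from the Manage an ACL section and the propagation step above can be worked through offline. The following is an added example, not code from the Storage Explorer documentation or from the product: a small Python model of the Data Lake Storage Gen2 ACL string format (comma-separated `[default:]type:qualifier:perms` entries, the same form the Azure CLI and SDKs accept), the POSIX-style evaluation order including the mask, the ACL a new child inherits from a parent's default ACL, and what Propagate Access Control Lists does to existing children. The object IDs, the directory tree, and the simplification that propagation overwrites each descendant's entries (dropping default entries on files, which cannot hold them) are assumptions for illustration; the real service is not called.

```python
# Added example (not from the Storage Explorer docs): an offline model of the POSIX-style
# ACL strings ADLS Gen2 uses, "[default:]type:qualifier:perms" entries joined by commas.
# Object IDs and the directory tree below are constructed; no Azure SDK or account is used.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AclEntry:
    default: bool   # True: default (template) entry; False: access entry
    kind: str       # user | group | mask | other
    qualifier: str  # Azure AD object ID, or "" for the owning user / owning group
    perms: str      # three characters from {r,-}{w,-}{x,-}

def parse_acl(acl: str) -> list[AclEntry]:
    """Parse e.g. 'user::rwx,group::r-x,other::---,default:user::rwx' into entries."""
    entries = []
    for raw in filter(None, (p.strip() for p in acl.split(","))):
        parts = raw.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, qualifier, perms = parts
        if ((kind in ("mask", "other") and qualifier) or len(perms) != 3
                or any(c not in ok for c, ok in zip(perms, ("r-", "w-", "x-")))):
            raise ValueError(f"invalid ACL entry: {raw!r}")
        entries.append(AclEntry(default, kind, qualifier, perms))
    return entries

def format_acl(entries: list[AclEntry]) -> str:
    return ",".join(f"{'default:' if e.default else ''}{e.kind}:{e.qualifier}:{e.perms}"
                    for e in entries)

def _masked(perms: str, mask: str | None) -> str:
    # Mask caps named users, the owning group and named groups; owner and other are never masked.
    return perms if mask is None else "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_perms(entries, caller: str, groups: set[str], owner: str, owning_group: str) -> str:
    """Evaluate ACCESS entries only (defaults are a template, not a grant) in POSIX order:
    owning user, named user, owning/named groups (union, then mask), other. RBAC is out of scope."""
    access = [e for e in entries if not e.default]
    mask = next((e.perms for e in access if e.kind == "mask"), None)
    if caller == owner:
        return next((e.perms for e in access if e.kind == "user" and not e.qualifier), "---")
    for e in access:
        if e.kind == "user" and e.qualifier == caller:
            return _masked(e.perms, mask)
    matching = [e.perms for e in access if e.kind == "group"
                and (e.qualifier in groups or (not e.qualifier and owning_group in groups))]
    if matching:
        return _masked("".join("rwx"[i] if any(p[i] != "-" for p in matching) else "-"
                               for i in range(3)), mask)
    return next((e.perms for e in access if e.kind == "other"), "---")

def allows(entries, caller, groups, owner, owning_group, want: str) -> bool:
    # True if every letter in `want` (e.g. "rx") is granted to `caller`.
    return all(c in effective_perms(entries, caller, groups, owner, owning_group) for c in want)

def acl_for_new_child(parent: list[AclEntry], is_dir: bool) -> list[AclEntry]:
    """NEW child: parent's defaults become its access entries; a directory also keeps them as defaults."""
    defaults = [e for e in parent if e.default]
    child = [AclEntry(False, e.kind, e.qualifier, e.perms) for e in defaults]
    return child + defaults if is_dir else child

@dataclass
class Node:
    name: str
    is_dir: bool
    acl: list[AclEntry]
    children: list[Node] = field(default_factory=list)

def propagate(parent: Node) -> int:
    """Model of 'Propagate Access Control Lists': copy the parent's entries onto every existing descendant."""
    touched, stack = 0, list(parent.children)
    while stack:
        node = stack.pop()
        node.acl = [e for e in parent.acl if node.is_dir or not e.default]  # files hold no defaults
        touched += 1
        stack.extend(node.children)
    return touched

def demo() -> dict:
    """Constructed scenario: a named group is granted on /data in the access ACL only."""
    owner, og, team, analyst = "owner-oid", "owning-group-oid", "data-team-oid", "analyst-oid"
    root_acl = (f"user::rwx,group::r-x,group:{team}:rwx,mask::r-x,other::---,"
                "default:user::rwx,default:group::r-x,default:other::---")
    leaf = Node("a.csv", False, parse_acl("user::rw-,group::---,other::---"))
    root = Node("data", True, parse_acl(root_acl),
                [Node("2024", True, parse_acl("user::rwx,group::---,other::---"), [leaf])])
    return {
        "analyst_rx_on_root": allows(root.acl, analyst, {team}, owner, og, "rx"),
        "analyst_w_on_root": allows(root.acl, analyst, {team}, owner, og, "w"),   # mask strips w
        "new_file_acl": format_acl(acl_for_new_child(root.acl, is_dir=False)),   # team is absent
        "new_dir_acl": format_acl(acl_for_new_child(root.acl, is_dir=True)),
        "analyst_r_on_leaf_before": allows(leaf.acl, analyst, {team}, owner, og, "r"),
        "propagated": propagate(root),
        "leaf_acl_after": format_acl(leaf.acl),
        "analyst_r_on_leaf_after": allows(leaf.acl, analyst, {team}, owner, og, "r"),
    }
```

Running `demo()` shows the two situations this article addresses: a group granted only in the access ACL of /data is not inherited by new children (`new_file_acl` carries no data-team entry, because only default entries are inherited), and existing children keep their old ACL until you propagate (`analyst_r_on_leaf_before` is False, `analyst_r_on_leaf_after` is True). The mask row also shows why a group granted rwx can end up with an effective r-x. This model only predicts the outcome; the write to a real account is done by Storage Explorer's Propagate Access Control Lists action or by the recursive ACL operations in the Azure CLI and SDKs.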

Next steps

Learn about the Data Lake Storage Gen2 permission model.