I want to restrict azure ADLS SFTP access to directory level.

Thaya
2025-02-13T13:50:41.1066667+00:00

I want to create SFTP access for 5 users and want to keep all the SFTP folders in one container.


2 answers

Sort by: Most helpful
  1. Venkatesan S, Microsoft Vendor
    2025-02-25T06:19:32+00:00

    Hello @Thaya

    I want to restrict azure ADLS SFTP access to directory level

    According to this MS-Document, ACLs for local users are supported but still in preview. Please do not use this for your production environment.

    1. I created an ADLS Gen2 storage account named venkat8912.
    2. A container (test) with two directories (testdirectory1 and testdirectory2), with some files in both of them.


    The directory-level access restrictions are as follows:

    • testuser1 is permitted to list files only within testdirectory1 and cannot perform any other operations in that directory. Additionally, testuser1 has no access to the root directory or testdirectory2.
    • testuser2 is allowed to list files exclusively in testdirectory2 and is restricted from performing any other actions within that directory. testuser2 also has no access to the root directory or testdirectory1.

    In addition to testuser1 and testuser2, an admin user is required to manage permissions. The admin user will have the authority to assign Access Control Lists (ACLs) for testuser1 and testuser2.


    While creating testuser1 and testuser2, leave containers and permissions empty, enable “Allow ACL authorization”, and set the landing directory to their respective directories (testdirectory1 or testdirectory2). This ensures access is controlled via ACLs and users are directed to their assigned directories.

    After adding a local user, you will get its userId.

    According to this MS-Document, the ACLs contain three different permissions: Read [r], Write [w] and Execute [x].

    Now connect as admin from PowerShell using the sftp client.

    Command:

    PS > sftp ******@venkat8912.blob.core.windows.net
    ******@venkat8912.blob.core.windows.net's password:
    Connected to venkat8912.blob.core.windows.net.
    sftp>
    

    The next step is to change the directory ownership: set testdirectory1’s owner to testuser1 and testdirectory2’s owner to testuser2. This ensures each user only has control over their assigned directory and cannot access the other.

    sftp> chmod 1011 /
    Changing mode on /
    sftp> chown 1012 testdirectory1
    Changing owner on /testdirectory1
    sftp> chown 1013 testdirectory2
    Changing owner on /testdirectory2
    

    When connecting to the Storage Account via SFTP using testuser1 or testuser2, each user will only be able to list files within their respective directories (testdirectory1 or testdirectory2) and will be restricted from performing any other operations.

    Output:

    PS > sftp ******@venkat8912.blob.core.windows.net
    ******@venkat8912.blob.core.windows.net's password:
    Connected to venkat8912.blob.core.windows.net.
    sftp> ls
    bloxxxor.docx               bxxxor.docx            coxxg.docx            downloadxxmefile.docx
    reaxxxfile.docx
    sftp>
    


    You can follow this same procedure for testuser2.

    Reference:

    How to configure directory level permission for SFTP local user | Microsoft Community Hub

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the “comments” and I would be happy to help you.


  2. Vinod Kumar Reddy Chilupuri, Microsoft Vendor
    2025-02-13T17:03:15.6566667+00:00

    Hi @Thaya

    To restrict Azure ADLS SFTP access to a directory level for multiple users, you can create local users for each SFTP user and assign them specific permissions for the directories within a single container. You can have up to 1000 local users per storage account. You can add a local user by going to Settings, selecting SFTP, and then selecting Add local user. Walking through the prompts, you will also be able to set up the user permissions for the storage containers. At this time, permissions are only supported at the container level.

    • For example, if you have a container named mycontainer, you might set the home directories as follows:
      • User1: /mycontainer/user1
      • User2: /mycontainer/user2
      • User3: /mycontainer/user3
      • User4: /mycontainer/user4
      • User5: /mycontainer/user5

    You will need to set up the home directory for each local user to point to their respective directories within the container. This way, when they connect via SFTP, they will only have access to their designated directory. You can assign permissions such as Read, Write, List, and Delete to control what each user can do within their directory. SFTP support for Azure Blob Storage - Azure Storage | Microsoft Learn

    • For User1, set ACLs on /mycontainer/user1 to allow:
      • Read (r)
      • Write (w)
      • List (l)
      • Delete (d)
      • Repeat this for each user, ensuring they only have permissions on their own directory

    Additionally, ensure that you grant the necessary Execute permissions to the root folder of the container and the hierarchy leading to the specific directories for each user. This will allow them to access their directories while restricting access to others.

    • For example, you may need to set the following permissions:
      • /mycontainer: Execute (x)
      • /mycontainer/user1: Read (r), Write (w), List (l), Delete (d)
      • Repeat for other user directories.

    By following the above steps, you can effectively restrict Azure ADLS SFTP access to a directory level for multiple users within a single container. Each user will have their own home directory and specific permissions.

    https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?tabs=azure-portal#configure-permissions

    Hope the above answer helps! Please let us know if you have any further queries.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 
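As an added example (not code from either answer above, and not a Microsoft sample), the following bash script repeats the first answer's manual procedure for any number of users, which is what the question's five-user setup needs: it creates each local user with ACL authorization and a landing directory through the Azure CLI, collects the userId the service assigns, and writes the sftp batch file the admin user runs to chown and chmod the directories. Everything named here is an assumption: the storage account, resource group and container names, an existing admin local user with container permissions, SSH-key authentication and its home directory set to the container, and the presence of the `--home-directory`, `--has-ssh-password` and `--allow-acl-authorization` flags in your az version (check with `az storage account local-user create --help`).

```shell
#!/usr/bin/env bash
# Added example, not code from either answer above. Provisions ACL-authorised
# SFTP local users confined to one directory each inside a single container,
# then generates the sftp batch the admin runs to set ownership and modes.
#
# Assumed placeholders: storage account, resource group, container, and an
# existing admin local user with container permissions (rwdlc), SSH-key
# authentication, and its home directory set to the container.
set -euo pipefail

ACCOUNT="${ACCOUNT:-venkat8912}"
RG="${RG:-rg-sftp}"            # assumed resource group name
CONTAINER="${CONTAINER:-test}"
ADMIN_USER="${ADMIN_USER:-admin}"

# Constructed user list, one "localuser:directory" per line. Extend to the
# five users from the question by adding lines; directories must already exist.
USERS="testuser1:testdirectory1
testuser2:testdirectory2"

# Create one local user with no container permission scope, ACL authorization
# on, and a landing directory inside the container. Prints the numeric userId
# the service assigns (needed for chown). The --allow-acl-authorization flag
# is assumed to exist in your az version; check
# `az storage account local-user create --help`. Network call.
create_acl_user() {
  local name="$1" dir="$2"
  az storage account local-user create \
    --account-name "$ACCOUNT" --resource-group "$RG" \
    --user-name "$name" \
    --home-directory "$CONTAINER/$dir" \
    --has-ssh-password true \
    --allow-acl-authorization true \
    --query userId --output tsv
}

# Read "userId:directory" lines on stdin and emit an sftp batch file.
# Root keeps mode 1011 as in the answer above: other users may traverse it
# but not list it. Each user directory becomes mode 700 and owned by its
# user, so that user gets read, write and list there and nobody else can
# enter it (the admin bypasses ACLs through its container permissions).
gen_acl_batch() {
  local uid dir
  printf 'chmod 1011 /\n'
  while IFS=: read -r uid dir; do
    [ -n "$uid" ] || continue
    printf 'chown %s /%s\n' "$uid" "$dir"
    printf 'chmod 700 /%s\n' "$dir"
  done
  printf 'bye\n'
}

# Create every user, collect the userIds, write the batch and apply it as
# the admin. sftp -b needs non-interactive (key) authentication; with a
# password-only admin, paste acl_batch.sftp into an interactive session.
provision() {
  printf '%s\n' "$USERS" | while IFS=: read -r name dir; do
    [ -n "$name" ] || continue
    printf '%s:%s\n' "$(create_acl_user "$name" "$dir")" "$dir"
  done | gen_acl_batch >acl_batch.sftp
  sftp -b acl_batch.sftp "${ACCOUNT}.${ADMIN_USER}@${ACCOUNT}.blob.core.windows.net"
}

if [ "${APPLY:-0}" = 1 ]; then
  provision
fi
```

Run it with `APPLY=1` to touch the account; without it nothing is called, so you can inspect the generated batch first. After it runs, log in as each test user and confirm that `ls` shows only that user's directory contents and that `cd ..` followed by `ls` does not list the root or the other directory; that check, done per user, is what proves the ACLs took effect rather than the landing directory alone.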

