Configure Azure Storage account for Azure Databricks with Azure AD authentication

Azure Storage account for Azure Databricks

Question

You plan to create an Azure Storage account named storage1 that will store blobs and be accessed by Azure Databricks.

You need to ensure that you can set permissions for individual blobs by using Azure Active Directory (Azure AD) authentication.

Which Advanced setting should you enable for storage1?

Answers

Explanations


B

Question: Do I have to enable support for ACLs?

No. Access control via ACLs is enabled for a storage account as long as the Hierarchical Namespace (HNS) feature is turned ON.

Note 1: We [Microsoft] are pleased to share the general availability of Azure Active Directory (AD) based access control for Azure Storage Blobs and Queues.

Enterprises can now grant specific data access permissions to users and service identities from their Azure AD tenant using Azure's Role-based access control (RBAC).

Note 2: Azure Data Lake Storage Gen2 implements an access control model that supports both Azure role-based access control (Azure RBAC) and POSIX-like access control lists (ACLs).

You can associate a security principal with an access level for files and directories. These associations are captured in an access control list (ACL). Each file and directory in your storage account has an access control list. When a security principal attempts an operation on a file or directory, an ACL check determines whether that security principal (user, group, service principal, or managed identity) has the correct permission level to perform the operation.

Incorrect Answers:

D: Blob soft delete protects your data from being accidentally or erroneously modified or deleted. When blob soft delete is enabled for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify.

https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories

https://azure.microsoft.com/en-us/blog/azure-storage-support-for-azure-ad-based-access-control-now-generally-available/
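The ACL check that Note 2 describes, as an added example that is not part of the original answer: a small Python model of how an account with hierarchical namespace resolves a principal's permissions on one path. It assumes the `type:id:perms` ACL string format the Azure CLI and SDKs accept, the POSIX-like evaluation order (owning user, then named user, then the union of matching groups, then other, with the mask capping all but owner and other), and treats Azure RBAC as a plain flag checked before the ACL; object ids such as `aaaa` are constructed.

```python
# Added example, not from the original post: models the per-path ACL check that
# Note 2 above describes for an account with hierarchical namespace (ADLS Gen2).
# Assumes the "type:id:perms" ACL string format accepted by the Azure CLI/SDKs
# and POSIX-style evaluation (owner, named user, union of groups, other; the
# mask caps everything except owner and other). RBAC is modelled as a flag.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(perm: str) -> int:
    """'r-x' -> 5; rejects anything that is not an rwx triplet."""
    if len(perm) != 3 or any(c not in ("-", ch) for c, ch in zip(perm, "rwx")):
        raise ValueError(f"bad permission triplet: {perm!r}")
    return sum(PERM_BITS[c] for c in perm if c != "-")

def parse_acl(acl: str) -> dict:
    """Map (type, id) -> bits. 'default:' entries only shape new children, so skip them."""
    entries = {}
    for raw in acl.split(","):
        parts = raw.strip().split(":")
        if parts[0] == "default":
            continue
        if len(parts) != 3:
            raise ValueError(f"bad ACL entry: {raw!r}")
        kind, ident, perm = parts
        entries[(kind, ident)] = perm_to_bits(perm)
    return entries

def effective_perms(acl: str, owner: str, owning_group: str, oid: str, groups=()) -> int:
    """Bits the ACL grants the principal `oid` (a member of `groups`) on this one path."""
    e = parse_acl(acl)
    mask = e.get(("mask", ""), 7)
    if oid == owner:
        return e.get(("user", ""), 0)
    if ("user", oid) in e:
        return e[("user", oid)] & mask
    # Group entries are cumulative: union of the owning group (if a member) and named groups.
    hits = [e[("group", "")]] if owning_group in groups and ("group", "") in e else []
    hits += [e[("group", g)] for g in groups if ("group", g) in e]
    if hits:
        bits = 0
        for b in hits:
            bits |= b
        return bits & mask
    return e.get(("other", ""), 0)

def is_allowed(acl, owner, owning_group, oid, wanted: str, groups=(), rbac_grants=False) -> bool:
    """Azure role assignments are evaluated first; the ACL only matters when they do not grant."""
    need = perm_to_bits(wanted)
    return rbac_grants or (effective_perms(acl, owner, owning_group, oid, groups) & need) == need
```

The mask is what most often surprises people reviewing ACLs: a named user granted `rwx` still ends up with `r-x` when `mask::r-x` is present.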

The correct answer to this question is B. Hierarchical namespace.

Azure Storage supports several different types of data storage, including blobs, files, queues, and tables. Blobs are used to store large amounts of unstructured data, such as text, images, and videos. Azure Databricks is a fast, easy, and collaborative Apache Spark-based analytics platform that allows you to process large amounts of data. When you use Azure Databricks to access data stored in Azure Storage, you can use Azure AD authentication to control access to the data.

Azure AD is a cloud-based identity and access management service that allows you to manage user identities and access to resources in the cloud. By using Azure AD authentication with Azure Storage, you can grant access to individual blobs to specific users or groups in your organization.

To enable Azure AD authentication for a storage account, you need to create an Azure AD identity for the storage account and grant it access to the storage account. You can then use the Azure Storage SDK or REST API to set permissions for individual blobs.

The Advanced setting that you need to enable for storage1 to set permissions for individual blobs using Azure AD authentication is Hierarchical namespace. Hierarchical namespace is a feature of Azure Data Lake Storage Gen2 that allows you to organize data into a hierarchical file system. By using hierarchical namespace, you can store data in directories and subdirectories, which makes it easier to manage and access large amounts of data.

When you enable hierarchical namespace for a storage account, you can use Azure AD authentication to set permissions for individual blobs. This allows you to control access to specific blobs based on user identities and groups, which provides a more granular level of access control than traditional shared access signatures (SAS) or access keys.

In summary, to ensure that you can set permissions for individual blobs by using Azure AD authentication with Azure Databricks, you should enable the Hierarchical namespace Advanced setting for the storage account.