New Attribute-Based Access Control for Blob
- added 28. 07. 2024
- New levels of granularity controlling roles for blob data based on conditions.
docs.microsoft.com/en-us/azur...
00:00 Introduction
00:30 Control and data plane 101
02:54 Storage data plane RBAC
06:00 Blob index tags
07:05 ABAC basics
09:00 Read blob index tag demo
12:58 Blob data write requiring tag demo
15:11 Path data read demo
16:41 Summary
- Science & Technology
Good stuff! Thanks John, this looks like a very powerful feature! Great coverage.
Thanks John, well explained as usual
Thank you John..!!
This is very interesting thanks for making the video.
Glad it was helpful!
Great write-up. I wonder, could it be a solution for authorising access with frequently changing levels? So we have a data storage and all users have the read access role. But we add a per-user condition and assign an index tag when we want to allow a user access to a specific blob.... Would it work? What are the restrictions on the number of tags in a user assignment? (So can we dynamically add 100/500 tags to a user assignment?) How is it encoded in the access token (or is it evaluated in the backend)? If we need to provide URL-based access to the data, is it feasible to have a service requesting the blob content on behalf of the user via the REST API and presenting it via a URL? Or is there any better way? Or maybe you can share the name of the PM of the feature so I could try to find answers there..
Could you combine this with AAD B2C to control blob access and restrict to B2C users?
Subscriptions can't trust B2C instances for RBAC, only regular AAD. For B2C based apps would likely be more of a valet pattern.
Game changer indeed. Unfortunately, it seems for me the option to use tags as a condition is not yet available. I don't see it in the drop-down of choices of attributes. Only account name, container name or blob path. :-( Hopefully it'll be available soon.
That does not sound right. Check all the settings match mine and it's a GPv2 storage account (which is what mine was).
docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal#regional-availability-and-storage-account-support. You may need to register sub for the blob index
Possible it’s because I didn’t use Blob Storage Data Owner as the role. I think I recall you mentioned something about that. I was able to see the blob tags condition when I used storage data owner role. 😎
@stephane184 yes only owner can set tags
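The thread above turns on two points: an ABAC condition on a role assignment only narrows the one data action it names (here blob read), and writing blob index tags is a separate data action that only the Storage Blob Data Owner role carries. The following is an added illustration, not code from the video or from Microsoft: a toy evaluator that renders the documented condition string for a blob index tag and then decides sample requests against simplified role definitions. The role-to-action sets are a deliberately reduced subset of the real built-in roles, and the evaluator ignores everything else Azure RBAC does (deny assignments, inheritance, other condition operators).

```python
"""Toy model of Azure RBAC role assignments with an ABAC condition on blob
index tags. Added illustration; not Microsoft's evaluator."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Real data-action names from the built-in storage blob roles.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
BLOB_TAGS_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write"

# Simplified subset of the built-in roles' data actions (toy, not the full lists).
ROLES = {
    "Storage Blob Data Reader": {BLOB_READ},
    "Storage Blob Data Contributor": {BLOB_READ, BLOB_WRITE},
    "Storage Blob Data Owner": {BLOB_READ, BLOB_WRITE, BLOB_TAGS_WRITE},
}


@dataclass(frozen=True)
class TagCondition:
    """`action` is allowed only on blobs whose index tag `key` equals `value`.
    Any other action granted by the same role is left unrestricted."""
    action: str
    key: str
    value: str

    def render(self) -> str:
        """Render the condition in the documented ABAC syntax for blob index tags."""
        attr = ("@Resource[Microsoft.Storage/storageAccounts/blobServices/"
                f"containers/blobs/tags:{self.key}<$key_case_sensitive$>]")
        return (f"((!(ActionMatches{{'{self.action}'}})) OR "
                f"({attr} StringEquals '{self.value}'))")

    def evaluate(self, action: str, blob_tags: Dict[str, str]) -> bool:
        # The leading "!(ActionMatches ...) OR" clause means the tag test only
        # applies when the request is for the named action.
        if action != self.action:
            return True
        return blob_tags.get(self.key) == self.value


@dataclass(frozen=True)
class Assignment:
    role: str
    condition: Optional[TagCondition] = None


def is_allowed(assignments: Iterable[Assignment], action: str,
               blob_tags: Dict[str, str]) -> bool:
    """Allow if any assignment grants the action and its condition (if any) passes."""
    for a in assignments:
        if action not in ROLES[a.role]:
            continue
        if a.condition is None or a.condition.evaluate(action, blob_tags):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Sample decisions: a reader restricted to Project=Cascade, and an owner."""
    cond = TagCondition(BLOB_READ, "Project", "Cascade")
    reader = [Assignment("Storage Blob Data Reader", cond)]
    contributor = [Assignment("Storage Blob Data Contributor", cond)]
    owner = [Assignment("Storage Blob Data Owner")]
    cascade = {"Project": "Cascade"}   # constructed sample tags
    baker = {"Project": "Baker"}
    return {
        "reader_reads_cascade": is_allowed(reader, BLOB_READ, cascade),
        "reader_reads_baker": is_allowed(reader, BLOB_READ, baker),
        "reader_reads_untagged": is_allowed(reader, BLOB_READ, {}),
        "reader_writes": is_allowed(reader, BLOB_WRITE, cascade),
        # Condition names only the read action, so writes are unaffected.
        "contributor_writes_baker": is_allowed(contributor, BLOB_WRITE, baker),
        # Only the owner role carries the tags/write data action.
        "contributor_sets_tags": is_allowed(contributor, BLOB_TAGS_WRITE, baker),
        "owner_sets_tags": is_allowed(owner, BLOB_TAGS_WRITE, baker),
    }


if __name__ == "__main__":
    print(TagCondition(BLOB_READ, "Project", "Cascade").render())
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The rendered string is the shape that appears in the portal's code editor for a condition; the evaluator is only there to make the two semantics visible: a missing or mismatched tag denies the read, while the same principal's other actions pass through untouched.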