Does blobfuse2 support delegated access? #1240
- If you are talking about "user delegation SAS", then you can generate the SAS and provide auth-mode "sas" while mounting.
- Is each user given permissions through ACLs or RBAC? A Blobfuse mount requires an SPN/identity, and based on RBAC they will have their access. If it is through ACLs, then each user needs to mount with their own credentials (an identity which has the respective ACL), and that shall work. If the mount is done by one super user and you then wish each user to have their own access, it will not work, because blobfuse works based on who has mounted the file system and not who is using it.
- I see, so it seems like what I need is to have each Azure user mount using their own credentials. How can I do that? Based on the baseConfig file, there is no option for using Azure user credentials when mounting; the options are (mode: key | sas | spn | msi). Can you show me an example config on how to mount using Azure user credentials rather than a Service Principal?
- There is no direct way for this. Each user needs to have his/her own config file with the respective creds. Another way is to have a common file which does not take any cred-related info and share this file. Each user will have their own env variables describing their creds, and blobfuse reads them from the env and allows them to mount.
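The shared-config-plus-env-variables approach from the reply above, combined with the user delegation SAS from the first reply, as an added example that is not from this discussion or the blobfuse2 project. It assumes the blobfuse2 environment variables `AZURE_STORAGE_AUTH_TYPE` and `AZURE_STORAGE_SAS_TOKEN`, the credential key names in the `azstorage` section, and the `az storage container generate-sas --as-user` flags as documented upstream; the account and container names are constructed sample values.

```shell
#!/bin/sh
# Added example, not blobfuse2 project code. Env variable names, config keys and
# az CLI flags are assumptions taken from upstream docs; check them against the
# blobfuse2 README for your version.
set -eu

ACCOUNT="${ACCOUNT:-mystorageacct}"      # constructed sample values
CONTAINER="${CONTAINER:-shared-data}"

# Shared config: account and container only, no credential material, so one
# file can be world-readable while each user supplies their own token via env.
write_shared_config() {
    cat > "$1" <<EOF
components:
  - libfuse
  - file_cache
  - attr_cache
  - azstorage
azstorage:
  type: block
  account-name: $ACCOUNT
  container: $CONTAINER
EOF
    # Return non-zero if a credential key (assumed blobfuse2 names) leaked into the shared file.
    ! grep -Eq '^[[:space:]]*(account-key|sas|clientsecret|clientid|tenantid):' "$1"
}

# Per-user step: a user delegation SAS is signed with the caller's own signed-in
# identity (az login), so the token carries only the rights that user's RBAC grants.
export_user_sas() {
    sas=$(az storage container generate-sas --account-name "$ACCOUNT" --name "$CONTAINER" \
          --as-user --auth-mode login --permissions rl \
          --expiry "$(date -u -d '+8 hours' +%Y-%m-%dT%H:%MZ)" -o tsv)
    export AZURE_STORAGE_AUTH_TYPE=sas
    export AZURE_STORAGE_SAS_TOKEN="$sas"
}

# Refuse to mount unless the per-user credential is actually present in the env.
env_is_ready() {
    [ "${AZURE_STORAGE_AUTH_TYPE:-}" = "sas" ] && [ -n "${AZURE_STORAGE_SAS_TOKEN:-}" ]
}

if [ "${1:-}" = "mount" ]; then
    write_shared_config /etc/blobfuse2/shared.yaml
    export_user_sas
    env_is_ready || { echo "no per-user SAS in environment" >&2; exit 1; }
    blobfuse2 mount "$HOME/blob" --config-file=/etc/blobfuse2/shared.yaml
fi
```

Run as `sh mount-as-user.sh mount` after `az login`; each user gets a mount scoped to their own RBAC rights while sharing one credential-free config file.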
- Hi,
  I have a question about blobfuse2 authentication.
  I have seen that there are 4 types of authentication we can use in the configuration to connect to Azure Blob (mode: key | sas | spn | msi), and I am using SPN for my use case and this worked.
  However, I am trying to restrict access to some files/folders depending on the Azure user's credentials instead of the Service Principal when mounting. Does blobfuse2 support any type of delegated access wherein it uses the permissions of an Azure user and only allows access to specific folders where the user has access in the blob storage?
  I have also seen "oauth-token-path" in the baseConfig.yaml file, which can be set.
  I am not sure what this is for, as using SPN mode and not providing the "oauth-token-path" works fine; it gets the token automatically behind the scenes. Could this be something that can be used for that?