Azure ADLS Gen2 file created by Azure Databricks doesn't inherit ACL
I have a databricks notebook that is writing a dataframe to a file in ADLS Gen2 storage.
It creates a temp folder, outputs the file and then copies that file to a permanent folder. For some reason the file doesn't inherit the ACL correctly. The folder it creates has the correct ACL.
The code for the notebook:
#Get data into dataframe
df_export = spark.sql(SQL)
# OUTPUT file to temp directory coalesce(1) creates a single output data file
(df_export.coalesce(1).write.format("parquet")
.mode("overwrite")
.save(TempFolder))
#get the parquet file name. It's always the last in the folder as the other files are created starting with _
file = dbutils.fs.ls(TempFolder)[-1][0]
#create permanent copy
dbutils.fs.cp(file,FullPath)
The temp folder that is created shows the following for the relevant account.
Where the file shows the following.
There is also a mask. I'm not really familiar with masks so not sure how this differs.
The Mask permission on the folder shows
On the file it shows as
Does anyone have any idea why this wouldn't be inheriting the ACL from the parent folder?
I've had a response from Microsoft support which has resolved this issue for me.
Cause: Databricks stored files have Service principal as the owner of the files with permission -rw-r--r--, consequently forcing the effective permission of rest of batch users in ADLS from rwx (directory permission) to r-- which in turn causes jobs to fail
Resolution: To resolve this, we need to change the default mask (022) to custom mask (000) on Databricks end. You can set the following in Spark Configuration settings under your cluster configuration: spark.hadoop.fs.permissions.umask-mode 000
- PowerShell Get-Acl - Get members instead of group
- Symfony - Efficient access control for (dynamic) hierarchical roles
- Giving View permission to Databricks jobs using CLI or API
- Freeswitch ACL configuration for remote event socket
- How do I take ownership of a registry key via PowerShell?
- Remove specific user from ACL via Powershell
- Laravel 8 returns 403 UNAUTHORIZED ACCESS
- Group-level role authorization in Node.js
- Hashicorp Vault ACL Policy Templating / for Vault host key signing
- How do I fix a "(403) when calling the HeadObject operation: Forbidden"
- Powershell: IdentityNotMappedException when the user does exist when trying to update ownership for network folder
- AWS S3 Generating Signed Urls ''AccessDenied''
- Get-ChildItem -force reports "Access Denied" on My Documents folder and other junction points
- How do I run Get-ACL for HKLM:\Security?
- Is there a canonical way to reorder the DACL of an object after adding an ACE to it?
- Error "ORA-24247: network access denied by access control list (ACL)" while debugging with Oracle SQL Developer
- How to write a PowerShell script which export ACL permissions from all the containers of all GEn2 Storage account in subscription?
- Create per-object ACL in AWS with Terraform
- How do you programmatically fix a non-canonical ACL?
- Azure ADLS Gen2 file created by Azure Databricks doesn't inherit ACL
- Magento, using ACL for frontend. Possible?
- How to write to registry from script when user is able but script not?
- Is there any Powershell script which gives us ACL permissions from all the containers in Storage account Gen 2
- PS - Get All SMB shares with permissions
- What capability does a policy need in order to start jobs in Nomad?
- Oracle 19c :: Failed to set ACL's for specified User
- How to protect "master" in github?
- Amazon S3 ACL for read-only and write-once access
- Issues setting ACL rules for Redis with Bitnami Helm Chart on Kubernetes
- How to give one specific user rights to a folder in Inno Setup