[Storage] Bug: Updating Default Access Control Lists does not work #22144

Closed
YoshicoppensE61 opened this issue Dec 13, 2021 · 4 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. Data Lake Storage Gen2 needs-team-attention This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files)

Comments

@YoshicoppensE61

YoshicoppensE61 commented Dec 13, 2021

  • Package Name: azure-storage-file-datalake
  • Package Version: 12.5.0
  • Operating System: Windows
  • Python Version: 3.7.7

Describe the bug
Using the function update_access_control_recursive or set_access_control works well to update regular ACLs for files and folders. However, normally to update Default Access Control Lists it should suffice to add "default:" as a prefix, but here errors pop up. I can add a default Access Control List for the standard options (owning group [default:group::r-x], owner [default:user::r-x], other [default:other::---]), but when I try to add an actual aad_id from a different AD group (using default:user:xxx..xxxx:r-x) I get an error.

(InvalidNamedUserOrNamedGroup) The named user or named group in the access control list is not valid.
RequestId:d216f552-d01f-003e-2e3f-f0a57a000000
Time:2021-12-13T16:39:14.8081970Z

For the same AD group, I do succeed in updating the Access ACL, so I'm not sure why this is going wrong; maybe there is some kind of filter on it?

To Reproduce
Steps to reproduce the behavior:

  1. Create an Azure Data Lake Gen 2
  2. Create a container in the storage account
  3. Create a folder in the container
  4. ```python
     from azure.identity import ClientSecretCredential
     from azure.storage.filedatalake import DataLakeServiceClient

     credential = ClientSecretCredential(tenant_id, client_id, client_secret)
     service_client = DataLakeServiceClient(
         account_url="{}://{}.dfs.core.windows.net".format("https", storage_account_name),
         credential=credential)
     # container_name / directory_name: placeholders for the container (step 2)
     # and folder (step 3); the values were elided in the original report
     file_system_client = service_client.get_file_system_client(file_system=container_name)
     directory_client = file_system_client.get_directory_client(directory_name)
     # <aad_id>: placeholder for the AAD object ID of the user/group
     acl = 'default:user:<aad_id>:r-x'
     directory_client.update_access_control_recursive(acl=acl)
     ```

Expected behavior
If I just add a default ACL rule via the Azure Portal for the same AD Group, it just immediately works when I try to save it. So I would expect no error here and the group to be added to the ACL rules.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 13, 2021
@YoshicoppensE61 YoshicoppensE61 changed the title Trying to update Default Access Control Lists does not work Updating Default Access Control Lists does not work Dec 13, 2021
@YoshicoppensE61 YoshicoppensE61 changed the title Updating Default Access Control Lists does not work [Storage] Bug: Updating Default Access Control Lists does not work Dec 13, 2021
@yunhaoling yunhaoling added bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. Data Lake Storage Gen2 and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 14, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Dec 14, 2021
@yunhaoling
Contributor

thanks @YoshicoppensE61 for reaching out, we'll investigate ASAP.

@ghost ghost added the needs-team-attention This issue needs attention from Azure service team or SDK team label Dec 14, 2021
@jalauzon-msft jalauzon-msft added the Storage Storage Service (Queues, Blobs, Files) label May 21, 2022
@jalauzon-msft
Member

Hi @YoshicoppensE61, apologies for this never getting looked at. It seems it fell off the radar. Are you still experiencing the issue? I was not able to repro this in local testing so it seems the SDK should support this scenario just fine.

My one suspicion is your use of ClientSecretCredential here which means you are using AAD Auth to attempt to update the ACLs. Have you configured your RBAC roles for that identity correctly to update ACLs? To update ACLs you must have the "Storage Blob Data Owner" (or equivalent) role assigned to your identity. See more details here. If this is not configured correctly it could explain why the request is saying it can't find the user you specified. This could also explain why it works for you in the Azure Portal because there you are authenticated as yourself.

If you are flexible in your credential type, you could also try using Shared Key auth to make the update or DefaultAzureCredential.
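Before attributing an InvalidNamedUserOrNamedGroup response to permissions, it is worth ruling out a malformed ACL string on the client side. The following is an added example (not code from azure-storage-file-datalake or from this thread; the helper names are hypothetical) that parses and builds ADLS Gen2 ACL entries in the `[default:]<type>:[<object-id>]:<perms>` format the issue uses, rejecting placeholder or display-name qualifiers that the service can never resolve. It only checks syntax locally; whether an object ID actually exists and whether the caller holds the role to update ACLs is still decided by the service.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical helpers; ADLS Gen2 ACL entry format: "[default:]<type>:[<object-id>]:<perms>"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PERMS_RE = re.compile(r"^[r-][w-][x-]$")
ENTRY_TYPES = {"user", "group", "mask", "other"}


@dataclass(frozen=True)
class AclEntry:
    etype: str
    qualifier: str      # AAD object ID for a named user/group, "" for owner/group/mask/other
    perms: str          # rwx triplet, "-" for a permission not granted
    default: bool = False   # True for a "default:" (inherited-by-children) entry

    def __str__(self) -> str:
        prefix = "default:" if self.default else ""
        return f"{prefix}{self.etype}:{self.qualifier}:{self.perms}"


def parse_entry(text: str) -> AclEntry:
    """Validate one ACL entry; raise ValueError on anything the service cannot accept."""
    parts = text.strip().split(":")
    default = False
    if parts and parts[0] == "default":
        default = True
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"malformed ACL entry: {text!r}")
    etype, qualifier, perms = parts
    if etype not in ENTRY_TYPES:
        raise ValueError(f"unknown entry type {etype!r} in {text!r}")
    if not PERMS_RE.match(perms):
        raise ValueError(f"permissions must be an rwx/- triplet in {text!r}")
    if etype in ("mask", "other") and qualifier:
        raise ValueError(f"{etype} entries take no qualifier: {text!r}")
    if qualifier and not GUID_RE.match(qualifier):
        # Named users/groups are addressed by AAD object ID, never by name or placeholder.
        raise ValueError(f"qualifier is not an AAD object ID: {text!r}")
    return AclEntry(etype, qualifier, perms, default)


def parse_acl(acl: str) -> List[AclEntry]:
    """Parse the comma-separated ACL string passed to set/update_access_control*."""
    return [parse_entry(e) for e in acl.split(",") if e.strip()]


def build_acl(entries: Iterable[AclEntry]) -> str:
    return ",".join(str(e) for e in entries)
```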

@jalauzon-msft jalauzon-msft added the needs-author-feedback More information is needed from author to address the issue. label Aug 31, 2022
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Sep 8, 2022
@ghost

ghost commented Sep 8, 2022

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@YoshicoppensE61
Author

@jalauzon-msft Hi, I think I worked around it or maybe I managed to fix it somehow, but in any case, the setup I was going for works now, so you can close this ticket!

@ghost ghost removed needs-author-feedback More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. labels Sep 12, 2022
azure-sdk pushed a commit to azure-sdk/azure-sdk-for-python that referenced this issue Jan 11, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023