
Deleting file share snapshots succeeds if the storage account has the 'Storage File Data Privileged Reader' role with 'Disable Usage Of Keys' checked

Open v-kellyluo opened this issue 1 year ago • 4 comments

Storage Explorer Version: 1.34.0-dev (98)
Build Number: 20240305.3
Branch: main
Platform/OS: Windows 10 / Linux Ubuntu 22.04 / MacOS Sonoma 14.3 (Apple M1 Pro)
Architecture: x64 / x64 / x64
How Found: From running test cases
Regression From: Not a regression

Steps to Reproduce

  1. Launch Storage Explorer -> Check the settings 'Enable Files OAuth Support' and 'Disable Usage Of Keys'.
  2. Restart Storage Explorer.
  3. Expand one storage account which has assigned a role 'Storage File Data Privileged Reader' -> File Shares.
  4. Right click one file share -> Click 'Create Snapshot'.
  5. Click 'View Share Snapshots' -> Try to delete the snapshot.
  6. Check whether deleting the snapshot fails.

Expected Experience

Deleting the snapshot fails.

Actual Experience

Deleting the snapshot succeeds.

v-kellyluo, Mar 05 '24 07:03

@v-kellyluo can y'all double check your access on the storage account you repro this with? When I try to repro I get this error, which I expect:


For reference, these are the roles I have on the account I tested with:

MRayermannMSFT, Mar 05 '24 19:03

Hi @MRayermannMSFT,

After checking the 'Enable Files OAuth Support' and 'Disable Usage Of Keys' settings, I signed in with only one account, then assigned the 'Storage File Data Privileged Reader' role to the signed-in account. It still succeeds in deleting the snapshots. Could you help take a look?

These are the roles I have on the account I tested with:

v-kellyluo, Mar 06 '24 02:03

@v-kellyluo , the owner role is problematic. It gives you permissions to do literally anything.

MRayermannMSFT, Mar 06 '24 06:03

Hi @MRayermannMSFT ,

  1. We can only delete snapshots successfully; we cannot execute the 'Upload/Delete/Rename/Move' actions, please see the screenshot:

  2. And for blob containers, if we sign in with only one account and assign the 'Storage Blob Data Reader' role to the signed-in account, it fails to execute any actions except 'Read'. Should this be consistent?

v-kellyluo, Mar 06 '24 07:03

@v-kellyluo this is by design. The owner role gives you permissions to create & delete both file share and their snapshots.

MRayermannMSFT, Jul 09 '24 23:07
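The two maintainer replies above make the same point: a data-plane role such as 'Storage File Data Privileged Reader' limits what you can do with file contents, but a broad control-plane role like Owner, usually inherited from the subscription or resource group, still lets you create and delete shares and their snapshots through the management API. The audit helper below, added here as an example rather than code from Storage Explorer or the issue, shows how to confirm that explanation before filing a bug: it takes role assignments in the shape that `az role assignment list --all -o json` emits (only the `principalName`, `roleDefinitionName` and `scope` fields are used), keeps those whose scope covers the target storage account, and separates broad control-plane roles from Azure Files data-plane roles. The subscription id, resource group, account names, principals and assignments are all constructed placeholders, not values from this thread.

```python
"""Explain which role assignments give a principal management rights on a storage account.

Added example, not Storage Explorer code. Feed it the parsed output of
`az role assignment list --all -o json` (json.loads) and the resource id of the
storage account; the sample data below is constructed.
"""
import json

# Built-in roles whose control-plane (ARM) permissions cover creating and
# deleting file shares and share snapshots, whatever data-plane roles exist.
BROAD_CONTROL_PLANE_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}

# Azure Files data-plane roles: they govern access to file contents over
# OAuth, but grant no ARM management rights on the account or its shares.
FILE_DATA_PLANE_ROLES = {
    "Storage File Data Privileged Reader",
    "Storage File Data Privileged Contributor",
    "Storage File Data SMB Share Reader",
    "Storage File Data SMB Share Contributor",
    "Storage File Data SMB Share Elevated Contributor",
}

# Constructed placeholder scopes (all-zero subscription id, invented names).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT_SCOPE = (SUBSCRIPTION + "/resourceGroups/rg-example"
                 "/providers/Microsoft.Storage/storageAccounts/stexample")
SIBLING_ACCOUNT_SCOPE = (SUBSCRIPTION + "/resourceGroups/rg-other"
                         "/providers/Microsoft.Storage/storageAccounts/stother")

# Constructed assignments mimicking the fields in `az role assignment list` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "kelly@example.com",
     "roleDefinitionName": "Storage File Data Privileged Reader", "scope": ACCOUNT_SCOPE},
    {"principalName": "kelly@example.com",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},          # inherited
    {"principalName": "svc-reporting",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT_SCOPE},
    {"principalName": "kelly@example.com",
     "roleDefinitionName": "Contributor", "scope": SIBLING_ACCOUNT_SCOPE},  # unrelated
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope as subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if "providers" in parts:
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"


def applies_to(assignment_scope: str, target_scope: str) -> bool:
    """True when the assignment's scope is the target or one of its ancestors."""
    a = assignment_scope.lower().rstrip("/") + "/"
    t = target_scope.lower().rstrip("/") + "/"
    return t.startswith(a)


def audit(assignments, principal: str, target_scope: str) -> dict:
    """Bucket the principal's effective assignments on target_scope by what they grant."""
    report = {"broad": [], "file_data_plane": [], "other": [], "can_manage_shares": False}
    for a in assignments:
        if a["principalName"].lower() != principal.lower():
            continue
        if not applies_to(a["scope"], target_scope):
            continue
        role = a["roleDefinitionName"]
        entry = {"role": role, "scope": a["scope"], "inherited_from": scope_level(a["scope"])}
        if role in BROAD_CONTROL_PLANE_ROLES:
            report["broad"].append(entry)
            report["can_manage_shares"] = True
        elif role in FILE_DATA_PLANE_ROLES:
            report["file_data_plane"].append(entry)
        else:
            report["other"].append(entry)
    return report


if __name__ == "__main__":
    # With real data: assignments = json.loads(open("assignments.json").read())
    for who in ("kelly@example.com", "svc-reporting"):
        print(who, json.dumps(audit(SAMPLE_ASSIGNMENTS, who, ACCOUNT_SCOPE), indent=2))
```

For the constructed user the report lists the Privileged Reader assignment under `file_data_plane` and the subscription-level Owner under `broad`, so `can_manage_shares` is true even though no Files data-plane role allows it; that matches the behaviour the reporter saw, where uploads and deletes of files fail but snapshot deletion succeeds. Assignments on a sibling account are ignored because their scope does not cover the target.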