
Azure Data Lake Storage Gen1 implements an access control model that derives from HDFS, which in turn derives from the POSIX access control model. This article summarizes the basics of the access control model for Data Lake Storage Gen1.

Access control lists on files and folders

There are two kinds of access control lists (ACLs): Access ACLs and Default ACLs.

  • Access ACLs: These control access to an object. Files and folders both have Access ACLs.

  • Default ACLs: A 'template' of ACLs associated with a folder that determines the Access ACLs for any child items created under that folder. Files do not have Default ACLs.


Both Access ACLs and Default ACLs have the same structure.

Note

Changing the Default ACL on a parent does not affect the Access ACL or Default ACL of child items that already exist.

Permissions

The permissions on a filesystem object are Read, Write, and Execute, and they can be used on files and folders as shown in the following table:

Permission    File                                                              Folder
Read (R)      Can read the contents of a file                                   Requires Read and Execute to list the contents of the folder
Write (W)     Can write or append to a file                                     Requires Write and Execute to create child items in a folder
Execute (X)   Does not mean anything in the context of Data Lake Storage Gen1   Required to traverse the child items of a folder

Short forms for permissions

RWX is used to indicate Read + Write + Execute. A more condensed numeric form exists in which Read=4, Write=2, and Execute=1, the sum of which represents the permissions. Following are some examples.

Numeric form   Short form   What it means
7              RWX          Read + Write + Execute
5              R-X          Read + Execute
4              R--          Read
0              ---          No permissions

Permissions do not inherit

In the POSIX-style model that's used by Data Lake Storage Gen1, permissions for an item are stored on the item itself. In other words, permissions for an item cannot be inherited from the parent items.

Common scenarios related to permissions

Following are some common scenarios to help you understand which permissions are needed to perform certain operations on a Data Lake Storage Gen1 account.

Operation   Object               /     Seattle/   Portland/   Data.txt
Read        Data.txt             --X   --X        --X         R--
Append to   Data.txt             --X   --X        --X         -W-
Delete      Data.txt             --X   --X        -WX         ---
Create      Data.txt             --X   --X        -WX         ---
List        /                    R-X   ---        ---         ---
List        /Seattle/            --X   R-X        ---         ---
List        /Seattle/Portland/   --X   --X        R-X         ---

Note

Write permission on the file itself is not required to delete it, as long as the two conditions in the Delete row hold: the folder that contains the file grants Write + Execute, and every folder above it grants Execute.

Users and identities

Every file and folder has distinct permissions for these identities:

  • The owning user
  • The owning group
  • Named users
  • Named groups
  • All other users

The identities of users and groups are Azure Active Directory (Azure AD) identities. So unless otherwise noted, a 'user,' in the context of Data Lake Storage Gen1, can either mean an Azure AD user or an Azure AD security group.

The super-user

A super-user has the most rights of all the users in the Data Lake Storage Gen1 account. A super-user:

  • Has RWX Permissions to all files and folders.
  • Can change the permissions on any file or folder.
  • Can change the owning user or owning group of any file or folder.

All users that are part of the Owners role for a Data Lake Storage Gen1 account are automatically super-users.

The owning user

The user who created the item is automatically the owning user of the item. An owning user can:

  • Change the permissions of a file that they own.
  • Change the owning group of a file that they own, as long as the owning user is also a member of the target group.

Note

The owning user cannot change the owning user of a file or folder. Only super-users can change the owning user of a file or folder.

The owning group

Background

In the POSIX ACLs, every user is associated with a 'primary group.' For example, user 'alice' might belong to the 'finance' group. Alice might also belong to multiple groups, but one group is always designated as her primary group. In POSIX, when Alice creates a file, the owning group of that file is set to her primary group, which in this case is 'finance.' The owning group otherwise behaves similarly to assigned permissions for other users/groups.

Because there is no "primary group" associated with users in Data Lake Storage Gen1, the owning group is assigned as follows.

Assigning the owning group for a new file or folder

  • Case 1: The root folder '/'. This folder is created when a Data Lake Storage Gen1 account is created. In this case, the owning group is set to an all-zero GUID. This value does not permit any access. It is a placeholder until such time a group is assigned.
  • Case 2 (Every other case): When a new item is created, the owning group is copied from the parent folder.

Changing the owning group

The owning group can be changed by:

  • Any super-users.
  • The owning user, if the owning user is also a member of the target group.

Note

The owning group cannot change the ACLs of a file or folder.

For accounts created on or before September 2018, the owning group of the root folder (Case 1 above) was set to the user who created the account. A single user account is not valid for granting permissions via the owning group, so this default grants no permissions. You can assign the owning group to a valid user group instead.

Access check algorithm

The following pseudocode represents the access check algorithm for Data Lake Storage Gen1 accounts.
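The pseudocode itself is not reproduced on this page. The following is an added example, not the article's own pseudocode, that models the access check as the text describes it: super-users first, then the owning user (mask not applied), then named users, the owning group and named groups (mask applied), and finally other. It also walks a path component by component with the per-component requirements from the scenario table above, so the "delete without Write on the file" case can be checked. The `AccessAcl` class, the `can_perform` helper, the identities, group memberships and the sample `/Seattle/Portland/Data.txt` tree are all constructed for this example; the sticky bit is not modelled.

```python
# Added example, not the article's own pseudocode: a small model of the
# Data Lake Storage Gen1 access check (super-user, owning user, named users,
# owning group and named groups, other) and of the per-path requirements in
# the scenario table. Identities, group memberships and the sample tree are
# constructed for this example; the sticky bit is not modelled.

R, W, X = 4, 2, 1  # numeric short forms from the article


def to_short(perms):
    """Numeric form to short form, e.g. 5 -> 'R-X'."""
    return ("R" if perms & R else "-") + ("W" if perms & W else "-") + ("X" if perms & X else "-")


def from_short(text):
    """Short form to numeric form, e.g. 'RWX' -> 7."""
    return ((R if text[0] == "R" else 0) | (W if text[1] == "W" else 0)
            | (X if text[2] == "X" else 0))


class AccessAcl:
    """Access ACL of one item. owner and owning_group are (identity, perms) pairs;
    named_users / named_groups map identity -> perms; mask and other are perms."""

    def __init__(self, owner, owning_group, named_users=None, named_groups=None,
                 mask=7, other=0):
        self.owner = owner
        self.owning_group = owning_group
        self.named_users = named_users or {}
        self.named_groups = named_groups or {}
        self.mask = mask
        self.other = other


def access_check(user, groups_of, superusers, acl, desired):
    """True if `user` holds every bit of `desired` on the item with `acl`.
    The mask is applied to named users, the owning group and named groups,
    not to the owning user or to other (as the article's mask section states)."""
    if user in superusers:                      # super-users always have RWX
        return True
    if user == acl.owner[0]:                    # owning user: mask NOT applied
        return (desired & acl.owner[1]) == desired
    if user in acl.named_users:                 # named user: mask applied
        if (desired & acl.named_users[user] & acl.mask) == desired:
            return True
    groups = groups_of.get(user, set())         # owning group + named groups: mask applied
    for group, perms in [acl.owning_group] + list(acl.named_groups.items()):
        if group in groups and (desired & perms & acl.mask) == desired:
            return True
    return (desired & acl.other) == desired     # everyone else: mask NOT applied


# Requirements per path component, taken from the scenario table:
# (every other ancestor, immediate parent, target). None = target does not exist yet.
OPERATION_REQS = {
    "read":   (X, X, R),
    "append": (X, X, W),
    "delete": (X, W | X, 0),      # no permission needed on the file itself
    "create": (X, W | X, None),
    "list":   (X, X, R | X),
}


def can_perform(user, op, path, acls, groups_of, superusers):
    """Walk '/', each ancestor and the target, checking the bits each one needs.
    `acls` maps every existing path (including '/') to its AccessAcl."""
    ancestor_req, parent_req, target_req = OPERATION_REQS[op]
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    target, parent = prefixes[-1], (prefixes[-2] if len(prefixes) > 1 else None)
    for p in prefixes[:-1]:
        req = parent_req if p == parent else ancestor_req
        if not access_check(user, groups_of, superusers, acls[p], req):
            return False
    if target_req is None:
        return True
    return access_check(user, groups_of, superusers, acls[target], target_req)


# Constructed sample: the article's /Seattle/Portland/Data.txt tree. alice is in
# 'finance'; bob is in no group; 'admin' is in the account's Owners role.
ROOT_GROUP = "00000000-0000-0000-0000-000000000000"  # all-zero GUID of '/' (Case 1)
GROUPS = {"alice": {"finance"}, "bob": set()}
SUPERUSERS = {"admin"}
ACLS = {
    "/":                          AccessAcl(("svc-admin", 7), (ROOT_GROUP, 0), named_groups={"finance": X}),
    "/Seattle":                   AccessAcl(("svc-admin", 7), ("finance", X)),
    "/Seattle/Portland":          AccessAcl(("svc-admin", 7), ("finance", R | W | X)),
    "/Seattle/Portland/Data.txt": AccessAcl(("svc-admin", 7), ("finance", R)),
}
# Same file, but with a mask of -WX: the group's R is filtered out for alice,
# while the owning user is unaffected by the mask.
MASKED = AccessAcl(("svc-admin", 7), ("finance", R), mask=W | X)

if __name__ == "__main__":
    for op in ("read", "append", "delete"):
        ok = can_perform("alice", op, "/Seattle/Portland/Data.txt", ACLS, GROUPS, SUPERUSERS)
        print(f"alice {op:6} Data.txt -> {ok}")
```

Running the module shows alice can read and delete `Data.txt` but not append to it: delete is decided entirely by the Write + Execute bits on `/Seattle/Portland`, which is the point of the note under the scenario table. The `MASKED` ACL shows the mask narrowing what a group entry grants without touching the owning user.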

The mask

As illustrated in the Access Check Algorithm, the mask limits access for named users, the owning group, and named groups.

Note

For a new Data Lake Storage Gen1 account, the mask for the Access ACL of the root folder ('/') defaults to RWX.

The sticky bit

The sticky bit is a more advanced feature of a POSIX filesystem. In the context of Data Lake Storage Gen1, it is unlikely that the sticky bit will be needed. In summary, if the sticky bit is enabled on a folder, a child item can only be deleted or renamed by the child item's owning user.

The sticky bit is not shown in the Azure portal.

Default permissions on new files and folders

When a new file or folder is created under an existing folder, the Default ACL on the parent folder determines:

  • A child folder’s Default ACL and Access ACL.
  • A child file's Access ACL (files do not have a Default ACL).

umask

When creating a file or folder, umask is used to modify how the default ACLs are set on the child item. umask is a 9-bit value on parent folders that contains an RWX value for owning user, owning group, and other.

The umask for Azure Data Lake Storage Gen1 is a constant value set to 007. This value translates to the following:

umask component      Numeric form   Short form   Meaning
umask.owning_user    0              ---          For owning user, copy the parent's Default ACL to the child's Access ACL
umask.owning_group   0              ---          For owning group, copy the parent's Default ACL to the child's Access ACL
umask.other          7              RWX          For other, remove all permissions on the child's Access ACL

The umask value used by Azure Data Lake Storage Gen1 effectively means that the permissions for other are never propagated to new children by default, regardless of what the Default ACL indicates.

The following pseudocode shows how the umask is applied when creating the ACLs for a child item.
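The pseudocode is not reproduced on this page. The following is an added example, not the article's own pseudocode, showing the effect described in the umask and default-permissions sections: a new child's Access ACL is the parent's Default ACL with the 007 umask applied (owning user and owning group copied, other stripped), a new folder also receives a copy of the parent's Default ACL, and the owning group is copied from the parent (Case 2). The dict layout, the `apply_umask` and `create_child` helpers, and the sample parent folder are constructed for this example; copying the Default ACL to a child folder unchanged is this model's assumption.

```python
# Added example, not the article's own pseudocode: how the ACLs of a new child
# are derived from the parent's Default ACL with the fixed umask of 007, and
# how the owning group is copied from the parent (Case 2). The dict layout,
# the sample tree and the group names are constructed for this example.

R, W, X = 4, 2, 1
UMASK = {"owning_user": 0, "owning_group": 0, "other": R | W | X}  # 007


def to_short(perms):
    """Numeric form to short form, e.g. 5 -> 'R-X'."""
    return ("R" if perms & R else "-") + ("W" if perms & W else "-") + ("X" if perms & X else "-")


def apply_umask(default_acl, umask=UMASK):
    """Build a child's Access ACL from its parent's Default ACL.
    A set umask bit removes that permission; umask has no bits for named
    entries or the mask, so those are copied unchanged."""
    return {
        "owning_user":  default_acl["owning_user"]  & ~umask["owning_user"]  & 7,
        "owning_group": default_acl["owning_group"] & ~umask["owning_group"] & 7,
        "other":        default_acl["other"]        & ~umask["other"]        & 7,
        "named_users":  dict(default_acl.get("named_users", {})),
        "named_groups": dict(default_acl.get("named_groups", {})),
        "mask":         default_acl.get("mask", 7),
    }


def create_child(parent, name, is_folder):
    """Create `name` under `parent` (dict with 'owning_group' and 'default_acl').
    Files get only an Access ACL; folders also get a copy of the parent's
    Default ACL as their own Default ACL (this model copies it unchanged).
    The copy is what makes later changes to the parent's Default ACL
    invisible to children that already exist."""
    child = {
        "name": name,
        "is_folder": is_folder,
        "owning_group": parent["owning_group"],        # Case 2: copied from the parent
        "access_acl": apply_umask(parent["default_acl"]),
    }
    if is_folder:
        child["default_acl"] = {k: (dict(v) if isinstance(v, dict) else v)
                                for k, v in parent["default_acl"].items()}
    return child


def describe(acl):
    """Render the owner/group/other part of an ACL as e.g. '750 (RWX:R-X:---)'."""
    nums = [acl["owning_user"], acl["owning_group"], acl["other"]]
    return "%d%d%d (%s)" % (nums[0], nums[1], nums[2], ":".join(to_short(n) for n in nums))


# Constructed sample parent: its Default ACL grants R-X to 'other', which the
# umask strips from every child even though the Default ACL says otherwise.
PARENT = {
    "name": "/Seattle",
    "owning_group": "finance",
    "default_acl": {"owning_user": 7, "owning_group": 5, "other": 5,
                    "named_users": {"alice": R}, "named_groups": {}, "mask": 7},
}

if __name__ == "__main__":
    data = create_child(PARENT, "Data.txt", is_folder=False)
    portland = create_child(PARENT, "Portland", is_folder=True)
    print("Data.txt access ACL :", describe(data["access_acl"]))       # 750 (RWX:R-X:---)
    print("Portland default ACL:", describe(portland["default_acl"]))  # 755 (RWX:R-X:R-X)
```

The file ends up with `750` although the parent's Default ACL says `755`: the only bits the umask removes are the ones for other, and the named-user entry for alice survives untouched. The child folder keeps the full `755` in its own Default ACL, so its future children are derived the same way.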

Common questions about ACLs in Data Lake Storage Gen1

Do I have to enable support for ACLs?

No. Access control via ACLs is always on for a Data Lake Storage Gen1 account.

Which permissions are required to recursively delete a folder and its contents?

  • The parent folder must have Write + Execute permissions.
  • The folder to be deleted, and every folder within it, requires Read + Write + Execute permissions.

Note

You do not need Write permissions to delete files in folders. Also, the root folder '/' can never be deleted.

Who is the owner of a file or folder?

The creator of a file or folder becomes the owner.

Which group is set as the owning group of a file or folder at creation?

The owning group is copied from the owning group of the parent folder under which the new file or folder is created.

I am the owning user of a file but I don’t have the RWX permissions I need. What do I do?

The owning user can change the permissions of the file to give themselves any RWX permissions they need.

When I look at ACLs in the Azure portal I see user names but through APIs, I see GUIDs, why is that?

Entries in the ACLs are stored as GUIDs that correspond to users in Azure AD. The APIs return the GUIDs as is. The Azure portal tries to make ACLs easier to use by translating the GUIDs into friendly names when possible.

Why do I sometimes see GUIDs in the ACLs when I'm using the Azure portal?

A GUID is shown when the user doesn't exist in Azure AD anymore. Usually this happens when the user has left the company or if their account has been deleted in Azure AD. Also, ensure that you're using the right ID for setting ACLs (details in question below).

When using service principal, what ID should I use to set ACLs?

On the Azure Portal, go to Azure Active Directory -> Enterprise applications and select your application. The Overview tab should display an Object ID and this is what should be used when adding ACLs for data access (and not Application Id).

Does Data Lake Storage Gen1 support inheritance of ACLs?

No, but Default ACLs can be used to set the ACLs of files and folders newly created under the parent folder.

Where can I learn more about POSIX access control model?
