Azure Control plane vs Data plane

Ever heard about the Azure Control plane vs Data plane segregation? You heard of plane segregation but couldn't quite make sense of it? Wondered why you can upload files to storage accounts, even without data access?


Let's take a look.


In all simplicity, we have actions and data actions. Actions cover resource creation and configuration. Data actions cover reading, writing and deleting data. (There is a fairly common misconception that ‘Owner’ can do everything; that is not the case.)

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane


Sounds simple enough, right?


Let's have a quick look at some of the underlying roles which make this possible. For this example we will use an Azure storage account.


But first, let's look at some roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).


Owner is defined here:


As you can see, we have all actions, and no data actions. Just as we would expect, the owner role grants us access to configure resources, but not edit data.


Blob Storage Data contributor is defined here:


This grants us data actions, perfect!


With the above knowledge, let's test it and see what happens. Having the 'Owner' role, I expect to be able to create a storage account, configure it. But not be able to see, or modify data.


To test, I will create a storage account through the portal and see if I can create a container.


I press create, and…


Perfect. Works as expected, right?


Let's verify that we cannot upload files… Odd, I can see the content of my container:


Let's see if I can upload a file…


That works too… Odd, that is unexpected.


Now, let's verify that I do not have data actions on the storage account. A quick trip to ‘Access control (IAM)’ shows the following:


Neither ‘Owner’ nor ‘User Access administrator’ grants data actions, hmmm…


So what happened?


First, let's take a small detour to ‘Shared Access Signature (SAS)’:

Here we can generate tokens which do carry data access. We will ignore most of the details, but make a mental note of what a SAS token looks like:


Mental picture:

?sv=2021-06-08&ss=bfqt&srt=c&sp=rwdlacupiytfx&se=2022-11-11T06:17:35Z&st=2022-11-10T22:17:35Z&spr=https&sig=HmKha9E68HoTHUmbEQQ1lkLSqV0h8pjUC4gvMWgtm30%3D


Let's go back and upload a file with some browser debugging, to see what is really happening:

Lots of info here, but the important part is the URL for the PUT:

https://bvcbvcbvcbvc.blob.core.windows.net/test/dsadsa.PNG?sv=2021-06-08&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2022-11-11T05:16:23Z&sig=UsNGzOh/P0i/2Z+qFnyomxAs4RF3kI9PiOXwQ8eIaBM=&_=1668118880873


Compare that to the mental note we made earlier. We have a sig value! So even though we do not have data actions, we can generate SAS tokens, which enable us to upload files. Tada!


All this magically happens through the portal. And while it is lovely for usability, it somewhat clouds the data vs control plane separation.


So, can we make the portal give us a better user experience which fits the plane separation? Glad you asked! We can.


Going to the configuration of the storage account we see the following:


Set ‘Default to Azure Active Directory authorization in the Azure portal’ to ‘Enabled’.


Now let's see what happens when we attempt to upload a file:

We are no longer able to see the file content of our container, yay! But also, buuuh! We want to upload files! But at least we are getting the expected behavior from having separate control and data planes.


To enable this we go to ‘Access Control (IAM)’ and add ourselves the ‘Blob Storage Data contributor’ role.


When we go to the container, we can now see the content:


Uploading a file with browser debugging enabled shows us what changed:

This time the URL for the PUT is:

https://bvcbvcbvcbvc.blob.core.windows.net/test/Capture.PNG


No SAS token. Looking at the headers, we can see that the request now uses our standard Authorization: Bearer token.
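To make the difference between the two PUT requests (the SAS-signed one from the detour above and the bearer-token one here) checkable rather than eyeballed, here is an added example that is not part of the original post: it parses a captured blob URL, tells SAS-signed requests apart from AAD bearer requests, and flags write requests that were authorized with a SAS. The permission-letter mapping for sp= is my assumption from the account-SAS format, the two sample records are constructed from the URLs in the post, and the bearer token is a placeholder.

```python
"""Classify captured blob-storage requests: SAS-signed vs AAD bearer token."""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common account-SAS permission letters in the sp= field (assumed mapping;
# only the write-capable letters matter for the flagging below).
SAS_PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
                   "a": "add", "c": "create", "u": "update", "p": "process"}
WRITE_LETTERS = set("wdacu")


def parse_sas(url: str):
    """Return the SAS fields of a storage URL, or None when the query has no sig=."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in query:
        return None
    sp = query.get("sp", "")
    expiry = None
    if "se" in query:
        try:
            expiry = datetime.strptime(query["se"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:  # a date-only expiry is left unparsed
            pass
    return {
        "version": query.get("sv"),
        "services": query.get("ss"),         # b=blob, q=queue, t=table, f=file
        "resource_types": query.get("srt"),  # s=service, c=container, o=object
        "permissions": [SAS_PERMISSIONS.get(c, c) for c in sp],
        "grants_write": bool(WRITE_LETTERS & set(sp)),
        "expiry": expiry,
    }


def auth_mode(url: str, headers: dict) -> str:
    """'sas' if the URL is SAS-signed, 'aad_bearer' for an OAuth bearer header, else 'none'."""
    if parse_sas(url) is not None:
        return "sas"
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    return "aad_bearer" if auth.lower().startswith("bearer ") else "none"


def flag_sas_writes(requests):
    """(method, url) of write requests that were authorized with a SAS instead of AAD."""
    return [(m, u) for m, u, h in requests
            if m in ("PUT", "DELETE", "PATCH") and auth_mode(u, h) == "sas"]


# Constructed sample: the PUT before and after enabling AAD authorization in the portal.
SAMPLE = [
    ("PUT", "https://bvcbvcbvcbvc.blob.core.windows.net/test/dsadsa.PNG?sv=2021-06-08&ss=bqtf"
            "&srt=sco&sp=rwdlacuptfxiy&se=2022-11-11T05:16:23Z&sig=UsNGzOh/P0i/2Z+qFnyomxAs4RF3kI9"
            "PiOXwQ8eIaBM=&_=1668118880873", {}),
    ("PUT", "https://bvcbvcbvcbvc.blob.core.windows.net/test/Capture.PNG",
            {"Authorization": "Bearer <aad-token-placeholder>"}),
]
```

Run `flag_sas_writes(SAMPLE)` over requests captured from the browser (or from storage diagnostic logs) and an empty result means every write went through AAD, which is what the ‘Default to Azure Active Directory authorization’ setting plus a data role should give you.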


Note: when making configuration changes or role assignments, it can take a few minutes for them to take effect. So be patient (or spam refresh like the rest of us).
