Exam DP-201 topic 1 question 29 discussion

sometimes u guys commenting confuse people

The question is unclear in this instance, as it doesn't specify whether the ADLS is v1 or v2. For v1, Hierarchical namespaces must be off, for v2 they need to be on: "Do I have to enable support for ACLs? No. Access control via ACLs is enabled for a storage account as long as the Hierarchical Namespace (HNS) feature is turned ON." https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

Solution: From the storage account, you disable a hierarchical namespace, and you use access control lists (ACLs). if disable hierarchical namespace , then the case has to be NO

enable hierarchical namespace, then access control lists

Enable HNS and ACL -- This is 100% correct

One the storage account is created. We can't enable or disable Namespace. The storage account must be re-created. I don't understand why the answer is Yes. It should be no in my opinion.

From the question standpoint, it is pertaining to ADLS Gen 2 in which is it requires to enable the "hierarchical namespace" to utilize the functionality of Data Lake then we could configure the ACL in the folder level. Therefore, the answer is NO.

I believe the answer should be "YES": The requirement is that data is organized into folders (hence, you have to enable hierarchical namespace") and the users should only see their respective folders. The only way to give users fine-grained access to folders in ADLS Gen2 is to use Access Control Lists. If this is not used you will have to use RBAC and this can only give access to ALL of the data in a storage account or ALL of the data in the container, which will not fulfill the requirement. It is also unlikely that Shared Access Signatures (SAS) should be used. The reason is that this is internal and you want to have a concept of who actually access what (and they likely have users set up in AAD). SAS is more often used in the context of applications than users, and therefore this is not the right answer either. Hence, hierarchical namespace and ACL should be used and the answer to this question is "YES".

Refer: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control Access control via ACLs is enabled for a storage account as long as the Hierarchical Namespace (HNS) feature is turned ON. If HNS is turned OFF, the Azure Azure RBAC authorization rules still apply.

isn't hierarchical namespace a fundamental property of data lake storage that separates it from blob storage type? why are they saying disable HNS then?

The Question n is out dated, it refresh to gen1. In gen2 there is no need to Disable Hierarchical Namespace

In storage V2, you can only create ACL's on a container with hierarchical namespace enabled. You cannot disable hierarchical namespace and have an ACL at the same time. Hence, the goal is not met. Test this yourself in Azure. Create two storage accounts: one with hierarchical namespace disabled (the "blob account"), and one with it enabled (the "data lake account"). Create a container in each. Install Azure Data Explorer on your local machine, then follow the instructions on this page: https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-explorer#managing-access You will see that ACL's are an option on the data lake container, but not on the blob container. Hence, disabling the hierarchical namespace makes it impossible to have an ACL on the containers in that account. The configuration as given in the question is therefore not meeting the goal.

It clearly says the data is arranged into folders by department. If you don't have HNS you don't have the folders.

Answer is No; enable not disable the namespace

New update: https://docs.microsoft.com/en-us/azure/storage/blobs/recursive-access-control-lists?tabs=azure-powershell

Question clearly states Azure Data Lake Storage. Why he is talking about blob?

Enable heirarchial namespace and use ACL's This is the one of the option i got in recent exam.