The results of export operations (regular or continuous) contain the list of written blobs.
Today url encoding of these blobs’ paths is inconsistent:
E.g.:
abfss://xtable@storgaexxx.dfs.core.windows.net/Name%3D%27User1i%27/2022/01/09/41925d7b-c720-479e-aeab-1f7492eca345_1_8420ac6ce1d44811a3e73bcda12c11c6.csv
As the result of the upcoming change, all the special characters will be encoded in the export result paths for both ADLS and Blob Storage
E.g.:
abfss://xtable@storgaexxx.dfs.core.windows.net/Name%3D%27User1i%27/2022/01/09/41925d7b-c720-479e-aeab-1f7492eca345_1_8420ac6ce1d44811a3e73bcda12c11c6.csv
Check the usage of the export result paths and validate the change above so that it doesn’t break your workflow.
Support for non-encoded special characters will be blocked - ETA: October 31, 2022
The `current_principal_is_member_of()` function checks if the principal who runs the query is a member in any of the users, apps or groups provided as arguments.
There’s a security risk in such usage, since if a user from another tenant has access to the database, he can create a “mygroup” group in his tenant, and suddenly get access to sensitive data, because he’ll now belong to “mygroup” (even though it’s not in the same tenant).
The secure way to do it would be to explicitly specify the tenant’s name or id, next to the group display name, e.g.:
“mygroup@mycompany.com”, “mygroup;mycompany.com” or “mygroup;12f94abf-a2fa-91aa-41af-3d71dcd0fb37”.
Another option would be to supply the object-id of the group.
To tighten the security, we’re introducing a change that will fail queries with such insecure use.
Change the queries that use current_principal_is_member_of() in an insecure way, by adding the tenant name or id to the group name, or switch to using the group’s object-id.
The command will no longer work without tenant id, tenant name or group object id - ETA: October 31, 2022
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.