What's the permission needed for remove_acl_entries()? The action fails with a service principal, even though it already has RWX permission and is also the storage owner
#331 · Open · DorisTao77 opened this issue on Dec 8, 2023 · 0 comments
Trying to authenticate with a service principal in the code. The service principal has already been given the owner IAM role of the ADLS gen1 storage. Also, it has RWX permission on the folder/files.
But it still fails to remove the ACL entries with the remove_acl_entries() function.
    Traceback (most recent call last):
      File "C:\Users\xinrantao\PycharmProjects\pythonProject\acl_remove_test.py", line 42, in <module>
        main()
      File "C:\Users\xinrantao\PycharmProjects\pythonProject\acl_remove_test.py", line 38, in main
        adl.remove_acl_entries("/testfolder1", "user:518b91c4-a815-409d-8915-ad6249f5095d", recursive=False, number_of_sub_process=None)
      File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\core.py", line 534, in remove_acl_entries
        self._acl_call('REMOVEACLENTRIES', path, acl_spec, invalidate_cache=True)
      File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\core.py", line 459, in _acl_call
        to_return = self.azure.call(action, posix_path, **parms)
      File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\lib.py", line 450, in call
        self.log_response_and_raise(response, PermissionError(path), level=exception_log_level)
      File "C:\Users\xinrantao\AppData\Local\Programs\Python\Python39\lib\site-packages\azure\datalake\store\lib.py", line 358, in log_response_and_raise
        raise exception
    PermissionError: testfolder1
Reproduction Steps
Create the service principal and give it the owner IAM role of the ADLS gen1 storage:
It has RWX permission on the folder whose ACL entries need to be removed:
Using the service principal for authentication, try to remove the ACL entries of this folder for one of the users:
It's interesting to find that if ownership of this specific folder is given to this service principal, then it seems to work.
Could you help check what the minimum permission needed for this action is? Is ownership of the folder/file necessary?
If it's necessary, how can ownership of all the folders/files be given in a quick way? Currently it relies on the service principal as authentication to remove all the ACL entries automatically. Thanks!
Environment summary
SDK Version: What version of the SDK are you using? (pip show azure-datalake-store)
Answer here: 0.0.53
Python Version: What Python version are you using? Is it 64-bit or 32-bit?
Answer here: Python 3.9, 64-bit
OS Version: What OS and version are you using?
Answer here: Windows 11
Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here: PyCharm
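An added example, not part of the original issue or of the azure-datalake-store code: a preflight check that reports, per path, whether a principal merely has rwx or actually is the owning user, the distinction the report above turns on. `FakeADL`, the object IDs and the shape of the `get_acl_status()` result (`owner`, `entries`) are assumptions, constructed so the block runs offline.

```python
# Added example: preflight for remove_acl_entries(). All IDs and FakeADL data are constructed.

SP_OID = "00000000-0000-0000-0000-0000000000aa"      # constructed service principal object ID
OTHER_OID = "00000000-0000-0000-0000-0000000000bb"   # constructed folder owner


class FakeADL:
    """Offline stand-in for AzureDLFileSystem; assumed get_acl_status() shape."""
    _data = {
        "/testfolder1": {"owner": OTHER_OID,
                         "entries": ["user::rwx", f"user:{SP_OID}:rwx",
                                     "group::r-x", "mask::rwx", "other::---"]},
        "/testfolder2": {"owner": SP_OID,
                         "entries": ["user::rwx", "group::r-x", "other::---"]},
        "/testfolder3": {"owner": OTHER_OID,
                         "entries": ["user::rwx", f"user:{SP_OID}:rwx",
                                     "group::r-x", "mask::r--", "other::---"]},
    }

    def get_acl_status(self, path):
        return self._data[path]


def access_entries(entries):
    """Map (type, id) -> perms for access ACL entries, skipping default: ones."""
    out = {}
    for entry in entries:
        if entry.startswith("default:"):
            continue
        kind, ident, perms = entry.split(":")
        out[(kind, ident)] = perms
    return out


def preflight(adl, path, principal_oid):
    """Separate 'can touch data' (rwx) from 'owns the path' for one principal."""
    status = adl.get_acl_status(path)
    acl = access_entries(status["entries"])
    owns = status["owner"] == principal_oid
    if owns:
        perms = acl.get(("user", ""), "---")          # owner uses the unnamed user entry
    else:
        named = acl.get(("user", principal_oid), "---")
        mask = acl.get(("mask", ""), "rwx")           # mask caps named-user entries
        perms = "".join(p if m != "-" else "-" for p, m in zip(named, mask))
    return {"path": path, "owns_path": owns, "effective_perms": perms}


def rwx_but_not_owner(adl, paths, principal_oid):
    """Paths matching the issue's failing case: full rwx, yet not the owning user."""
    reports = [preflight(adl, p, principal_oid) for p in paths]
    return [r["path"] for r in reports
            if r["effective_perms"] == "rwx" and not r["owns_path"]]
```

Against a real store, pass an `AzureDLFileSystem` instance instead of `FakeADL`. Paths returned by `rwx_but_not_owner()` are the ones where the `PermissionError` above would be expected if ownership is in fact required.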