Configuration of the local security module
When DSS runs a command on behalf of an end-user, it consults the security module configuration in
This ini file contains two important pieces of information:
- Which user groups it may change identity to. This is configured in
[users], in the
- Where DSS is located. DSS will not change any file permissions outside of this directory
Split DSS datadirs
In some configurations, you might have “split” your DSS datadir by using symbolic links.
To allow the security module to change file permissions in the additional locations, fill in the
additional_allowed_file_dirs in the
File structure of HDFS datasets
In regular security mode, a dataset’s location is specified by a path in a connection.
When multi-user security is enabled, DSS uses a different file layout for managed datasets: if the dataset’s configured location is
/user/dataiku/datasets/MYPROJECT/mydataset, then the actual data is written in
The “data” folder belongs to the last user who wrote the dataset (this might be “hive” or “impala”). The “mydataset” folder always belongs to the
ACLs preventing access are on the “mydataset” folder. Within the “mydataset” folder, it is normal for data files to have world-readable permissions. The restrictive “gateway” ACLs on “mydataset” prevent unauthorized users from accessing them.
This behavior is configured in the settings of the HDFS connection, in the “Write ACL synchronization mode” setting.
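A check for the gateway ACL model described above, as an added example that is not part of the original documentation: it parses `hdfs dfs -getfacl` output for the “mydataset” folder, applies the ACL mask, and reports `other` access or any named principal outside an expected list that can traverse the folder. The sample output, the owner, user and group names, and the helper functions are constructed for illustration.

```python
import re

# Constructed `hdfs dfs -getfacl` output for the gateway folder
# (owner, group and user names are placeholders, not values from the page).
GATEWAY_ACL = """\
# file: /user/dataiku/datasets/MYPROJECT/mydataset
# owner: svc_owner
# group: svc_group
user::rwx
user:alice:r-x
group::r-x
group:analysts:rwx\t#effective:r-x
mask::r-x
other::---
"""

def parse_acl(text):
    """Return a list of (kind, name, perms) access entries from getfacl-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        m = re.fullmatch(r"(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])", line)
        if m and not m.group(1):  # default (inherited) entries are not access entries
            entries.append(m.groups()[1:])
    return entries

def effective(entries):
    """Apply the mask to named users and all groups; owner and other are unmasked."""
    mask = next((p for k, _, p in entries if k == "mask"), "rwx")
    out = {}
    for kind, name, perms in entries:
        if kind == "mask":
            continue
        if kind == "group" or (kind == "user" and name):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        out[(kind, name)] = perms
    return out

def audit_gateway(text, allowed):
    """Report 'other' access, or traverse (x) held by named principals not in `allowed`."""
    findings = []
    for (kind, name), perms in effective(parse_acl(text)).items():
        if kind == "other" and perms != "---":
            findings.append(f"other has {perms} on gateway folder")
        elif name and "x" in perms and (kind, name) not in allowed:
            findings.append(f"unexpected {kind}:{name} can traverse ({perms})")
    return findings
```

Because the data files inside the folder may be world-readable, any finding on the gateway folder means those files are reachable by that principal.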