Advanced security options¶
Hiding error stacks¶
By default, the DSS backend sends backend error stacks to logged-in users. This makes debugging and understanding easier.
This behavior can be disabled in the following way:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following key :
"hideErrorStacks" : true
Start DSS
DATADIR/bin/dss start
Hiding version info¶
By default, the DSS backend sends DSS version information, even to non-logged in users.
This behavior can be disabled in the following way:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following key :
"hideVersionStringsWhenNotLogged" : true
Start DSS
DATADIR/bin/dss start
Expiring sessions¶
By default, DSS sessions do not expire. You can configure DSS to have sessions expire, either after a certain amount of time since login, or after a certain amount of inactivity.
Warning
Enabling sessions expiration also means that all user sessions are always terminated each time the DSS backend restarts
Sessions expiration can cause lost work: if you have work open and your session expires, you may not be able to save your work
If you have a Jupyter notebook open and your session expires, the underlying Jupyter kernel remains alive and you can still communicate with it and execute code, until the next page refresh. However, saving updates to the notebook becomes impossible
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/dip.properties
file and add the following key:dku.sessions.storage=memory
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following keys:
"sessionsMaxTotalTimeMinutes"
and"sessionsMaxIdleTimeMinutes"
. Set them to the desired expiration timeout, respectively since login and on inactivity. 0 means no expiration for this kind.Start DSS
DATADIR/bin/dss start
Forcing a single session per user¶
By default, DSS users can log in from multiple sessions at once. You can additionally configure DSS to only allow a single session. When a user logs in, all its other sessions are terminated.
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following key :
"forceSingleSessionPerUser" : true
Start DSS
DATADIR/bin/dss start
Restricting visibility of groups and users¶
By default, all logged-in DSS users can view the list of groups and users. This is useful for:
Allowing project owners to add groups to their projects
Allowing users to mention all users
You can select to restrict visibility of groups and users. The following rules apply:
If you are admin, you can see everything
You can see all groups to which you belong
You can see all users of groups to which you belong
In addition, you can see all users that are participants in projects in which you are participant
Instructions:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following key :
"restrictUsersAndGroupsVisibility" : true
Start DSS
DATADIR/bin/dss start
Note
This is a best-effort feature. Obvious listing of users are suppressed, but we do not guarantee perfect isolation.
Redirecting to a custom URL after logout¶
By default, when users log out from DSS, they are redirected to a standard Web page hosted by DSS.
To configure DSS to redirect users to a different URL when they log out:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add the following keys:
"postLogoutBehavior": "CUSTOM_URL",
"postLogoutCustomURL": "https:///my-custom-url"
Start DSS
DATADIR/bin/dss start
Example general-settings.json file¶
With the previous options enabled, your general-settings.json could look like:
{
"udr": true,
"proxySettings": {
"port": 0
},
"mailSettings": {},
"maxRunningActivitiesPerJob": 5,
"maxRunningActivities": 5,
"ldapSettings": {
"enabled": false,
"useTls": false,
"userFilter": "(\u0026(objectClass\u003dposixAccount)(uid\u003d{USERNAME}))",
"displayNameAttribute": "cn",
"emailAttribute": "mail",
"enableGroups": true,
"groupFilter": "(\u0026(objectClass\u003dposixGroup)(memberUid\u003d{USERNAME}))",
"groupNameAttribute": "cn",
"autoImportUsers": true
},
"computablesAvailabilityMode": "EXPOSED_ONLY",
"globalCrossProjectBuildBehaviour": "STOP_AT_BOUNDARIES",
"noLoginMode": false,
"sessionsMaxTotalTimeHours": 0,
"sessionsMaxIdleTimeHours": 0,
"security" : {
"hideVersionStringsWhenNotLogged" : true,
"hideErrorStacks" : true,
"secureCookies" : true,
"sessionsMaxTotalTimeMinutes": 0,
"sessionsMaxIdleTimeMinutes": 20,
"forceSingleSessionPerUser": false,
"restrictUsersAndGroupsVisibility": true,
"postLogoutBehavior": "CUSTOM_URL",
"postLogoutCustomURL": "https://www.dataiku.com"
}
}
Restricting exports¶
It is possible to globally restrict some export features in DSS (regardless of project permissions).
Warning
Any restriction to exports conceptually remains a “best-effort”. Any user who is granted the right to see data in DSS can, with more or less effort, manage to export it, if only by copy/pasting it.
To use these options, a DSS administrator with access to the DSS server needs to edit the “config/dip.properties” file in the DSS data dir and add one of the following lines:
dku.exports.disableAllDatasetExports=true
Disables exports of datasets globally on the instance (the exports that are restricted are the ones that are about “Download” of datasets in order to generate data files (CSV, Excel, Tableau Hyper, …).
Other exports (ML data, schema, SQL queries, prepared data) remain possible
Disables ability to include datasets in project exports and bundle downloads
Disables ability to attach datasets to emails in scenarios
dku.exports.disableAllDataExports=true
(implies the previous one)Disables exports of datasets globally on the instance (the exports that are restricted are the ones that are about “Download” of datasets in order to generate data files (CSV, Excel, Tableau Hyper, …).
Disables exports of prepared data or SQL query results
Exports of ML data and schemas remain possible
Disables ability to download files of zips from managed folders
Disables ability to include datasets or managed folders in project exports and bundle downloads
Disables ability to attach datasets or other data items to emails in scenarios
dku.exports.disableAllExports=true
(implies the previous one)Disables exports of datasets globally on the instance (the exports that are restricted are the ones that are about “Download” of datasets in order to generate data files (CSV, Excel, Tableau Hyper, …).
Disables exports of prepared data or SQL query results
Disables exports of ML data and schemas
Disables ability to download files of zips from managed folders
Disables ability to include datasets or managed folders in project exports and bundle downloads
Disables ability to attach datasets or other data items to emails in scenarios
Allowing DSS to be hosted inside an iframe¶
By default, DSS cannot be hosted inside an iframe as Web browsers treats its authentication cookies as SameSite=Lax.
To configure DSS to emit authentication cookies using SameSite=None:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following keys:
"sameSiteNoneCookies" : true
and"secureCookies" : true
Start DSS
DATADIR/bin/dss start
Note
DSS must be accessed via the HTTPS protocol and cookies must be set as Secure for this option to work as Web browsers do not take into account the SameSite cookie parameter for non-secure cookies.
Prevent links to be clickable in data tables¶
By default, links are displayed in dataset Explore and dataset insights.
To prevent this, edit the DATADIR/config/dip.properties
file and add the following key: dku.feature.dataTableLinks.enabled=false
Allowing DSS users to edit their display names and emails¶
Starting from version 13.2.0, users can no longer edit their display names and email addresses. Only DSS administrators have the ability to make these changes. This restriction helps prevent impersonation by DSS users.
To allow users to update their display names and email addresses:
Stop DSS
DATADIR/bin/dss stop
Edit the
DATADIR/config/general-settings.json
fileLocate the
"security"
top-level key in the JSON file. If it does not exist, create it as an empty JSON objectWithin “security”, add or edit the following keys:
"enableEmailAndDisplayNameModification" : true
.Start DSS
DATADIR/bin/dss start
Note
Please note that enabling email and display name modifications will disable the ability for users to share assets, such as projects, via email invitations.