Advanced security options

Hiding error stacks

By default, the DSS backend sends backend error stacks to logged-in users. This makes debugging and understanding easier.

This behavior can be disabled in the following way:

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following key : "hideErrorStacks" : true
  • Start DSS
DATADIR/bin/dss start

Hiding version info

By default, the DSS backend sends DSS version information, even to non-logged in users.

This behavior can be disabled in the following way:

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following key : "hideVersionStringsWhenNotLogged" : true
  • Start DSS
DATADIR/bin/dss start

Using secure cookies

By default, DSS login cookies do not carry the Secure flag (which would make them unusable over non-secured HTTP connections).

If you configure DSS to using HTTPS for all users, either natively or through a reverse proxy, you can enable the use of secure cookies. This further secures user connections by ensuring the browser never sends the session cookie over unsecured connections.

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following key : "secureCookies" : true
  • Start DSS
DATADIR/bin/dss start

Expiring sessions

By default, DSS sessions do not expire. You can configure DSS to have sessions expire, either after a certain amount of time since login, or after a certain amount of inactivity.

Warning

Enabling sessions expiration is currently incompatible with the Jupyter notebooks feature. Enabling this feature will cause Jupyter notebooks to stop functioning properly.

Warning

Enabling sessions expiration also means that all user sessions are always terminated each time the DSS backend restarts

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/dip.properties file and add the following key: dku.sessions.storage=memory
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following keys: "sessionsMaxTotalTimeMinutes" and "sessionsMaxIdleTimeMinutes". Set them to the desired expiration timeout, respectively since login and on inactivity. 0 means no expiration for this kind.
  • Start DSS
DATADIR/bin/dss start

Forcing a single session per user

By default, DSS users can log in from multiple sessions at once. You can additionally configure DSS to only allow a single session. When a user logs in, all its other sessions are terminated.

  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following key : "forceSingleSessionPerUser" : true
  • Start DSS
DATADIR/bin/dss start

Restricting visibility of groups and users

By default, all logged-in DSS users can view the list of groups and users. This is useful for:

  • Allowing project owners to add groups to their projects
  • Allowing users to mention all users

You can select to restrict visibility of groups and users. The following rules apply:

  • If you are admin, you can see everything
  • You can see all groups to which you belong
  • You can see all users of groups to which you belong
  • In addition, you can see all users that are participants in projects in which you are participant
  • Stop DSS
DATADIR/bin/dss stop
  • Edit the DATADIR/config/general-settings.json file
  • Locate the "security" top-level key in the JSON file. If it does not exist, create it as an empty JSON object
  • Within “security”, add or edit the following key : "restrictUsersAndGroupsVisibility" : true
  • Start DSS
DATADIR/bin/dss start

Note

This is a best-effort feature. Obvious listing of users are suppressed, but we do not guarantee perfect isolation.

Example general-settings.json file

With the previous options enabled, your general-settings.json could look like:

{
  "udr": true,
  "proxySettings": {
    "port": 0
  },
  "mailSettings": {},
  "maxRunningActivitiesPerJob": 5,
  "maxRunningActivities": 5,
  "ldapSettings": {
    "enabled": false,
    "useTls": false,
    "userFilter": "(\u0026(objectClass\u003dposixAccount)(uid\u003d{USERNAME}))",
    "displayNameAttribute": "cn",
    "emailAttribute": "mail",
    "enableGroups": true,
    "groupFilter": "(\u0026(objectClass\u003dposixGroup)(memberUid\u003d{USERNAME}))",
    "groupNameAttribute": "cn",
    "autoImportUsers": true
  },
  "computablesAvailabilityMode": "EXPOSED_ONLY",
  "globalCrossProjectBuildBehaviour": "STOP_AT_BOUNDARIES",
  "noLoginMode": false,
  "sessionsMaxTotalTimeHours": 0,
  "sessionsMaxIdleTimeHours": 0,
  "security" : {
    "hideVersionStringsWhenNotLogged" : true,
    "hideErrorStacks" : true,
    "secureCookies" : true,
    "sessionsMaxTotalTimeMinutes": 0,
"sessionsMaxIdleTimeMinutes": 20,
"forceSingleSessionPerUser": false,
"restrictUsersAndGroupsVisibility": true,
  }
}

Disabling exports

It is possible to globally disable some or all export features in DSS (regardless of project permissions).

To use these options, a DSS administrator with access to the DSS server needs to edit the “config/dip.properties” file in the DSS data dir and add one of the following lines:

  • dku.exports.disableAllDatasetExports=true: This disables exports of datasets globally on the instance. Other exports (ML data, schema, SQL queries, prepared data) remain possible
  • dku.exports.disableAllDataExports=true: This disables exports of “data” globally on the instance (exports of datasets, prepared data or SQL query results). Exports of ML data and schemas remain possible
  • dku.exports.disableAllExports=true: This disables all possibilities of downloading anything from DSS