Without multi-user security, the regular behavior of DSS is to run as a single account on its host machine or connected Hadoop cluster. In the following documentation, dssuser will mean “the user account which is running the DSS service, or authorized to run Hadoop jobs”.
When a DSS end-user executes a code recipe, it runs as the UNIX dssuser. Similarly, when a DSS end-user executes a Hadoop recipe or notebook, it runs on the cluster as the Hadoop
This causes two limitations:
- There is a lack of traceability on the Hadoop cluster to identify which user performed which action.
- If the DSS end-user is hostile and has the permission to execute “unsafe” code, he can run arbitrary code as UNIX dssuser and modify the DSS configuration.
DSS supports an alternate mode of deployment, called multi-user security. In this mode, DSS will impersonate the end-user and run all user-controlled code under a different identity than
Multi-user security requires an Enterprise license of DSS.
Multi-user security is designed to work on Hadoop-enabled instances of DSS.
- Comparing security modes
- Prerequisites and limitations
- Initial setup
- Prerequisites and required information
- Perform a regular DSS installation
- Configure your Hadoop cluster
- Initialize multi-user security
- Configure filesystem access on the DSS folders
- Configure identity mapping
- Setup Hive and Impala access
- Initialize ACLs on HDFS connections
- Default security configuration
- Other security configurations
- Interaction with externally-managed data
- Interaction with Hive and Impala
- Interaction with Spark
- Advanced topics