The regular behavior of DSS is to run as a single UNIX account on its host machine. In the following of this documentation,
dssuser will mean “the UNIX user which is running the DSS service”.
When a DSS end-user executes a code recipe, it runs as the
dssuser user. Similarly, when a DSS end-user executes an Hadoop recipe or notebook, it runs on the cluster as the
dssuser Hadoop user.
This causes two limitations:
- There is a lack of tracability on the Hadoop cluster of which user performed which action.
- If the DSS end-user is hostile and has the permission to execute “unsafe” code, he can run arbitrary code as the
dssuserUNIX user and modify the DSS configuration
DSS supports an alternate mode of deployment, called multi-user security. In this mode, DSS will impersonate the end-user and run all user-controlled code under a different identity than
Multi-user security requires an Entreprise license of DSS.
Multi-user security is designed to work on Hadoop-enabled instances of DSS.
- Comparing security modes
- Prerequisites and limitations
- Initial setup
- Prerequisites and required information
- Perform a regular DSS installation
- Configure your Hadoop cluster
- Initialize multi-user security
- Configure filesystem access on the DSS folders
- Configure identity mapping
- Setup Hive and Impala access
- Initialize ACLs on HDFS connections
- Initial setup
- Default security configuration
- Other security configurations
- Interaction with externally-managed data
- Interaction with Hive and Impala
- Interaction with Spark
- Advanced topics