Multi-user security
The regular behavior of DSS is to run as a single UNIX account on its host machine. In the rest of this documentation, dssuser means “the UNIX user which is running the DSS service”.
When a DSS end-user executes a code recipe, it runs as the dssuser user. Similarly, when a DSS end-user executes a Hadoop recipe or notebook, it runs on the cluster as the dssuser Hadoop user.
This causes two limitations:
- There is a lack of traceability on the Hadoop cluster as to which user performed which action.
- If the DSS end-user is hostile and has the permission to execute “unsafe” code, they can run arbitrary code as the dssuser UNIX user and modify the DSS configuration.
DSS supports an alternate mode of deployment, called multi-user security. In this mode, DSS will impersonate the end-user and run all user-controlled code under a different identity than dssuser.
Note
Multi-user security requires an Enterprise license of DSS.
Note
Multi-user security is designed to work on Hadoop-enabled instances of DSS.
- Comparing security modes
- Concepts
- Prerequisites and limitations
- Setup
- Operations
- Interaction with Hive and Impala
- Interaction with Spark
- Advanced topics