Setup & Configuration
- Hi! I am testing in Dataiku 11.4 with user profile (or license) setting, via LDAP mapping. In my tests the profile is only assigned when the user logs in for the first time and registers his user. Sub…
Solution by TurribeachThis is by design. Last time I asked Dataiku about this they said you could be breaching your licensing terms if you start switching users between licenses. You will need to check with your Customer Success Manager / Account Manager to see what you are allowed to do in terms of swtching Designer licenses around. One way you can prevent this issue is by setting the Groups Restriction field in your LDAP configuration to all the AD groups which grant any sort of Dataiku license type (Reader, Explorer, Designer). This will prevent random users from being able to login to Dataiku unless they have been granted a license type in advance. This in turn will prevent their accounts created and their profile defaulting to Reader. So hopefully that solves most of your issues. With regards to real cases where the user license type needs to change, I will again suggest you consult with Dataiku to make sure you stay within the Dataiku licensing terms. But as you have seen there is no built-in functionality to handle these cases so you would need to handle them manually or via the Python API. Below is sample Dataiku Pyhton API code on how to modify the user's profile:
import dataiku client = dataiku.api_client() user = client.get_user("theuserslogin") settings = user.get_settings() # Modify the settings in the `get_raw()` dict settings.get_raw()["userProfile"] = "DESIGNER" # Save the modifications settings.save() - Does DSS support the switch of IAM role, as described here? https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html To access an S3 bucket in other account we would need to …
Solution by JedivHi, DSS now supports switching IAM roles for access to S3 connections. The best practice here is to separate out your s3 access policy into a separate role and then set up assumeRole permissions on your connection. In detail:1. Create a separate role with your s3 access policy. See here for an example of the inline policy. We'll call this role Dataiku-DSS-S3-Access:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetEncryptionConfiguration",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::dataiku-bucket",
"arn:aws:s3:::dataiku-bucket/*"
]
}
]
}2. Assuming that your roles are in the same account you can just update the trust policy of your new role to allow your instance profile role to assume it:{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DSS-S3-AccessTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/name-of-your-instance-profile-role"
}
}]
}3. If you're going cross account, you'll need to give assumeRole permissions to your instance profile role as well:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"iam:AssumeRole"
],
"Resource": [
"arn:aws:iam::XXXXXXXXX:role/Dataiku-DSS-S3-Access"
]
}
]
}4. In Dataiku, switch your connection to use this new role: