User Isolation Uploading Files

miriamgasenjo
miriamgasenjo Registered Posts: 4 ✭✭✭✭
in Using Dataiku

Hi there,

I am trying to figure out how user isolation works when using a server file system connection. If I am a DSS end-user A with a mapped unix user unixA when trying to upload a dataset ZZZ into the folder configured into file system connection the file will be uploaded with unixA owner or as dss user owner (being dss user the user that run dss on the linux machine)

Thank you very much.

Kind regards.

· Share on FacebookShare on Twitter

Answers

  • Andrey
    Andrey Dataiker Alumni Posts: 119 ✭✭✭✭✭✭✭

    Hi @miriamgasenjo
    ,

    The file you upload by userA will be created by dss linux user (what we refer to as dssuser in the docs).

    Regards,

    · Share on FacebookShare on Twitter
  • miriamgasenjo
    miriamgasenjo Registered Posts: 4 ✭✭✭✭

    Thank you very much Andrey for your quick response,

    so there is no way even with user isolation enable to upload a file whose owner is the DSS end user mapped Unix User?

    My concern here is that dssuser could get access to private or confidential information upload by business users or there is a workound to achive this

    Kind regards

    · Share on FacebookShare on Twitter
  • Andrey
    Andrey Dataiker Alumni Posts: 119 ✭✭✭✭✭✭✭

    No, it's not possible to restrict dssuser from accessing files in the DSS data directory.

    dssuser is used for impersonation, meaning he can execute commands as other DSS users, so that means that even if he didn't have direct access to a certain file, he would after impersonation.

    · Share on FacebookShare on Twitter
  • miriamgasenjo
    miriamgasenjo Registered Posts: 4 ✭✭✭✭

    Hi Andrey,

    As you mentioned dssuser will get access but through dss-enduser/unix user impersonation.

    I will try to clarify a bit better with the following scenario:

    Lets say there is a server folder connection configured to be outside DSS data dir for instance /data/finance. At server level the folder with be owned by unix user: vfinance and group: finance with the rights 4(user)7(group)0(others)

    Considering that user isolation is enabled, I am connected to DSS (dssenduser: mirgar, unixUser:unixmirgar, unixGroup: finance) working on project A and I want to upload a dataset on /data/finance, when doing this task as user isolation is enabled dssuser will impersonate as unixmirgar and upload the file in /data/finance/?

    We need to have a clear understanding of how user isolation works.

    If user impersonation is enabled and we run a flow, DSS is try to run all the flow as dssenduser-unixuser or only the code recipes?

    Thank you very much.

    Kind regards.

    · Share on FacebookShare on Twitter
  • miriamgasenjo
    miriamgasenjo Registered Posts: 4 ✭✭✭✭

    Hi @Andrey
    ,

    Any insight about the previously detailed scenario?

    I need to understand how it works behind the scenes.

    Thank you very much.

    Kind regards

    · Share on FacebookShare on Twitter
Bookmark this topic

Categories

Setup Info
    Tags
      Help me…