Which activities in DSS require that a user be added to the allowed_user_groups local Unix group?
Which activities in DSS require that a user be added to the allowed_user_groups local Unix group?
When configuring the setup of the local code isolation capability of the User Isolation Framework* (formerly known as Multi-User Security), you must fill in the allowed_user_groups settings with the list of UNIX groups to which your end users belong. Only users belonging to these groups will be allowed to use the local code impersonation mechanism.
If you have mixed types of users (data analysts, data scientists, etc.) and aren’t sure which types of Dataiku actions require membership in the allowed_user_groups local Unix group, below is a quick summary.
DO NOT need to be in allowed_user_groups:
- Users who only run visual recipes on DSS engine, visual recipes on SQL engine, or SQL recipes. For Prepare recipes, they do not use custom Python functions.
DO need to be in allowed_user_groups:
- Users who run any kind of local code (Python or R - be it in recipes, notebooks, webapps, scenarios, reports, etc.)
- Users who run visual ML
- Users who run any Spark-powered object (code recipe or notebook, or visual recipe using a Spark engine)
*The User Isolation Framework requires an Enterprise Edition license of DSS.
For detailed instructions on setting up local code isolation within the User Isolation Framework, visit our documentation.
What’s next?
We see above that DSS features a set of mechanisms to isolate code which can be controlled by the user, so as to guarantee both traceability and inability for a hostile user to attack the dssuser (the DSS service account). However, the User Isolation Framework is not a single technology, but rather a set of capabilities that permit isolation depending on the context.
Learn more about the larger capabilities of User Isolation Framework , prerequisites, and review reference architectures.
Comments
-
thanks, very useful.