How to prevent users from accessing filesystem files?

I am installing Dataiku on a bare-metal Ubuntu 22 OS. However, I noticed that users can access the root filesystem quite easily through managed folders or Jupyter notebooks, for example. Is there a way to completely prevent users from accessing any filesystem-related files?
If so, what is the most efficient way to do so?
Operating system used: Ubuntu 22
Best Answer
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,577 Neuron
You can set Containerized execution to be the default (see Admin ⇒ Settings ⇒ Containerized execution ⇒ Default settings) but you can't prevent DSS execution.
Answers
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,577 Neuron
Have a look at User Isolation Framework:
This is a decent attempt to secure things. It's not perfect but it does improve things quite a bit. You should restrict where users can create managed folders and remove access to the default file system connections. File system connections also have a property that allows users to navigate the full path; you can disable that.
Ultimately you need to realise that any system that allows users to write and run code of their choice will never be perfect.
-
Thanks, that shows me how to enable the UIF; however, I couldn't find how to automatically create users and groups for the UIF, or how to disable the file system connections. If that isn't possible, then maybe just the ability to exclusively run kernels in containers?
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,577 Neuron
"However I couldn't find how to automatically create users and groups for the UIF" ⇒ That's up to you to figure out, but it will depend on your OS and how you want to integrate with your corporate user directory.
"And also how to disable the file system connections" ⇒ Remove permissions from the relevant connections. Or delete them.
"If that isn't possible then maybe just the ability to exclusively run kernels in containers" ⇒ I don't think you can prevent people from running kernels locally. But you can probably default to use Kubernetes. Using Kubernetes is an advanced setup option, so I suggest you first get UIF working.
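The connection review suggested in the answers above (remove access to the default file system connections, restrict where managed folders can be created), as an added example that is not part of the thread or Dataiku's own code. It audits connection definitions supplied as plain dicts; the field names `usableBy`, `allowedGroups`, `allowManagedFolders` and `params.root`, and the sample connections, are assumptions to check against your DSS version.

```python
import posixpath

# Constructed sample definitions (name -> definition). Field names are
# assumptions about the DSS connection JSON; verify them on your version.
SAMPLE = {
    "filesystem_root": {"type": "Filesystem", "params": {"root": "/"},
                        "usableBy": "ALL", "allowManagedFolders": False},
    "filesystem_folders": {"type": "Filesystem",
                           "params": {"root": "/data/dss/managed_folders"},
                           "usableBy": "ALL", "allowManagedFolders": True},
    "team_a_folders": {"type": "Filesystem",
                       "params": {"root": "/data/team_a"},
                       "usableBy": "ALLOWED", "allowedGroups": ["team_a"],
                       "allowManagedFolders": True},
    "warehouse": {"type": "PostgreSQL", "params": {"host": "db.example"},
                  "usableBy": "ALL"},
}


def audit_connection(definition):
    """Return finding codes for one connection definition."""
    if definition.get("type") != "Filesystem":
        return []  # only filesystem connections expose host paths
    findings = []
    # A missing usableBy is treated as unrestricted so that it gets flagged.
    open_to_all = definition.get("usableBy", "ALL") != "ALLOWED"
    if open_to_all:
        findings.append("OPEN_TO_ALL")
    root = definition.get("params", {}).get("root", "")
    # Catches "/", "//" and "/./"; an empty root is unknown, not "/".
    if root and posixpath.normpath(root).strip("/") == "":
        findings.append("ROOTED_AT_SLASH")
    if open_to_all and definition.get("allowManagedFolders", False):
        findings.append("MANAGED_FOLDERS_FOR_ALL")
    return findings


def audit_all(definitions):
    """Map each connection that has findings to its list of finding codes."""
    report = {}
    for name, definition in definitions.items():
        findings = audit_connection(definition)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, ", ".join(findings))
```

Connections restricted to named groups and rooted below `/` produce no findings; everything reported is a candidate for permission removal or deletion as described in the answer.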
-
Thanks, I'll find a way for syncing users from local Dataiku to UNIX users. I have Kubernetes working, but there is nothing to prevent users from using the DSS backend for jobs instead of containerized execution.