User Isolation Uploading Files

miriamgasenjo
Level 1
User Isolation Uploading Files

Hi there, 

      I am trying to figure out how user isolation works when using a server file system connection. If I am a DSS end-user A with a mapped unix user unixA when trying to upload a dataset ZZZ into the folder configured into file system connection the file will be uploaded with unixA owner or as dss user owner (being dss user the user that run dss on the linux machine) 

Thank you very much. 

Kind regards.

0 Kudos
5 Replies
Andrey
Dataiker Alumni

Hi @miriamgasenjo ,

The file you upload by userA will be created by dss linux user (what we refer to as dssuser in the docs).

 

Regards,

Andrey Avtomonov
R&D Engineer @ Dataiku
0 Kudos
miriamgasenjo
Level 1
Author

Thank you very much Andrey for your quick response, 

so there is no way even with user isolation enable to upload a file whose owner is the DSS end user mapped Unix User? 

My concern here is that dssuser could get access to private or confidential information upload by business users or there is a workound to achive this

 

Kind regards

0 Kudos
Andrey
Dataiker Alumni

No, it's not possible to restrict dssuser from accessing files in the DSS data directory.

dssuser is used for impersonation, meaning he can execute commands as other DSS users, so that means that even if he didn't have direct access to a certain file, he would after impersonation.

 

Andrey Avtomonov
R&D Engineer @ Dataiku
0 Kudos
miriamgasenjo
Level 1
Author

Hi Andrey, 

           As you mentioned dssuser will get access but through dss-enduser/unix user impersonation. 

I will try to clarify a bit better with the following scenario: 

Lets say there is a server folder connection configured to be outside DSS data dir for instance /data/finance. At server level the folder with be owned by unix user: vfinance and group: finance with the rights 4(user)7(group)0(others) 

Considering that user isolation is enabled, I am connected to DSS (dssenduser: mirgar, unixUser:unixmirgar, unixGroup: finance) working on project A and I want to upload a dataset on /data/finance, when doing this task as user isolation is enabled dssuser will impersonate as unixmirgar and upload the file in /data/finance/?

We need to have a clear understanding of how user isolation works. 

If user impersonation is enabled and we run a flow, DSS is try to run all the flow as dssenduser-unixuser or only the code recipes?

Thank you very much. 

Kind regards.

 

 

 

0 Kudos
miriamgasenjo
Level 1
Author

Hi @Andrey

      Any insight about the previously detailed scenario? 

I need to understand how it works behind the scenes. 

Thank you very much. 

Kind regards

 

 

0 Kudos