Blaze Engine Security Overview

The Blaze engine runs on the Hadoop cluster as a YARN application. When the Blaze engine starts, it has the privileges and permissions of the user account used to start it. You can designate a user account to start the Blaze engine or use the Data Integration Service user account. Informatica recommends that you create a user account on the Hadoop cluster for Blaze.
A designated user account isolates the Blaze engine from other services on the Hadoop cluster. Grant the user account the minimum required privileges and permissions. When you limit the privileges and permissions of a user account, you limit the attack surface that is available to unauthorized users.
If you do not designate a user account for the Blaze engine, the Blaze engine uses the Data Integration Service user account. The Data Integration Service user account has permissions that the Blaze engine does not need. For example, the Data Integration Service user account has permission to impersonate other users. Blaze does not need this permission.
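One way to check that a designated Blaze account carries no impersonation rights, as an added example that is not part of the Informatica guide. It assumes the cluster grants impersonation through the Hadoop `hadoop.proxyuser.<user>.*` properties in core-site.xml; the account names `blaze` and `infa_dis` and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hadoop grants impersonation through hadoop.proxyuser.<user>.{hosts,groups,users}.
PROXYUSER = re.compile(r"^hadoop\.proxyuser\.(.+)\.(hosts|groups|users)$")

# Constructed core-site.xml fragment; account and host names are hypothetical.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example:8020</value></property>
  <property><name>hadoop.proxyuser.infa_dis.hosts</name><value>dis01.example</value></property>
  <property><name>hadoop.proxyuser.infa_dis.groups</name><value>etl_users</value></property>
  <property><name>hadoop.proxyuser.blaze.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.blaze.groups</name><value>*</value></property>
</configuration>"""


def impersonation_grants(core_site_xml):
    """Return {user: {scope: value}} for every proxyuser entry in core-site.xml."""
    grants = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        match = PROXYUSER.match((prop.findtext("name") or "").strip())
        if match:
            user, scope = match.groups()
            grants.setdefault(user, {})[scope] = (prop.findtext("value") or "").strip()
    return grants


def audit_blaze_account(core_site_xml, blaze_user, dis_user):
    """List least-privilege findings for the account that starts the Blaze engine."""
    findings = []
    # Sharing the Data Integration Service account means inheriting its permissions.
    if blaze_user == dis_user:
        findings.append("Blaze starts as the Data Integration Service account")
    # Any proxyuser entry for the Blaze account is a permission Blaze does not need.
    blaze_grants = impersonation_grants(core_site_xml).get(blaze_user, {})
    for scope, value in sorted(blaze_grants.items()):
        detail = "any" if value == "*" else value
        findings.append(f"{blaze_user} may impersonate: {scope}={detail}")
    return findings


if __name__ == "__main__":
    for finding in audit_blaze_account(SAMPLE_CORE_SITE, "blaze", "infa_dis"):
        print("FINDING:", finding)
```

An empty result means the designated account has no proxyuser entries; the check covers impersonation only, not the account's other privileges.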
When you submit a job to the Hadoop cluster, the Blaze engine uses the mapping impersonation user to run the job. If no mapping impersonation user is specified, the Blaze engine uses the Data Integration Service user.
To configure the Informatica domain to use Blaze to run mappings on a Kerberos-enabled cluster, see the Informatica Big Data Management 10.1.1 Update 2 Installation and Configuration Guide.