Operating System Profiles for the Data Integration Service

An operating system profile is a security mechanism that the Data Integration Service uses to run mappings, workflows, and profiling jobs. Use operating system profiles to increase security and to isolate the run-time environment for users. If the Data Integration Service runs on UNIX or Linux, create operating system profiles and configure the Data Integration Service to use them.
The operating system profile contains the operating system user name, service process variables, Hadoop impersonation properties, the Analyst Service properties, environment variables, and permissions.
To increase security, create operating system profiles to divide users into specific groups. Each group is defined by the operating system profile and the configured operating system user. The groups manage mapping runs and control access to directories by specifying permissions for the operating system user in each operating system profile. The operating system user has read and write permissions to certain controlled directories. The operating system profile configuration must restrict the directories where users have read and write permissions in order to mitigate directory traversal attacks. For example, if the operating system profile does not properly assign directory permissions, certain users can access files in unassigned directories.
When you configure the Data Integration Service to use operating system profiles, the Data Integration Service runs jobs with the permissions of the operating system user that you define in the operating system profile. The operating system user must have access to the directories you configure in the profile and the directories the Data Integration Service accesses at run time.
By default, the Data Integration Service process runs all jobs, mappings, and workflows using the permissions of the operating system user that starts Informatica Services. The jobs have access only to the directories where the operating system user has read and write permissions. The Data Integration Service writes output files to a single shared location specified in the Data Integration Service execution options.
Before you run a mapping with a Lookup transformation, Sqoop source, or Sqoop target in the Hadoop run-time environment, verify that the operating system user has read, write, and execute permissions on the following directory:
<Informatica installation directory>/tomcat/temp/<Data Integration Service name>/temp
Note: If the Analyst Service and the Data Integration Service run on different nodes, the operating system profiles must be configured for both nodes.

Operating System Profile Example

An I.T. organization has some developers that work with sensitive data from Human Resources. The organization needs to restrict other developers in the organization from accessing any HR file or directory that the HR developers own.
The organization enables operating system profiles to limit access to data. Each developer group has an operating system profile. The developers in the HR operating system profile can read and write data in the restricted directories on the UNIX machine.

Operating System Profile Components

Configure the following components in an operating system profile:

Configuring the Data Integration Service to Use Operating System Profiles

Configure the Data Integration Service to run mappings, workflows, and profiling jobs with operating system profiles.
The operating system user you define in the operating system profile must have access to the directories you configure in the operating system profile and to the directories the Data Integration Service accesses at run time. For example, pmsuid is a tool that the DTM process, command tasks, and parameter files use to switch between operating system users. You must grant operating system users permission to run pmsuid with the permissions of the Data Integration Service administrator user.
Note: If you enable the Data Integration Service to use operating system profiles, you cannot enable cache connection, the SQL Service Module, or the Web Service Module.
Complete the following steps to configure the Data Integration Service to use operating system profiles:
    1. Configure system permissions on the files and directories that the operating system profile user needs to access at run time.
    2. In the Administrator tool, enable the Data Integration Service to use operating system profiles.
    3. On the Security page of the Administrator tool, create operating system profiles.
    For more information on creating and managing operating system profiles, see the Informatica Security Guide.

Configuring System Permissions for the Operating System Profile Users

Configure system permissions on the files and directories that operating system profile users must access at run time.
    1. Make sure that the operating system user that starts the Informatica services has sudo permission.
    2. On UNIX or Linux, verify that setuid is enabled on the file system that contains the Informatica installation.
    If necessary, remount the file system with setuid enabled.
    3. Make sure that all the library files in the following directory have at least 755 permissions:
    <Informatica installation directory>/services/shared/bin
    4. Make sure that the operating system profile users have 777 permissions on the $DISTempDir directory and at least 750 permissions on the $DISLogDir directory.
    5. Make sure that the operating system profile users have at least 755 permissions to the directory where the pmsuid file is located and all its parent directories.
    The pmsuid file is located in the following directory:
    <Informatica installation directory>/services/shared/bin
    6. Set the owner and group of pmsuid to root and set the permissions. Perform the following steps on each node where the Data Integration Service runs:
        a. At the command prompt, switch to the following directory:
           <Informatica installation directory>/services/shared/bin
        b. Enter the following command at the command line to log in as root:
           su root
        c. Enter the following command to create a group for the administrator user:
           sudo groupadd <group name>
        d. Enter the following command to add the administrator user to the group:
           sudo usermod -G <group name> <Informatica administrator user>
           The administrator user is the Linux user whose permissions are used for all Informatica services.
        e. Enter the following command to change the owner and group of pmsuid to root and the group that you created:
           chown root:<group name> pmsuid
        f. Set the following permissions:
           chmod 6710 pmsuid
        g. Verify that the permissions for the pmsuid file appear as follows:
           rws--s---
    7. Set the umask value of the directories that the operating system profile accesses to 0027 or 0077 for better security.
    When you create these directories on UNIX or Linux, the default umask value is set to 0222.
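As an added example, not part of this guide or of the Informatica product, the following Python script audits one node against steps 3 through 7 above: library files at least 755, pmsuid exactly 6710 and owned by root, pmsuid's directory and its parents up to the installation root at least 755, the temp directory 777, and the log directory at least 750. The fixture that demo() builds is constructed; its tmp and logs directory names stand in for $DISTempDir and $DISLogDir, and because the fixture cannot be chowned to root, the current uid is passed as the expected owner.

```python
import os
import tempfile

def check_mode(path, required, exact=False, owner_uid=None):
    """Findings for one path ([] = pass). exact: mode == required, else all required bits set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = st.st_mode & 0o7777  # permission bits incl. setuid/setgid/sticky
    ok = mode == required if exact else mode & required == required
    out = [] if ok else [f"{path}: mode {mode:04o}, expected "
                         f"{'exactly' if exact else 'at least'} {required:04o}"]
    if owner_uid is not None and st.st_uid != owner_uid:
        out.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    return out

def audit_node(infa_home, temp_dir, log_dir, pmsuid_owner_uid=0):
    """Libraries at least 755; pmsuid exactly 6710 and owned by root (uid 0); pmsuid's
    directory and every parent up to the install root at least 755; temp 777; log 750."""
    bin_dir = os.path.join(infa_home, "services", "shared", "bin")
    findings = check_mode(os.path.join(bin_dir, "pmsuid"), 0o6710,
                          exact=True, owner_uid=pmsuid_owner_uid)
    for name in os.listdir(bin_dir):
        if name != "pmsuid" and os.path.isfile(os.path.join(bin_dir, name)):
            findings += check_mode(os.path.join(bin_dir, name), 0o755)
    d = bin_dir
    for _ in range(4):  # bin, shared, services, and the install root itself
        findings += check_mode(d, 0o755)
        d = os.path.dirname(d)
    findings += check_mode(temp_dir, 0o777)
    findings += check_mode(log_dir, 0o750)
    return findings

def demo():
    """Constructed fixture, not a real install: a tree that meets every requirement
    except that pmsuid is 6777 (world-executable). The current uid stands in for root."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "services", "shared", "bin")
    pmsuid = os.path.join(bin_dir, "pmsuid")  # stand-in file, not the real binary
    temp_dir, log_dir = os.path.join(root, "tmp"), os.path.join(root, "logs")
    for d in (bin_dir, temp_dir, log_dir):
        os.makedirs(d)
    for dirpath, _, _ in os.walk(root):  # every directory at least 755
        os.chmod(dirpath, 0o755)
    open(pmsuid, "w").close()
    for path, mode in ((pmsuid, 0o6777), (temp_dir, 0o777), (log_dir, 0o750)):
        os.chmod(path, mode)
    return audit_node(root, temp_dir, log_dir, pmsuid_owner_uid=os.getuid())
```

Because every other check in the fixture passes, demo() returns exactly one finding, the over-permissive pmsuid mode; on a real node, call audit_node() with the installation directory and the $DISTempDir and $DISLogDir paths and expect an empty list.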

Enabling the Data Integration Service to Use Operating System Profiles

After you configure system permissions for the operating system profile users, enable the Data Integration Service to use operating system profiles.
    1. In the Administrator tool, click the Manage tab > Services and Nodes view.
    2. In the Domain Navigator, select the Data Integration Service.
    3. In the Properties view of the Data Integration Service, click Edit Execution Options.
    4. Select Use Operating System Profiles and Impersonation.
    A warning message appears that cache connection, the SQL Service Module, and the Web Service Module are not available when the Data Integration Service uses operating system profiles.
    5. Restart the Data Integration Service to apply the changes.

Troubleshooting Operating System Profiles

Consider the following troubleshooting tips when you configure the Data Integration Service to use operating system profiles:
After I configured the Data Integration Service to use operating system profiles, the Data Integration Service failed to start.
The Data Integration Service will not start if operating system profiles are enabled on Windows or on a grid that includes a Windows node. You can enable operating system profiles only on Data Integration Services that run on UNIX or Linux.
Or, pmsuid was not configured. To use operating system profiles, you must set the owner and group of pmsuid to administrator and enable the setuid bit for pmsuid.