Operating System Profiles for the Metadata Access Service
An operating system profile is a security mechanism that the Metadata Access Service uses to import and preview metadata at design time. Create operating system profiles and configure the Metadata Access Service to use them.
The operating system profile contains the operating system user name, Hadoop impersonation properties, and permissions.
To increase security, create operating system profiles to divide users into specific groups. Each group is defined by the operating system profile and the configured operating system user. The groups manage mapping runs and control access to directories by specifying permissions for the operating system user in each operating system profile. The operating system user has read and write permissions to certain controlled directories. The operating system profile configuration must adequately control the directories where users have read and write permissions in order to mitigate directory traversal attacks. For example, if the operating system profile does not properly assign directory permissions, certain users can access files in unassigned directories.
When you configure the Metadata Access Service to use operating system profiles, the Metadata Access Service imports and previews metadata with the permissions of the operating system user that you define in the operating system profile. The operating system user must have access to the directories you configure in the profile and the directories the Metadata Access Service accesses at design time.
By default, the Metadata Access Service process imports and previews metadata using the permissions of the operating system user that starts Informatica Services. The Metadata Access Service has access only to the directories where that operating system user has read and write permissions. The Metadata Access Service provides the object metadata to the Developer tool.
Operating System Profile Components
Configure the following components in an operating system profile:
- Operating system user name. Specify an operating system user that exists on the system where the Metadata Access Service runs. The Metadata Access Service uses the system permissions of this operating system user to import and preview metadata from a Hadoop cluster.
- Hadoop impersonation properties. Configure the Metadata Access Service to use a Hadoop impersonation user to import and preview metadata from a Hadoop cluster.
- Permissions. Configure permissions for users and groups to use operating system profiles.
Configuring the Metadata Access Service to Use Operating System Profiles
Configure the Metadata Access Service to import and preview metadata from Hadoop clusters.
The operating system user you define in the operating system profile must have access to the directories you configure in the operating system profile and to the directories the Metadata Access Service accesses at design time.
Complete the following steps to configure the Metadata Access Service to use operating system profiles:
1. Configure system permissions on the files and directories that the operating system profile user needs to access at design time.
2. In the Administrator tool, enable the Metadata Access Service to use operating system profiles.
3. On the Security page of the Administrator tool, create operating system profiles.
For more information on creating and managing operating system profiles, see the Informatica Security Guide.
Configuring System Permissions for the Operating System Profile User
Configure system permissions on the files and directories that operating system profile users must access at design time.
1. Make sure that the operating system user that starts the Informatica services has sudo permission.
2. On Linux, verify that setuid is enabled on the file system that contains the Informatica installation.
If necessary, remount the file system with setuid enabled.
3. Make sure that all the library files in the following directory have at least 755 permissions:
<Informatica installation directory>/services/shared/bin
4. Make sure that the operating system profile users have 777 permissions on the $DISTempDir directory and at least 750 permissions on the $DISLogDir directory.
5. Make sure that the operating system profile users have at least 755 permissions to the directory where the pmsuid file is located and all its parent directories.
The pmsuid file is located in the following directory:
<Informatica installation directory>/services/shared/bin
6. Set the owner and group of pmsuid to root and set the permissions. Perform the following steps on each node where the Metadata Access Service runs:
- a. At the command prompt, switch to the following directory:
<Informatica installation directory>/services/shared/bin
- b. Enter the following command at the command line to log in as root:
su root
- c. Enter the following command to create a group for the administrator user:
sudo groupadd <group name>
- d. Enter the following command to add the administrator user to the group (the -a option appends the group instead of replacing the user's existing supplementary groups):
sudo usermod -aG <group name> <Informatica administrator user>
The administrator user is the Linux user whose permissions are used for all Informatica services.
- e. Enter the following command to change the owner and group of pmsuid to root and the group that you created:
chown root:<group name> pmsuid
- f. Set the following permissions:
chmod 6710 pmsuid
- g. Verify that the permissions for the pmsuid file appear as follows:
rws--s---
7. Set the umask value of the directories that the operating system profile accesses to 0027 or 0077 for better security.
When you create these directories on Linux, the default umask value is set to 0222.
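The following POSIX shell script is an added example, not part of the Informatica product or its documentation. It turns steps 3, 6 and 7 above into repeatable checks that can be run on each node after the permissions have been set: library files under services/shared/bin must have at least 755, pmsuid must be owned by root with mode 6710 (rws--s---), and the umask must be at least as strict as 0027. It assumes GNU coreutils stat on Linux, that library files match the pattern lib*.so*, and uses INFA_HOME as an assumed variable for <Informatica installation directory>; the check_* function names are the script's own.

```shell
#!/bin/sh
# Added verification script (not Informatica's own code). Checks the
# permission requirements of steps 3, 6 and 7 against an installation.
# Assumes GNU stat (Linux). INFA_HOME is an assumed variable name.

# Octal permission bits of a path, including setuid/setgid (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Owner name of a path.
file_owner() {
    stat -c '%U' "$1"
}

# True when every permission bit in $2 (octal, e.g. 0755) is set on $1.
# This is the "at least 755" test: extra bits are allowed, missing ones are not.
check_min_mode() {
    _mode=$(file_mode "$1") || return 1
    [ $(( 0$_mode & 0$2 )) -eq $(( 0$2 )) ]
}

# True when the permission bits of $1 are exactly $2 (octal).
check_exact_mode() {
    _mode=$(file_mode "$1") || return 1
    [ $(( 0$_mode )) -eq $(( 0$2 )) ]
}

# Step 6: pmsuid must be owned by root with mode 6710 (rws--s---), i.e.
# setuid and setgid set, owner rwx, group execute only, nothing for others.
check_pmsuid() {
    [ "$(file_owner "$1")" = root ] && check_exact_mode "$1" 6710
}

# Step 7: a umask is strict enough when it clears group write and all
# permissions for others. 0027 and 0077 pass; 0022 (and 0222) do not.
umask_is_strict() {
    [ $(( 0$1 & 0027 )) -eq $(( 0027 )) ]
}

# Step 3: every library file (assumed pattern lib*.so*) in a directory has at
# least the given mode. Returns 1 and lists offenders on stderr otherwise.
check_dir_files_min_mode() {
    _rc=0
    for _f in "$1"/lib*.so*; do
        [ -f "$_f" ] || continue
        if ! check_min_mode "$_f" "$2"; then
            echo "insufficient permissions: $_f ($(file_mode "$_f"))" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Run all checks against an installation directory and a proposed umask.
verify_installation() {
    _bin="$1/services/shared/bin"
    check_dir_files_min_mode "$_bin" 0755 \
        || echo "FAIL: library files under $_bin need at least 755" >&2
    check_pmsuid "$_bin/pmsuid" \
        || echo "FAIL: $_bin/pmsuid must be root-owned with mode 6710" >&2
    umask_is_strict "$2" \
        || echo "FAIL: umask $2 is too permissive; use 0027 or 0077" >&2
}

# Runs only when INFA_HOME is set, so the functions can also be sourced.
# Usage: INFA_HOME=/opt/informatica sh check_osprofile_perms.sh 0027
if [ -n "$INFA_HOME" ]; then
    verify_installation "$INFA_HOME" "${1:-0027}"
fi
```

The bitwise test in check_min_mode is what "at least 755" means in practice: a file with 775 or 4755 passes, while 750 fails because group read is missing. check_pmsuid deliberately requires the exact mode 6710 rather than a minimum, since a more permissive setuid root binary is exactly what step 6 is meant to prevent.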
Enabling the Metadata Access Service to Use Operating System Profiles
After you configure system permissions for the operating system profile users, enable the Metadata Access Service to use operating system profiles.
1. In the Administrator tool, click the Manage tab > Services and Nodes view.
2. In the Domain Navigator, select the Metadata Access Service.
3. In the Properties view of the Metadata Access Service, click Edit Execution Options.
4. Select Use Operating System Profiles and Impersonation.
A warning message appears stating that the cache connection, the SQL Service Module, and the Web Service Module are not available when the Metadata Access Service uses operating system profiles.
5. Restart the Metadata Access Service to apply the changes.