File permissions

You should use OS file permissions to restrict user access to BDD files. You can control permissions with chmod, umask, or a similar utility.

The bdd user requires read, write, and occasionally execute permissions for all BDD files and directories, as well as the Dgraph databases. You can give other users access to these as well, but you should make sure they can be trusted and be careful about the specific permissions you grant them.

Additionally, you should take special care with the following BDD utilities.

bdd-admin permissions

The bdd-admin script is used to perform administrative tasks, such as starting and stopping BDD components and updating your cluster's configuration. It's located in $BDD_HOME/BDD_manager/bin on all BDD nodes. However, it can only be run from the Admin Server and must therefore be run by a user that has passwordless sudo enabled on all nodes in the BDD cluster.

By default, bdd-admin can only be run by the bdd user. Oracle strongly advises against enabling other users to run it, as doing so would greatly increase the risk of an intruder gaining access to your data.

More information about the bdd-admin script is available in the Administrator's Guide.

Data Processing CLI permissions

The DP CLI utility is used to launch Data Processing workflows, either manually or via cron job. By default, it can only be run by the bdd user; however, you can give other users permission to run it as well. Be aware, though, that doing so would give those users greater access to your data as well as control over the specific data available to BDD. You should therefore be cautious about which users you grant access to it.

You should also restrict access to the DP CLI's whitelist and blacklist, which are located in $BDD_HOME/dataprocessing/edp_cli/config/. These files control which Hive tables the DP CLI processes. For more information, see Data set whitelists and blacklists.

More information on the DP CLI and its whitelist and blacklist is available in the Data Processing Guide.
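The checks described so far (ownership of the BDD tree, who can run bdd-admin, and who can change the DP CLI configuration directory) can be audited with a short script. This is an added example, not part of Oracle's tooling; the function name, the finding labels, and the BDD_OWNER variable are made up here, and it assumes owner-only access is the baseline you are comparing against.

```shell
#!/bin/sh
# Added example: report ownership and mode drift under a BDD install tree.
# Assumption: owner-only access is the baseline, so each line printed is a
# deviation to review, not automatically a fault.

# bdd_perm_audit ROOT OWNER  ->  prints "<finding> <path>", nothing when clean.
# The function name and the finding labels are made up for this example.
bdd_perm_audit() {
    root=$1     # install root, i.e. the value of $BDD_HOME
    owner=$2    # account expected to own the tree (bdd on this page)

    # Symlinks are skipped: on Linux a symlink's own mode bits are ignored.
    # 1. Files or directories owned by some other account.
    find "$root" ! -type l ! -user "$owner" | sed 's/^/not-owned-by-owner /'

    # 2. Anything writable by "other", anywhere in the tree.
    find "$root" ! -type l -perm -002 | sed 's/^/world-writable /'

    # 3. bdd-admin executable by group or other.
    admin="$root/BDD_manager/bin/bdd-admin"
    if [ -f "$admin" ]; then
        find "$admin" ! -type l \( -perm -010 -o -perm -001 \) |
            sed 's/^/admin-exec-by-group-or-other /'
    fi

    # 4. DP CLI config directory (holds the whitelist and blacklist):
    #    group-writable entries; other-writable ones are caught by check 2.
    cfg="$root/dataprocessing/edp_cli/config"
    if [ -d "$cfg" ]; then
        find "$cfg" ! -type l -perm -020 | sed 's/^/dpcli-config-group-writable /'
    fi
}

# Run the audit only when BDD_HOME is set; BDD_OWNER is a hypothetical override.
if [ -n "${BDD_HOME:-}" ]; then
    bdd_perm_audit "$BDD_HOME" "${BDD_OWNER:-bdd}"
fi
```

Run it as the bdd user or as root so that find can read every directory; a path reported under more than one label has more than one deviation.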

BDD Shell permissions

The BDD Shell is a programming shell used to explore the internals of BDD, interact with Hadoop, and analyze data. It's an optional component that must be installed separately from the rest of BDD.

The BDD Shell can only be used by the bdd user and members of a specific OS group that you define when you install it. You can later add other users to the BDD Shell group, but you should ensure that they are trusted and be careful about which permissions you grant them.

More information about the BDD Shell can be found in the BDD Shell Guide.