In Streams 4.x, there are a couple of security enhancements relating to Streams jobs and their corresponding PE processes. The first enhancement is the ability to have all jobs within a Streams instance run as a configured user, rather than the default of running the jobs under the user that started the domain and instance. This can be very useful in many scenarios such as applications that require special OS privileges, or even scenarios where you want to have the Streams jobs run as a user with reduced privileges. To take advantage of this new support, there are a few domain and instance management setup rules that need to be followed.
Note: In Streams v4, streamtool commands require a ZooKeeper connection string parameter as well, but these examples assume the STREAMS_ZKCONNECT environment variable was set accordingly. The same can be done for the domain name by setting the STREAMS_DOMAIN_ID environment variable.
To run Streams jobs and PEs with these advanced security settings, Streams Domain Controller services must be run as system services. Follow these steps:
streamtool registerdomainhost -d <domain_name>
This sets up your Streams domain controller as a system service. Additional details for setting up an enterprise production domain with high availability can be found here. This step can optionally be performed after step 3, with the only restriction being it must be performed before the domain is started.
streamtool mkdomain -d <domain_name>
"streamtool adduserdomainrole -d <domain_name> DomainUser <user_name>"
"streamtool start domain"
"streamtool getdomainstate –long"
By default, when a job is submitted, the processes are run using the Instance Owner credential. Follow the these steps to configure the instance to run jobs as a different user:
streamtool mkinstance -i myinst --property instance.runAsUser=myinstuser
Setting the instance.runAsUser property to the user you wish to use for running Streams jobs. Additional properties and resource definitions will typically need to be added to the mkinstance command. In Streams 184.108.40.206, the instance.runAsUser user must be in the primary group of the domain owner. In 220.127.116.11 and later, any user can be specified as long as they have access to the installation image.
streamtool start instance
ps aux | grep streams-sam
A second security enhancement that was changed in Streams 4.0.0 and beyond, is how an administrator and developer tag team to provide the ability for operators within a Streams application to run with special operating system capabilities. Using special capabilities can be necessary in cases where a Streams application needs to access a protected system resource, for example a network adapter. To enable this support for an operator with a Streams job, you need to do the following:
streamtool mkinstance -i myinst --property instance.canSetPeOSCapabilities=true