Data Collector Shell Impersonation Mode
Enable the Data Collector shell impersonation mode to allow the secure use of shell scripts. You enable the impersonation mode by configuring the shell impersonation mode property in the Data Collector configuration file or configuration properties. Enabling the impersonation mode is not required, but strongly recommended. You can also configure related shell and sudo properties as needed.
The Shell executor runs a user-defined shell script each time the stage receives an event. By default, Data Collector executes the script as the operating system user who starts Data Collector. With the default configuration, the shell script can therefore stop Data Collector and perform any other task that the user has the rights to perform.
When you enable shell impersonation mode, the scripts are executed by the user who starts the pipeline. To use this option, the Data Collector user who starts the pipeline must have a corresponding operating system user account, and sudo must be configured to allow passwordless use. For greater security, you can also limit the permissions for the operating system user account to restrict its access.
- For each user who starts Shell executor pipelines, create a matching user account in the operating system and configure permissions as needed.
For example, if Data Collector users Ops1 and Ops2 start all pipelines, create Ops1 and Ops2 user accounts in the operating system and grant them limited permissions.
- Ensure that each of the operating system users has passwordless sudo for Data Collector.
- In the Data Collector configuration file, uncomment the property shown below. If you use Control Hub, edit the deployment: in the Configure Engine section, click Advanced Configuration. Then, click Data Collector Configuration. Then, uncomment the following property:
stage.conf_com.streamsets.pipeline.stage.executor.shell.impersonation_mode=CURRENT_USER
- Restart Data Collector. If you edited a Control Hub deployment, save the changes to the deployment and restart all engine instances.
For more information, see Configuring Data Collector in the Data Collector documentation.
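A preflight check for the steps above, added here as an example and not part of the StreamSets documentation or product: it confirms that the property is uncommented and set to CURRENT_USER, that each pipeline user has an operating system account, and that sudo runs without a password prompt. The properties file path and user names are arguments supplied by the operator, and running the sudo check as the operating system user that starts Data Collector is an assumption.

```shell
#!/bin/sh
# Preflight check for Shell executor impersonation (added example).
# Assumptions: the properties file path and the user names are passed in by
# the operator; run it as the OS user that starts Data Collector.
PROP='stage.conf_com.streamsets.pipeline.stage.executor.shell.impersonation_mode'

# Print the effective value of the property: commented lines are ignored,
# whitespace around key and value is trimmed, and the last assignment wins.
impersonation_mode() {
    awk -v key="$PROP" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*[#!]/ { next }            # commented-out lines do not count
        (eq = index($0, "=")) > 0 {
            if (trim(substr($0, 1, eq - 1)) == key) val = trim(substr($0, eq + 1))
        }
        END { print val }' "$1"
}

# Succeeds only when the property is uncommented and set to CURRENT_USER.
impersonation_enabled() {
    [ "$(impersonation_mode "$1")" = "CURRENT_USER" ]
}

# Succeeds when a matching operating system account exists.
os_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Succeeds when sudo can run a command as the user without prompting (-n).
passwordless_sudo_ok() {
    sudo -n -u "$1" true >/dev/null 2>&1
}

# Usage: preflight <properties-file> <user>...
# Prints one line per check and returns non-zero if any check fails.
preflight() {
    file=$1; shift; rc=0
    if impersonation_enabled "$file"; then echo "OK   impersonation_mode=CURRENT_USER"
    else echo "FAIL impersonation_mode is not CURRENT_USER in $file"; rc=1; fi
    for u in "$@"; do
        if ! os_user_exists "$u"; then echo "FAIL $u: no operating system account"; rc=1
        elif ! passwordless_sudo_ok "$u"; then echo "FAIL $u: passwordless sudo not available"; rc=1
        else echo "OK   $u"; fi
    done
    return $rc
}
```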