Spotfire® Service for R Installation and Administration

Limiting exposure of your deployment

The Spotfire Service for R is installed on a Spotfire Server node running under Linux or Windows. The Linux installation provides the option of running the Spotfire Service for R in a containerization platform.

When you install the Spotfire Service for R and run the R engine, you can take steps to protect the server deployment, to minimize the risk of unauthorized access, and to minimize the possibility of malicious acts.

Statistical engines such as R provide functions to access data and packages on the internet. Additionally, they have functions that access the host computer system, such as those for executing system commands, and those for reading and writing files. By their very design, these languages can expose computer systems to risk from bad actors, unless the deployer takes steps to secure the environments in which they run. We strongly recommend reviewing and implementing the practices described here.

Note: The Spotfire Service for R installed on a Spotfire Server node running under Windows does not have a containerized installation available.

Restricting user access

  • Run the Spotfire Service for R using an account that limits network access to required external data sources and services only. (Note that taking this step can limit the availability of data and package updates.)
  • Always run the node manager containing the Spotfire Service for R as a non-root user. (That is, not as root or under an Administrative account.)
    Note: By default, packages are installed in your user directory, rather than a location accessible to all data functions. To avoid this problem, if you must install packages manually, do one of the following:
    • Before starting R to install packages, manually create the site-library directory. If this directory is present, R installs packages into this directory.
    • In your call to install.packages, specify the correct package path. For more information, see Installing R Packages Manually.
  • If you are running a system where other servers have access to computers running the Spotfire Service for R, disable passwordless access between the server and other servers.
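
The note above on manual package installation can be enforced in a small wrapper. This is an added example, not code from the product or its documentation. The function name `install_shared`, the library path shown in the usage comment, and the CRAN mirror URL are assumptions; substitute the location given in Installing R Packages Manually.

```r
# Added example: install packages into a shared library, never the per-user one.
# `install_shared` is a hypothetical helper; `lib` must be supplied by the admin.
install_shared <- function(pkgs, lib, repos = "https://cloud.r-project.org") {
  # The guidance above is to run as a non-root account; refuse to continue as root.
  if (.Platform$OS.type == "unix" && identical(Sys.info()[["user"]], "root")) {
    stop("Refusing to install as root; use the non-root service account.")
  }

  lib <- normalizePath(lib, mustWork = FALSE)

  # R_LIBS_USER may hold several paths; none of them is visible to all data functions.
  user_libs <- strsplit(Sys.getenv("R_LIBS_USER"), .Platform$path.sep, fixed = TRUE)[[1]]
  user_libs <- normalizePath(user_libs, mustWork = FALSE)
  if (lib %in% user_libs) {
    stop("Target is a per-user library: ", lib)
  }

  # The directory must already exist (first option in the note) and be writable
  # by the current account; otherwise R would fall back to another location.
  if (!dir.exists(lib)) {
    stop("Create the shared library directory first: ", lib)
  }
  if (file.access(lib, mode = 2) != 0) {
    stop("Current account cannot write to: ", lib)
  }

  # Second option in the note: pass the package path explicitly.
  install.packages(pkgs, lib = lib, repos = repos)

  # install.packages() only warns on failure, so confirm where the packages landed.
  present <- rownames(installed.packages(lib.loc = lib))
  failed <- setdiff(pkgs, present)
  if (length(failed) > 0) {
    stop("Not installed in ", lib, ": ", paste(failed, collapse = ", "))
  }
  invisible(lib)
}

# Usage (path is an assumption, not taken from the product documentation):
# install_shared("jsonlite", file.path(R.home(), "site-library"))
```

If the service account's network access has been restricted as recommended above, point `repos` at an internal mirror that the account is allowed to reach.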

Configuring for tighter engine control

  • If your deployment is on a Linux server, then the default configuration for the Spotfire Service for R is to use containers (the property use.engine.containers: TRUE). Running the Spotfire Service for R with containers enabled prevents the engines from having access to the host system. See Containerized Service for more information.
    Note: Docker is available under separate software license terms and is not part of the Spotfire Server or the Spotfire Service for R. As such, Docker is not within the scope of your license for Spotfire Server or the Spotfire Service for R. Docker is not supported, maintained, or warranted in any way by Cloud Software Group, Inc. Download and use of Docker is solely at your own discretion and subject to license terms applicable to Docker.