How Tickets Work

When an authenticated user runs a client, the client uses that user's ticket to communicate securely with the server. After enabling security features, supported communications channels between client and server are encrypted. For more information, see Enabling and Disabling Security Features on Your Cluster

Nodes use tickets to identify themselves to one another in order to prevent spoofing, a condition where an untrusted machine presents itself as a trusted machine to gain access to the cluster.

WARNING:

When you submit a job to the JobTracker with a valid ticket for the local cluster, that job completes even if the job runs longer than the ticket's lifetime. Ticket expiration does not stop a running job unless the job accesses a remote cluster during its execution. The JobTracker can only generate tickets for the local cluster.

Components that submit jobs individually, such as Oozie or HiveServer2, cannot generate valid tickets for remote clusters. Jobs submitted by such components for remote clusters will fail if the remote clusters have security features enabled.

User Blacklisting

System administrators can use the command line interface to blacklist a user. A blacklist command invalidates all of a user's tickets. Once a blacklist command is received by the CLDB, the name of the blacklisted user is sent to all FileServer nodes, which reject any request sent by that user that has a ticket older than the blacklist's time stamp. Due to the nature of this check, there is no explicit removal of a blacklist. Issuing a new ticket with a time stamp more recent than the blacklist's time stamp implicitly removes the user from the blacklist. To permanently prevent a user from logging in again, revoke the user's credentials in the PAM registry.

What Blacklisting Affects

A blacklisted user cannot access the MapR file system or the CLDB, but since blacklisting only revokes a user's existing valid tickets, be aware of the following interactions:

  • Blacklisting has no effect on Oozie's cached credentials in ~/.oozie-auth-token, and has no effect on Oozie in general, even after a restart.
  • The JobTracker needs a restart to pick up blacklisting-related changes.
  • Blacklisting does not affect a new authentication with user ID and password or with existing Kerberos credentials.
  • Since NFS does not use MapR tickets, blacklisting does not affect NFS access.