MapR 5.2 is at End of Life (EOL) and no longer supported. Please see the latest documentation. This documentation is not being updated.

Home
5.2 Cluster Administration
This section contains information on administering the cluster and MapR-DB, configuring Gateways, and configuring and managing particular aspects of the MapR security infrastructure.
Configuring Security
Describes tasks for configuring MapR security, managing secure clusters, and administering auditing.
Configuring Mapr Security
Provides usage information for frequently used security functionality including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet whitelisting.
Authenticating Users
Provides information about MapR ticket, Kerberos, Pluggable Authentication Module (PAM) authentication.
Tickets
Introduces authenticate using tickets for users and MapR servers.
Generating a Service with Impersonation Ticket
Describes how to generate and manage impersonation tickets.

MapR 5.2 Documentation

5.2 Cluster Administration
This section contains information on administering the cluster and MapR-DB, configuring Gateways, and configuring and managing particular aspects of the MapR security infrastructure.
- Administering the Cluster
  This section describes how to manage the nodes and services that make up a cluster.
- Monitoring the Cluster
  This section describes how to monitor the health and performance of a MapR cluster.
- Configuring and Managing MapR Gateways
  A MapR gateway mediates one-way communication between a source MapR cluster and a destination cluster. MapR-DB tables and MapR Streams streams can be replicated.
- Administering MapR-DB
  Administration of the MapR-DB is done primarily via the commmand line (maprcli) or with the MapR Control System (MCS). Regardless of whether the MapR-DB table is used for binary files or JSON documents, the same types of commands are used with slightly different parameter options. MapR-DB administration is associated with tables, columns and column families, and table regions.
- Configuring Security
  Describes tasks for configuring MapR security, managing secure clusters, and administering auditing.
  - Configuring Mapr Security
    Provides usage information for frequently used security functionality including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet whitelisting.
    - Getting Started with MapR Security
      Describes two core scenarios that allow quick implementation of security features.
    - Managing Encryption for MapR Core
      Provides information that allows you to use encryption across the MapR platform.
    - Authenticating Users
      Provides information about MapR ticket, Kerberos, Pluggable Authentication Module (PAM) authentication.
      - Tickets
        Introduces authenticate using tickets for users and MapR servers.
        How Tickets Work
        Describes how tickets enable secure communication between the client and the server.
        Generating a MapR User Ticket
        Describes how to generate a user ticket and use it in a typical work flow.
        Generating a Service Ticket
        Describes how to use a service ticket to run services outside the cluster.
        Generating a Service with Impersonation Ticket
        Describes how to generate and manage impersonation tickets.
        Generating a MapR Ticket from a Kerberos Ticket
        Provides instructions on how to use a Kerberos ticket to generate a MapR ticket.
        MapR Tickets and PAM
        Describes how to configure PAM.
        maprlogin Command Syntax
        Describes the different arguements and options for the maprlogin command line tool.
      - Configuring Kerberos
        Describes how Kerberos works with MapR tickets.
      - Configuring PAM
        Describes how PAM works with MapR.
    - Managing Access Controls
      Describes how to create, enable, and use ACLs and ACEs.
    - Managing Impersonation
      Provides instructions for enabling and using MapR impersonation features.
  - Managing Secure Clusters
    Provides procedures that will enable you to run use MapR clusters securely.
  - Managing Auditing
    Provides instructions for using MapR auditing features.
- Administrator's Reference
  This section contains in-depth reference information for the administrator.
- Glossary
  This section contains defintions for commonly used terms in MapR Converged Data Platform environments.

Generating a Service with Impersonation Ticket

Describes how to generate and manage impersonation tickets.

Impersonation allows a user to access data and submit jobs on behalf of another user. You may want to allow users, other than the mapr user, to impersonate other users. You can use the maprlogin utility to generate a "servicewithimpersonation ticket" that can be used to access a secure cluster impersonating another user. That is, the servicewithimpersonation ticket provides the user the ability to impersonate other users (except the mapr user) in addition to the ability to access a secure cluster. This type of ticket can only be generated by a user with full control on a cluster's Access Control List (ACL).

If this type of ticket is generated and saved in the location specified with the -out option, after generating the ticket, do the following:

Reset the permissions on the ticket to grant the user, for whom the ticket was generated, read permissions on the ticket.
Set the MAPR_TICKETFILE_LOCATION environmental variable to point to the ticket file location specified with the -out option if the path specified with the -out option was not /tmp/maprticket_<uid>.

This type of ticket, similar to a service ticket, has a specified duration (expiration), a renewal period (maximum lifetime), and a location where the ticket is safely stored. It grants the specified user the ability to impersonate other users, except the mapr user.

The default duration for this type of ticket is LIFETIME and the duration is not bounded by the CLDB duration properties. Short duration and renewal values may be used for security reasons, but much longer lifetimes are supported for ease of administration.

For example:

# maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/impersonation_ticket -duration 30:0:0 -renewal 90:0:0

The above command generates a service with impersonation ticket that expires after 30 days and is stored in /var/tmp/impersonation_ticket. The ticket may be renewed at any time before the 30 days pass and can be extended up to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically when it expires.