How Tickets Work

Describes how tickets enable secure communication between the client and the server.

When an authenticated user runs a client, the client uses that user's ticket to communicate securely with the server. After Enabling Wire-level Security, supported communications channels between client and server are encrypted.

Nodes use tickets to identify themselves to one another in order to prevent spoofing, a condition where an untrusted machine presents itself as a trusted machine to gain access to the cluster.

IMPORTANT: When you submit a job to the JobTracker with a valid ticket for the local cluster, that job completes even if the job runs longer than the ticket's lifetime. Ticket expiration does not stop a running job unless the job accesses a remote cluster during its execution. The JobTracker can only generate tickets for the local cluster.

Components that submit jobs individually, such as Oozie or HiveServer2, cannot generate valid tickets for remote clusters. Jobs submitted by such components for remote clusters will fail if the remote clusters have security features enabled.

User Blacklisting

System administrators can use the command line interface to blacklist a user. A blacklist command invalidates all of a user's tickets. Once a blacklist command is received by the CLDB, the name of the blacklisted user is sent to all FileServer nodes, which reject any request sent by that user that has a ticket older than the blacklist's time stamp. Due to the nature of this check, there is no explicit removal of a blacklist. Issuing a new ticket with a time stamp more recent than the blacklist's time stamp implicitly removes the user from the blacklist. To permanently prevent a user from logging in again, revoke the user's credentials in the PAM registry.

What Blacklisting Affects

A blacklisted user cannot access the MapR file system or the CLDB, but since blacklisting only revokes a user's existing valid tickets, be aware of the following interactions:

  • Blacklisting has no effect on Oozie's cached credentials in ~/.oozie-auth-token, and has no effect on Oozie in general, even after a restart.
  • The JobTracker needs a restart to pick up blacklisting-related changes.
  • Blacklisting does not affect a new authentication with user ID and password or with existing Kerberos credentials.
  • Since NFS does not use MapR tickets, blacklisting does not affect NFS access.
  • Blacklisted users can still be impersonated as impersonation does not check whether a user is blacklisted or not.