Managing Tickets
Introduces authentication using tickets for users and MapR servers.
MapR implements authentication with tickets. Tickets contain keys, and are used to authenticate users and MapR servers. In addition, certificates are used to implement server authentication. Every user who wants to access a cluster must have a MapR user ticket (maprticket_<uid>) and every node in the cluster must have a MapR server ticket (maprserverticket).
A ticket is an object that contains specific information about a user and a key. A ticket authenticates a user to the cluster. Tickets are encrypted to protect their contents. MapR supports the following types of tickets for authentication:
- MapR user tickets
- MapR service tickets
- MapR tenant tickets
- Kerberos tickets
The following table describes the types of tickets supported by MapR for users and services and whether each ticket can be used to impersonate another user. Only the cluster administrator can generate these tickets using the maprlogin utility, with the exception of the user ticket, which any valid user can generate with the same utility. You can place these types of tickets on both cluster and client nodes. These tickets support POSIX clients (FUSE-based and loopbacknfs) and HDFS APIs.
Ticket Type | Description | Impersonation support | Notes |
---|---|---|---|
user | For granting access to individual users. This type of ticket has a short duration. | N/A* | The UID of the ticket (implicit or explicit value of the -user parameter to the maprlogin command) is used as the identity of the entity using this ticket, except for the exceptions noted below for user root and user mapr. |
service | For accessing services running on client nodes. This type of ticket can have a long duration. | N/A* | The UID of the ticket (explicit value of the -user parameter to the maprlogin command) is used as the identity of the entity using this ticket, except for the exceptions noted below for user root and user mapr. |
servicewithimpersonation (not scoped) | For accessing services running on client nodes to run jobs on behalf of any user (except user mapr). This type of ticket can have a long duration. | Yes | The ticket cannot be used to impersonate user root or user mapr. |
servicewithimpersonation (scoped) | For accessing services running on client nodes to run jobs on behalf of the users (except user root and user mapr) specified in the ticket. This type of ticket can have a long duration. | Yes | At ticket generation time, you cannot specify the UID/GID of user root or user mapr to impersonate user root or user mapr respectively. |
* Exceptions for user/service tickets:
- User mapr can impersonate other users (including user root)
- User root can impersonate other users (excluding user mapr)
The maprlogin utility is independent from the identity of the user of the client OS.
MapR tickets contain the following information:
- UID (generated from the UNIX user ID)
- GIDs (group IDs for each group the user belongs to)
- ticket creation time
- ticket expiration time (initial duration of the ticket)
- renewal expiration time (maximum lifetime of the ticket)
- Whether the user can (true) or cannot (false) impersonate another user
Since a ticket contains the GIDs for a user at the time the ticket is generated, a user must re-generate their ticket after changing group memberships.
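As an added illustration (not MapR's code or ticket format), the following Python models the identity and impersonation rules from the table and its footnote together with the expiry fields listed above, and shows why a group change makes a ticket stale. The UID assumed for user mapr and the clock are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the fields the page lists for a ticket. A real MapR
# ticket is an encrypted object; this is neither its format nor MapR's code.
@dataclass
class Ticket:
    ticket_type: str        # "user", "service", "servicewithimpersonation"
    uid: int
    gids: list              # GIDs captured when the ticket was generated
    created: datetime
    expires: datetime       # ticket expiration time (initial duration)
    renewal_expires: datetime   # renewal expiration time (maximum lifetime)
    can_impersonate: bool
    scope_uids: Optional[list] = None   # None = not scoped

UID_ROOT = 0
UID_MAPR = 5000   # assumed UID for user mapr; cluster-specific
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock

def sample(ticket_type, uid, can_imp, scope=None, hours_valid=24):
    """Build a constructed ticket; a negative hours_valid yields an expired one."""
    return Ticket(ticket_type, uid, [100, 200], NOW - timedelta(hours=1),
                  NOW + timedelta(hours=hours_valid), NOW + timedelta(days=30),
                  can_imp, scope)

def effective_uid(t, now, requested=None):
    """Return (uid to act as, reason); uid is None when the request is denied."""
    if not (t.created <= now < t.expires and now < t.renewal_expires):
        return None, "ticket expired or past its maximum lifetime; regenerate it"
    if requested is None or requested == t.uid:
        return t.uid, "acting as ticket owner"
    if not t.can_impersonate:
        # user and service tickets: only the root/mapr exceptions apply
        if t.uid == UID_MAPR:
            return requested, "user mapr may impersonate any user"
        if t.uid == UID_ROOT and requested != UID_MAPR:
            return requested, "user root may impersonate any user except mapr"
        return None, f"{t.ticket_type} ticket does not permit impersonation"
    if requested in (UID_ROOT, UID_MAPR):
        return None, "impersonation tickets may not target root or mapr"
    if t.scope_uids is not None and requested not in t.scope_uids:
        return None, "requested UID is outside the ticket's scope"
    return requested, "impersonation permitted by ticket"

def needs_regeneration(t, current_gids):
    """GIDs are frozen at generation time; a group change makes the ticket stale."""
    return set(t.gids) != set(current_gids)
```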
Syntax and Examples of Creating and Managing User Tickets
For complete syntax, see The maprlogin Utility. For examples of creating and managing user tickets, see maprlogin Command Examples.