Generating an Impersonation Ticket with Ticket Generation Privileges

Describes a ticket option that allows some ticket holders to generate tickets subject to their impersonation authority.

Cases exist where an arbitrary process started by another process needs a ticket for a particular user. Before release 7.0.0, such tickets could be created by users with cluster-level “Full Control” capability. For example, in release 6.2.0, we can give the fc privilege to user m7server1:
# maprcli acl set -type cluster -user root:login,ss,cv,a,fc,cp \ 
    mapr:login,ss,cv,a,fc,cp m7server1:login,fc 
# maprcli acl show -type cluster 
Allowed actions             Principal        
[login, ss, cv, a, fc, cp]  User root        
[login, ss, cv, a, fc, cp]  User mapr        
[login, ss, cv, fc]         User m7server1
With the fc privilege, the m7server1 user can create tickets for any user:
[m7server1@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user1 -type service -out m7user1ticket.out 
MapR credentials of user 'm7user1' for cluster 'fips1.cluster.com' are written to 'm7user1ticket.out' 
Although this meets the literal requirement, the “Full Control” capability is far too powerful, since the ability to create tickets is unrelated to cluster-level “Full Control” capability.
Release 7.0.0 enhanced the maprlogin generateticket command to allow the generation of a new type of ticket called servicewithimpersonationandticket:
# maprlogin generateticket 
The -user parameter is required. Specify the user name of the service identity. 
generateticket 
-type service|crosscluster|servicewithimpersonation|servicewithimpersonationandticket|tenant 
-user UNIX user name of service identity. 
[ -clusters comma seperated list of clusters OR 'all' for all clusters present in mapr-clusters.conf] 
[ -cluster mapr cluster name ] 
-out ticket location 
[ -duration [Days:]Hours:Minutes OR -duration Seconds.default: cluster's ticket duration setting ] 
[ -renewal [Days:]Hours:Minutes OR -duration Seconds.default: cluster's ticket duration setting ] 
[-ips comma separated list of ips on which ticket should be valid] 
[-impersonateduids comma separated list of uids for impersonation] 
[-impersonatedgids comma separated list of gids for impersonation] 
In addition to users with cluster-level “Full Control” capability being able to generate tickets, holders of tickets of the type servicewithimpersonationandticket can also generate tickets subject to their impersonation authority. Therefore, for users without cluster-level “Full Control” capability, ticket generation is allowed if the caller holds a ticket with CanImpersonate = true and CanGenerateTicket = true, and either of the following conditions is true:
  • The ticket is not a scoped impersonation ticket, that is, it carries no impersonatedUids or impersonatedGids references. Below is an example of how to generate an unscoped impersonation ticket with ticket-generation permission for user m7server2:
    # maprlogin generateticket -type servicewithimpersonationandticket \ 
          -user m7server2 -out m7server2ticket.out 
    MapR credentials of user 'm7server2' for cluster 'fips1.cluster.com' are written to 'm7server2ticket.out' 
    # maprlogin print -ticketfile m7server2ticket.out  
    Opening keyfile m7server2ticket.out 
    fips1.cluster.com: user = m7server2, created = 'Tue Jan 04 18:00:38 PST 2022', expires = 'Tue Jan 04 18:00:38 PST 12022', RenewalTill = 'Tue Jan 04 18:00:38 PST 12022', uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true 
  • If the ticket is a scoped impersonation ticket, the caller is allowed to generate a ticket for the target user if either of the following is true:
    • The target user UID is in the list of impersonated UIDs.
    • At least one group that the target user belongs to is in the list of impersonated GIDs.
Below is an example of how to generate a scoped impersonation ticket with ticket-generation permission for user m7user2:
# maprlogin generateticket -type servicewithimpersonationandticket -user m7server2 -out m7server2ticket-imp.out -impersonateduids 5001 -impersonatedgids 5003 
[root@m2-mapreng-vm166251 ~]# maprlogin print -ticketfile m7server2ticket-imp.out  
Opening keyfile m7server2ticket-imp.out 
fips1.cluster.com: user = m7server2, created = 'Thu Jan 06 00:15:47 PST 2022', expires = 'Thu Jan 06 00:15:47 PST 12022', RenewalTill = 'Thu Jan 06 00:15:47 PST 12022', uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true, impersonatedUids = 5001,, impersonatedGids = 5003, 
User m7server2 is allowed to generate tickets for user m7user1 (UID 5001, GID 5002) because its UID is within the list of impersonatedUids for this ticket:
[m7server2@m2-mapreng-vm166251 ~]$ export MAPR_TICKETFILE_LOCATION=/home/m7server2/m7server2ticket.out  
[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user1 -type service -out m7user1ticket.out 
MapR credentials of user 'm7user1' for cluster 'fips1.cluster.com' are written to 'm7user1ticket.out' 
User m7server2 is also allowed to generate tickets for user m7user2 (UID 5002, GID 5003) because the GID of m7user2 is within the list of impersonatedGids for this ticket:
[m7server2@m2-mapreng-vm166251 ~]$ export MAPR_TICKETFILE_LOCATION=/home/m7server2/m7server2ticket.out  
[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user2 -type service -out m7user2ticket.out 
MapR credentials of user 'm7user2' for cluster 'fips1.cluster.com' are written to 'm7user2ticket.out'  
User m7server2 is not allowed to generate tickets for user m7user3 (UID 5005, GID 5006), since neither the m7user3 UID (5005) is in the list of impersonatedUids for this ticket nor its GID (5006) is in the list of impersonatedGids:
[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket \ 
 -user m7user3 -type service -out m7user3ticket.out 
User m7server2 does not have permission to impersonate user m7user3(UID: 5005), and cannot generate ticket
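The following is an added example, not code or output from the product, that models the ticket-generation rules stated above: cluster-level fc always suffices; otherwise the caller's ticket must carry CanImpersonate and CanGenerateTicket, an unscoped ticket allows any target user, and a scoped ticket must name the target's UID or one of the target's GIDs. It includes a small parser for the one-line summary that `maprlogin print` writes, fed with the two ticket summaries printed on this page (joined onto single lines as constructed input). The function names `parse_ticket` and `may_generate_ticket`, and the `caller_has_full_control` flag (which assumes the caller's cluster ACL has been looked up separately), are assumptions of this example; the real authorization check is performed by the cluster, not by a client-side helper like this one.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Constructed sample input: the two ticket summaries printed by `maprlogin print`
# earlier on this page, each joined onto a single line.
UNSCOPED_TICKET_LINE = (
    "fips1.cluster.com: user = m7server2, created = 'Tue Jan 04 18:00:38 PST 2022', "
    "expires = 'Tue Jan 04 18:00:38 PST 12022', RenewalTill = 'Tue Jan 04 18:00:38 PST 12022', "
    "uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true"
)
SCOPED_TICKET_LINE = (
    "fips1.cluster.com: user = m7server2, created = 'Thu Jan 06 00:15:47 PST 2022', "
    "expires = 'Thu Jan 06 00:15:47 PST 12022', RenewalTill = 'Thu Jan 06 00:15:47 PST 12022', "
    "uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true, "
    "impersonatedUids = 5001,, impersonatedGids = 5003,"
)

# One "key = value" field: the value is a quoted date, a comma-terminated ID list, or a bare word.
FIELD_RE = re.compile(r"(\w+)\s*=\s*('[^']*'|[0-9,]+|\w+)")


@dataclass(frozen=True)
class Ticket:
    user: str
    uid: int
    gids: FrozenSet[int]
    can_impersonate: bool
    can_generate_ticket: bool
    impersonated_uids: FrozenSet[int]
    impersonated_gids: FrozenSet[int]

    @property
    def is_scoped(self) -> bool:
        # A scoped ticket carries at least one impersonatedUids/impersonatedGids reference.
        return bool(self.impersonated_uids or self.impersonated_gids)


def _id_set(value: str) -> FrozenSet[int]:
    # "5001,," and "5003," become {5001} and {5003}; empty parts from trailing commas are dropped.
    return frozenset(int(part) for part in value.split(",") if part)


def parse_ticket(line: str) -> Ticket:
    """Parse the one-line summary that `maprlogin print` writes for a ticket (hypothetical helper)."""
    fields = dict(FIELD_RE.findall(line))
    return Ticket(
        user=fields["user"],
        uid=int(fields["uid"].strip(",")),
        gids=_id_set(fields.get("gids", "")),
        can_impersonate=fields.get("CanImpersonate", "false") == "true",
        can_generate_ticket=fields.get("CanGenerateTicket", "false") == "true",
        impersonated_uids=_id_set(fields.get("impersonatedUids", "")),
        impersonated_gids=_id_set(fields.get("impersonatedGids", "")),
    )


def may_generate_ticket(
    ticket: Optional[Ticket],
    target_uid: int,
    target_gids: Iterable[int],
    caller_has_full_control: bool = False,
) -> Tuple[bool, str]:
    """Decide whether the caller may generate a ticket for the target user (model of the rules above)."""
    if caller_has_full_control:
        # Cluster-level "Full Control" (fc) has always been sufficient.
        return True, "caller holds cluster-level Full Control (fc)"
    if ticket is None:
        return False, "caller holds no ticket"
    if not (ticket.can_impersonate and ticket.can_generate_ticket):
        return False, "ticket lacks CanImpersonate and/or CanGenerateTicket"
    if not ticket.is_scoped:
        return True, "unscoped impersonation ticket: any target user is allowed"
    if target_uid in ticket.impersonated_uids:
        return True, f"target UID {target_uid} is in impersonatedUids"
    matching_gids = ticket.impersonated_gids & frozenset(target_gids)
    if matching_gids:
        return True, f"target GID(s) {sorted(matching_gids)} in impersonatedGids"
    return False, (
        f"User {ticket.user} does not have permission to impersonate "
        f"user (UID: {target_uid}), and cannot generate ticket"
    )


if __name__ == "__main__":
    scoped = parse_ticket(SCOPED_TICKET_LINE)
    # The three target users from the examples on this page.
    for name, uid, gids in (("m7user1", 5001, [5002]), ("m7user2", 5002, [5003]), ("m7user3", 5005, [5006])):
        allowed, reason = may_generate_ticket(scoped, uid, gids)
        print(f"{name}: {'allowed' if allowed else 'denied'} ({reason})")
```

Run against the scoped ticket from this page, the helper allows m7user1 (UID match), allows m7user2 (GID match) and denies m7user3, reproducing the three outcomes shown above; the same target users are all allowed with the unscoped ticket, and all denied if the ticket lacks CanGenerateTicket. When auditing which service identities can mint tickets for whom, the scoped form is the one to prefer, since an unscoped servicewithimpersonationandticket ticket is equivalent to ticket generation for every user.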