Mirror Volumes and Secure Clusters

Describes how to configure security for  the source and destination clusters of a mirror.

Verifying Security Between Clusters

Warning: Secure Mirroring is only supported in release 3.1.1 and later of the MapR Converged Data Platform.

For background on what a mirror volume is and how to use mirror volumes in general, see Working with Mirror Volumes.

The clusters that will serve as source and destination for the secured mirror need to establish a trust relationship. To begin, the source cluster's administrative user defines a user known as the cluster mirror user. The cluster mirror user needs a ticket in order to permit the mirror to pull data from the source volume.

To establish security for the cluster mirror user between the source and destination clusters, perform these steps from any node in the source cluster:

  1. Merge the ssl_truststore files so you can manage all the source clusters from a single destination cluster and generate a cross-cluster ticket. See Running Commands on Remote Secure Clusters from a Single Secure Cluster.
  2. As the source cluster’s administrative user, generate a ticket for the cluster mirror user:
    # maprcli security getmaprclusterticket -clusterusername <user-name> 
        -inmaprserverticketfile </opt/mapr/conf/maprserverticket>
        -ticketfile </opt/mapr/conf/maprclusterticket>
    Note: This ticket does not expire, unlike standard user tickets on secure MapR clusters.
    As an alternative, the destination cluster's administrative user can generate a cross-cluster ticket for the cluster mirror user using the maprlogin utility as shown:
    maprlogin generateticket -type crosscluster -clusteruser <cluster_mirror_user> 
    -duration <initial_ticket_lifetime> 
    -renewal <maximum_ticket_lifetime> -out <path_to_ticket>
  3. As the administrative user on the destination cluster, append the cross-cluster ticket file to the destination cluster’s CLDB key store file at /opt/mapr/conf/maprserverticket, using the source cluster’s name as the key. Perform this operation on all CLDB nodes on the destination cluster.
  4. On every node with the CLDB or webserver roles on the destination cluster, add an entry for the source cluster and the source cluster’s CLDB nodes to the mapr-clusters.conf file.
    Once the two clusters establish mutual trust, you can generate remote mirror volumes as normal.
    Note: Local mirror volumes do not require any additional configuration if the cluster already has security features enabled.

Secure Mirror Volumes and Blacklisted Users

  1. To blacklist a mirror user on a secure cluster with mirror volumes, stop any existing mirroring operations.
    Blacklisting a user on the source cluster for the mirror volume fails when the mirroring is active.
  2. After blacklisting the user, remove the existing ticket for the blacklisted mirror user on both clusters, then reestablish the trust relationship between the two clusters as described in the previous section, Verifying Security Between Clusters.