Tickets and Certificates

Describes how tickets and certificates authenticate users and servers to a cluster.

MapR implements security features that use tickets and certificates. Tickets contain keys, and are used to authenticate users and MapR servers. Certificates are used to implement SSL encryption and server authentication. Every user who wants to access a cluster must have a MapR user ticket (maprticket_<uid>) and every node in the cluster must have a MapR server ticket (maprserverticket).

A ticket is an object that contains specific information about a user and a key. A ticket authenticates a user to the cluster. Tickets are encrypted to protect their contents. MapR supports three types of tickets that can be used for authentication:

  • MapR user tickets
  • MapR service tickets
  • Kerberos tickets

The identity of the user that authenticates with the maprlogin utility is independent from the identity of the user of the client OS.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (initial duration of the ticket)
  • renewal expiration time (maximum lifetime of the ticket)

Note that, because a ticket contains the GIDs for a user at the time the ticket is generated, a user must re-generate their ticket after changing group memberships.

For complete syntax, see The maprlogin Utility.