Authentication in MapR

Robust MapR authentication prevents third parties from representing themselves as legitimate users.

Authentication ensures that the identity of the end user or system (called the principal) is established reliably and in a network-safe way. The core component of user authentication in MapR is the ticket. A ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. Tickets are used to establish sessions between a user and the cluster.

MapR supports two methods of authenticating a user and generating a ticket: a username/password pair and Kerberos. Both methods are mediated by the maprlogin utility. When you authenticate with a username/password pair, the system verifies the credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (by default, 14 days)
  • renewal expiration time (by default, 30 days from date of ticket creation)

A MapR ticket determines the user's identity and the system uses the ticket as the basis for authorization decisions. A MapR cluster with security features enabled does not rely on the client-side operating system identity.
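The following Python model illustrates how the ticket fields listed above interact over a ticket's lifetime, and how an authorization decision consumes the ticket rather than the client's operating-system identity. It is an added example, not MapR code: a real MapR ticket is an opaque, encrypted object, and this plain dataclass only mirrors the fields the page names (UID, GIDs, creation time, expiration time, renewal expiration time) with the page's default lifetimes of 14 and 30 days. The renewal semantics (a ticket can be renewed only while its renewal window is still open, and never past the renewal expiration time) and all sample values are assumptions made for the illustration.

```python
"""Illustrative model of MapR ticket lifetime and ticket-based authorization.

Added example, not MapR code. Field names and renewal semantics are
assumptions that mirror the page's description of a ticket.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable

# Defaults quoted on the page: tickets expire after 14 days and can be
# renewed for up to 30 days from the creation time.
DEFAULT_TICKET_LIFETIME = timedelta(days=14)
DEFAULT_RENEWAL_LIFETIME = timedelta(days=30)

# Constructed reference instant used by the demo below (not a real value).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    """Convenience helper for expressing offsets from T0."""
    return timedelta(days=n)


@dataclass(frozen=True)
class TicketModel:
    """Plain-data stand-in for the fields the page lists in a MapR ticket."""
    uid: int                     # generated from the UNIX user ID
    gids: FrozenSet[int]         # every group the user belongs to
    created: datetime            # ticket creation time
    expires: datetime            # ticket expiration time
    renewal_expires: datetime    # last instant at which renewal is possible


def issue_ticket(uid: int, gids: Iterable[int], now: datetime,
                 lifetime: timedelta = DEFAULT_TICKET_LIFETIME,
                 renewal: timedelta = DEFAULT_RENEWAL_LIFETIME) -> TicketModel:
    """Model what maprlogin produces after PAM or Kerberos has succeeded."""
    return TicketModel(uid, frozenset(gids), now, now + lifetime, now + renewal)


def is_valid(ticket: TicketModel, now: datetime) -> bool:
    """A ticket authenticates a session only between creation and expiration."""
    return ticket.created <= now < ticket.expires


def can_renew(ticket: TicketModel, now: datetime) -> bool:
    """Assumption: renewal stays possible until the renewal expiration time,
    even if the ticket itself has already expired."""
    return now < ticket.renewal_expires


def renew(ticket: TicketModel, now: datetime,
          lifetime: timedelta = DEFAULT_TICKET_LIFETIME) -> TicketModel:
    """Extend the ticket, but never beyond its renewal expiration time.
    Once the renewal window has closed the user must authenticate again."""
    if not can_renew(ticket, now):
        raise PermissionError("renewal window closed; re-authenticate with maprlogin")
    new_expiry = min(now + lifetime, ticket.renewal_expires)
    return replace(ticket, expires=new_expiry)


def authorize(ticket: TicketModel, now: datetime,
              owner_uid: int, owner_gid: int) -> bool:
    """Decide access from the ticket alone.

    The identity used here is the UID and GIDs carried inside the ticket;
    nothing about the calling process (os.getuid(), os.getgroups()) is
    consulted, which is the page's point that a secure cluster does not
    rely on the client-side operating-system identity.
    """
    if not is_valid(ticket, now):
        return False
    return ticket.uid == owner_uid or owner_gid in ticket.gids


if __name__ == "__main__":
    # Constructed sample principal: uid 1000, member of groups 1000 and 2000.
    ticket = issue_ticket(1000, [1000, 2000], T0)
    print("valid on day 13:", is_valid(ticket, T0 + days(13)))      # True
    print("valid on day 14:", is_valid(ticket, T0 + days(14)))      # False
    renewed = renew(ticket, T0 + days(20))
    print("renewed expiry:", renewed.expires)                        # capped at day 30
    print("group access:", authorize(ticket, T0, 7, 2000))           # True via GID
```

Running the module shows the two windows separately: the ticket stops authenticating on day 14 but can still be renewed on day 20, and the renewal is clipped to the day-30 renewal expiration rather than extended a full 14 days.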

The Security Architecture section discusses the implementation details of these authentication methods.