Managing Mirror Volumes in Secure Clusters

Describes how to secure the cluster mirror user and blacklist mirror users.

Verifying Security Between Clusters

For background on what a mirror volume is and how to use mirror volumes in general, see Working with Mirror Volumes.

The clusters that will serve as source and destination for the secured mirror need to establish a trust relationship. To begin, the source cluster's administrative user defines a user known as the cluster mirror user. The cluster mirror user needs a ticket in order to permit the mirror to pull data from the source volume.

To establish security for the cluster mirror user between the source and destination clusters:

  1. On any node in the source cluster, as the source cluster’s administrative user, generate a ticket for the cluster mirror user:
    maprlogin generateticket -type crosscluster -user mapr -out <path_to_ticket>
    See maprlogin Command Syntax for more information.
  2. Perform the following steps on all the CLDB nodes on the destination cluster.
    1. As the administrative user on the destination cluster, append the cross-cluster ticket file contents created in step 1 above to the destination cluster’s CLDB key store file at /opt/mapr/conf/maprserverticket, using the source cluster’s name as the key.
      Refer to Adding Cross-Cluster Tickets to Secure Clusters for more detailed steps.
    2. On every node with the CLDB or webserver roles on the destination cluster, add an entry for the source cluster and the source cluster’s CLDB nodes to the mapr-clusters.conf file.
      Warning: If you add entries for a webserver or CLDB in the mapr-clusters.conf file at a later date, the maprserverticket file may not be up to date.
    Note: Local mirror volumes do not require any additional configuration if the cluster already has wire-level security enabled.
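
A consistency check for step 2 on a destination CLDB node, added here as an example; it is not part of the MapR documentation or tooling, and the function names are hypothetical. It assumes that every line in the ticket file, the key store, and mapr-clusters.conf starts with the cluster name as its first whitespace-separated field, and that CLDB node entries in mapr-clusters.conf contain no "=" character.

```shell
# Added example. Assumption: each line of all three files begins with the
# cluster name as its first whitespace-separated field.
# Usage:
#   check_mirror_trust <source_cluster> <path_to_ticket> \
#       /opt/mapr/conf/maprserverticket <path_to_mapr-clusters.conf>

# Count lines in file $2 whose first field is the cluster name $1.
count_entries() {
    awk -v c="$1" '$1 == c { n++ } END { print n + 0 }' "$2"
}

# Prints one line per problem; succeeds only when none are found.
# The body runs in a subshell so its variables do not leak to the caller.
check_mirror_trust() (
    src=$1; ticket=$2; keystore=$3; conf=$4; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # The generated ticket must be keyed by the source cluster's name.
    [ "$(count_entries "$src" "$ticket")" -eq 1 ] ||
        fail "ticket file has no single entry for $src"

    # Exactly one key store entry: none means the ticket was never
    # appended, several mean an old ticket was left behind.
    n=$(count_entries "$src" "$keystore")
    [ "$n" -eq 1 ] || fail "key store has $n entries for $src"

    # The key store entry must be the ticket that was generated.
    t=$(awk -v c="$src" '$1 == c' "$ticket")
    k=$(awk -v c="$src" '$1 == c' "$keystore")
    [ -n "$t" ] && [ "$t" = "$k" ] ||
        fail "key store entry for $src differs from ticket file"

    # mapr-clusters.conf needs the source cluster plus at least one CLDB
    # node (a field after the name that is not a key=value option).
    awk -v c="$src" '$1 == c { for (i = 2; i <= NF; i++) if ($i !~ /=/) ok = 1 }
                     END { exit !ok }' "$conf" ||
        fail "no CLDB nodes listed for $src in $conf"

    [ "$problems" -eq 0 ]
)
```

Run it on each destination node that has the CLDB or webserver role after any later change to mapr-clusters.conf or the key store.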

Secure Mirror Volumes and Blacklisted Users

  1. To blacklist a mirror user on a secure cluster with mirror volumes, stop any existing mirroring operations.
    Blacklisting a user on the source cluster for the mirror volume fails when the mirroring is active.
  2. After blacklisting the user, remove the existing ticket for the blacklisted mirror user on both clusters, then reestablish the trust relationship between the two clusters as described in the previous section, Verifying Security Between Clusters.