maprlogin Command Syntax

Describes the arguments and options for the maprlogin command line tool.

The /opt/mapr/bin/maprlogin command line tool enables users to log into secure MapR clusters. Users authenticate themselves to the cluster with a maprticket that can be generated in the following ways:

  • Run maprlogin password to authenticate with username and password.
  • Run maprlogin generateticket to request a service or cross-cluster ticket for use by an external application or user account (based on the current user's ticket).
  • Run maprlogin kerberos after generating a Kerberos ticket with the kinit command.

For more details about different ways to generate tickets, see Tickets.

Argument or Option

Description

Default

authtest

Simulates runtime behavior during authentication.

N/A

-cluster

Name of the cluster to log into.

First cluster name in the /opt/mapr/conf/mapr-clusters.conf file.

-duration

Length of time before the ticket expires, specified in one of the following formats:

-duration [Days:]Hours:Minutes

-duration Seconds

Password-generated tickets are bounded by the CLDB duration and renewal properties that are set for the cluster:

  • cldb.security.user.ticket.duration.seconds (default=1209600) is used if duration is not specified while generating the ticket.
  • cldb.security.user.ticket.max.duration.seconds (default=2592000) is the maximum duration allowed for a ticket.

For password-generated tickets, if -duration is not set with the maprlogin command, the CLDB duration property is used by default.

See config.

Note: The service, servicewithimpersonation, and crosscluster tickets may have a very long lifetime; their duration is not bounded by these properties. For service and crosscluster tickets, the default value is LIFETIME.

  • 1209600 seconds (14 days) for user tickets
  • LIFETIME for service and cross-cluster tickets

generateticket

Generates a service ticket for another user or application. The user who runs the maprlogin command with this option must already have a user ticket and must have fc (full control) ACL authorization on the cluster. See acl set.

N/A

kerberos

Indicates the presence of a Kerberos ticket.

N/A

-out

A safe directory location where the ticket will be stored. Can be used with generateticket, password, and renew commands.

You must specify a location when generating service tickets. (This requirement ensures that other tickets are not overwritten.)

/tmp/maprticket_<uid>

(default applies to non-service tickets only)

password

The user's UNIX password.

N/A

print

Prints a ticket of any type. The output includes the cluster name, the user ID, the date when the ticket was created, the ticket expiration date, and whether the user can impersonate other users. In service tickets, the value of CanImpersonate is true if impersonation is enabled for the user and false if impersonation is disabled for the user. In the regular cluster ticket for the user, the value of CanImpersonate is always false.

N/A

renew

Renews the ticket, given a duration that does not cause the ticket to exceed its maximum lifetime. The original -renewal value for the ticket determines its maximum lifetime.

N/A

-renewal

Total lifetime of the ticket, specified in one of the following formats:

-renewal [Days:]Hours:Minutes

-renewal Seconds

If -renewal is not set with the maprlogin command, the CLDB renewal property (cldb.security.user.ticket.renew.duration.seconds) is used by default. You can also set the cldb.security.user.ticket.renew.max.duration.seconds property, which is the maximum duration (7776000, by default) allowed for a ticket renewal.

Note: Service and crosscluster tickets are not bounded by these properties.

For example, assume that the maprlogin command passes the following options for a service ticket:

-duration 30:0:0 -renewal 90:0:0

The ticket will expire after 30 days unless it is renewed. If a maprlogin renew command is submitted for the ticket before the initial 30 days pass, the ticket's lifetime may be extended up to a total maximum lifetime of 90 days. Tickets do not renew automatically; administrators must renew them with the maprlogin renew command, specifying a valid renewal period, and they must do this before the duration period ends. The renewal period must be less than or equal to the remaining amount of time allowed on the ticket.

Using the same example, if you renew a ticket on the 29th day of its life, you can renew it for up to 61 days. You can renew a ticket incrementally, for some number of days at a time, as long as you do not exceed the original renewal value.

2592000 seconds (30 days)

-ticketfile

Optional with print and renew commands. Specifies the path to the ticket file, if different from the default. If this is not specified, the command looks for the ticket file (maprticket_<uid>) in the default location, which is /tmp on Linux and %TEMP% on Windows systems, or in the location specified by the environment variable $MAPR_TICKETFILE_LOCATION.

  • Linux: /tmp
  • Windows: %TEMP%

-type

Required ticket type for the generateticket command; value must be service, servicewithimpersonation, or crosscluster:

  • service is used to generate service tickets for regular cluster operations.
  • servicewithimpersonation is used to generate tickets for regular cluster operations that also allow the user to impersonate other users (except the mapr user).
  • crosscluster is used to generate tickets for inter-cluster operations, such as remote mirroring. The crosscluster option only works with the mapr user.

No default; -type must be set in the maprlogin generateticket command.

-user

UNIX user name on the MapR cluster.

For crosscluster tickets, the user must be mapr.

root
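
The -duration and -renewal arithmetic from the -renewal example above, worked in shell as an added example (not part of the MapR documentation or the maprlogin tool). The helper names dec, spec_to_seconds, renew_limit and renew_ok are hypothetical, and renew_ok models only the first renewal of a ticket.

```shell
# Added example: lifetime arithmetic for maprlogin -duration / -renewal specs.
# Function names are hypothetical helpers, not part of maprlogin.

dec() {  # drop leading zeros so $(( )) does not read "08" as octal
    d=$1
    while [ "${#d}" -gt 1 ] && [ "${d#0}" != "$d" ]; do d=${d#0}; done
    echo "$d"
}

# Print "[Days:]Hours:Minutes" or plain "Seconds" as seconds; 1 if malformed.
spec_to_seconds() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*::*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    case $# in
        1) dec "$1" ;;
        2) echo $(( $(dec "$1") * 3600 + $(dec "$2") * 60 )) ;;
        3) echo $(( $(dec "$1") * 86400 + $(dec "$2") * 3600 + $(dec "$3") * 60 )) ;;
        *) return 1 ;;
    esac
}

# Longest renewal still allowed: original -renewal total minus ticket age.
renew_limit() {   # usage: renew_limit RENEWAL_SPEC AGE_SPEC
    total=$(spec_to_seconds "$1") || return 1
    age=$(spec_to_seconds "$2") || return 1
    if [ "$age" -ge "$total" ]; then echo 0; else echo $(( total - age )); fi
}

# First renewal only: succeeds when the ticket is still inside its -duration
# window and the requested period fits in the remaining lifetime.
renew_ok() {      # usage: renew_ok DURATION RENEWAL AGE REQUEST
    dur=$(spec_to_seconds "$1") || return 2
    age=$(spec_to_seconds "$3") || return 2
    req=$(spec_to_seconds "$4") || return 2
    limit=$(renew_limit "$2" "$3") || return 2
    [ "$age" -lt "$dur" ] && [ "$req" -le "$limit" ]
}

# Page example: -duration 30:0:0 -renewal 90:0:0, renewal requested on day 29.
renew_limit 90:0:0 29:0:0    # seconds, equal to 61 days
```

Running the same check before issuing maprlogin renew shows whether a requested period would exceed the original -renewal value or arrive after the -duration window has closed.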