Authentication in MapR

Describes robust MapR authentication that prevents third parties from representing themselves as legitimate users.

Authentication ensures that the identity of the end user or system is reliably established in a network-safe way. The core component of user authentication in MapR is the ticket. A ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. You can use tickets to establish sessions between a user and the cluster.

Types of Authentication in MapR

MapR supports two methods of authenticating a user and generating a ticket: a username-password pair and Kerberos. Both of these methods are mediated by the maprlogin utility. When you authenticate with a username-password pair, the system verifies your credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (by default, 14 days)
  • renewal expiration time (by default, 30 days from the date of ticket creation)

A MapR ticket determines the user's identity, and the system uses the ticket as the basis for authorization. A MapR cluster with security features enabled does not rely on the client-side operating system identity.
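
The following is an added illustration, not MapR code: a small model of the ticket fields listed above, showing how the two lifetimes interact and why authorization keys off the ticket rather than a client-supplied identity. The class and function names and the renewal rule (renewal only before expiry, new expiry capped at the renewal expiration time) are assumptions; the 14-day and 30-day values are the defaults stated above.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

TICKET_LIFETIME = timedelta(days=14)  # default ticket expiration (from the page)
RENEWAL_WINDOW = timedelta(days=30)   # default renewal limit, counted from creation


@dataclass(frozen=True)
class Ticket:  # hypothetical model of the fields a ticket carries
    uid: int
    gids: tuple
    created: datetime
    expires: datetime
    renew_until: datetime


def issue(uid, gids, now):
    """Build a ticket with the default lifetimes."""
    return Ticket(uid, tuple(gids), now, now + TICKET_LIFETIME, now + RENEWAL_WINDOW)


def is_valid(ticket, now):
    return ticket.created <= now < ticket.expires


def renew(ticket, now):
    """Assumed rule: only an unexpired ticket can be renewed, and the new
    expiry never passes the renewal expiration fixed at creation."""
    if not is_valid(ticket, now):
        raise ValueError("ticket expired; authenticate again")
    return replace(ticket, expires=min(now + TICKET_LIFETIME, ticket.renew_until))


def authorize(ticket, now, client_claimed_uid, allowed_uids):
    """Identity comes from the ticket; client_claimed_uid is deliberately
    ignored, mirroring a secure cluster that does not trust the client OS."""
    return is_valid(ticket, now) and ticket.uid in allowed_uids


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    t = issue(5001, [5001, 100], t0)
    t = renew(t, t0 + timedelta(days=20))
    print("expires:", t.expires, "renewal limit:", t.renew_until)
    print("claimed uid 0 accepted:", authorize(t, t0 + timedelta(days=21), 0, {0}))
```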

The Security Architecture section discusses the implementation details of these authentication methods.