Using the Ticketcreator Utility to Generate Secrets

To connect to a secure MapR storage cluster from a Spark CSpace pod, you must first generate and deploy a MapR ticket. To create the ticket:
  1. Run the following command to determine the name of the CSpace Terminal pod:
    kubectl get pods -n <cspace>
  2. Before users can log into the CSpace Terminal, the users must be created in the terminal pod. There are two options for creating these users. You can implement SSSD users or create users manually:
    • If your CSpace was configured to use SSSD and you have configured SSSD to point to your corporate directory, you do not need to create users in the CSpace Terminal manually. SSSD will create your user when the user logs in using ssh.
    • If you chose to use Raw Linux users, a CSpace Administrator must exec into the CSpace Terminal and create users. The administrator should first:
      kubectl exec -it pod cspaceterminal-<xxx>-<xxx> /bin/bash -n <cspace>
      In this example, cspace-terminal-<xxx>-<xxx> is the name of the CSpace Terminal pod. The CSpace admin will be the root user upon exec'ing into the pod.
  3. Next, the administrator should run the following commands for each CSpace user:
    useradd <user> -u <users id>
    echo "<default password>" | passwd -u <users id> <user>
    Important: The user's id must match the id used on the external MapR storage cluster. The CSpace admin should encourage users to change their passwords after ssh login.
  4. Run the following command to get the log from the cspaceterminal pod:
    kubectl logs -n <cspace> cspaceterminal-<xxx>-<xxx>
  5. Look at the end of the log. You should see instructions for creating an ssh session. There will be two options:
    • Option 1: If you can directly connect to the Kubernetes host running the CSpace Terminal pod, you may ssh directly to the pod's host machine:
      ssh <user>@<host machine> -p <sshPort specified in CSpace CR for CSpace Terminal>
    • Option 2: If you cannot directly connect to the host machine, you may use kubectl to proxy an ssh connection to the pod:
      kubectl port-forward -n <cspace> cspaceterminal-<xxx>-<xxx> <port on localhost>:<sshPort specified in CSpace CR for CSpace Terminal>
      ssh <user>@<host machine> -p <sshPort specified in CSpace CR for CSpace Terminal>
      Note: The port you specify for the local host must be greater than 1000.
  6. As a user other than root, run the ticketcreator utility. The utility is included in the CSpace Terminal pod of each compute space. For example:
    ticketcreator.sh
  7. When prompted, enter the following information:
    • The username and password of the user for whom to create the secret.
    • The name of the user secret.

      The default name is randomized for security. Kubernetes requires secrets to be in the same namespace as the applications that require their use. This means that secrets for multiple users will exist in the same CSpace if you create the CSpace with multiple users. As a security measure, MapR has disabled the ability for CSpace users to see secrets in the CSpace. Randomizing of the secret names makes it difficult for one user to guess another's secret name and use that secret for their Spark job. Copy the name of this secret to a secure location so that it can be used in future Spark jobs.

    • y (yes) or n (no) to specify whether to create a CSI PersistentVolumeClaim (PVC) and PersistentVolume (PV) for Spark secondary MapR Filesystem dependencies. If you enter y, enter a name for the PVC and PV. The names for the PVC and the PV are randomized.