Authentication in MapR

Describes types of authentication available with the MapR Data Platform and how to manage user authentication with the maprlogin utility.

Authentication ensures who you are and who you claim you are in identifying the end user to the system. MapR authentication supports standard Basic Authentication and SPNEGO authentication for web-based interfaces and supports MapR tickets for many of the core system component non-web-based interfaces. A ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. You can use tickets to establish sessions between a user and the cluster.

Types of Authentication in MapR

MapR supports two methods of authenticating a user and generating a ticket: a username-password pair and Kerberos. Both of these methods are mediated by the maprlogin utility. When you authenticate with a username-password pair, the system verifies your credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (by default, 14 days)
  • renewal expiration time (by default, 30 days from the date of ticket creation)

A MapR ticket determines the user's identity and the system uses the ticket as the basis for authorization. A MapR cluster with security features enabled does not rely on the client-side operating system identity.

The maprlogin Utility for Generating Tickets

The maprlogin utility supports user authentication with either username and password or Kerberos to generate a unique session token called a ticket. The following diagram outlines the process flow:



MapR tickets are either implicitly or explicitly generated. On clusters that use Kerberos for authentication, a user that runs a MapR command without first using the maprlogin utility implicitly obtains a MapR ticket. During usage, the client runtime process first checks for a valid user ticket, and uses that ticket if it exists. If a ticket does not exist, the runtime process checks if Kerberos is enabled for the cluster and then checks for an existing valid Kerberos identity. When a valid Kerberos identity is found, the client implicitly generates a ticket for that Kerberos identity.

When you explicitly generate a ticket, you can authenticate either with your username and password or with Kerberos:

  1. The user on the client machine invokes the maprlogin utility, which connects to a CLDB node in the cluster using HTTPS. The host name for the CLDB node is specified in the mapr-clusters.conf file.
    • For username-password authentication, the node authenticates using PAM modules with the Java Authentication and Authorization Service (JAAS).

      The JAAS configuration is specified in the mapr.login.conf file. The system can use any registry that has a PAM module available.

    • For Kerberos authentication, the CLDB node verifies the Kerberos principal with the keytab file.
  2. After authenticating, the CLDB node uses the standard UNIX APIs getpwnam_r and getgrouplist, which are controlled by the /etc/nsswitch.conf file, to determine the user's user IDs and group IDs.
  3. The CLDB node generates a ticket and returns it to the client machine, completing the login communication between the client and the CLDB.
  4. After login, the MapR server validates that the ticket is properly encrypted, to verify that the ticket was issued by the cluster's CLDB.
  5. The server also verifies that the ticket has not expired or been blacklisted.
  6. The server checks the ticket for a privileged identity such as the mapr user.

    Privileged identities have impersonation functionality enabled.

  7. The ticket's user and group information are used for authorization to the cluster, unless impersonation is in effect.