Managing Tickets

Introduces authenticate using tickets for users and MapR servers.

MapR implements authentication with tickets. Tickets contain keys, and are used to authenticate users and MapR servers. In addition, certificates are used to implement server authentication. Every user who wants to access a cluster must have a MapR user ticket (maprticket_<uid>) and every node in the cluster must have a MapR server ticket (maprserverticket).

A ticket is an object that contains specific information about a user and a key. A ticket authenticates a user to the cluster. Tickets are encrypted to protect their contents. The following table describes the tickets used by MapR for internal cluster operations, the user who can generate the ticket, and the command used to generate the ticket. This type of ticket should only be placed on cluster nodes.

Ticket Type Description Permissions/Command to Generate Ticket
maprserver For (internal) cluster operations. This type of ticket can be long lasting. user root using the configure.sh utility
crosscluster For (internal) cross-cluster operations such as mirroring and replication. This type of ticket can be long lasting. user mapr using the maprlogin utility. The UID of the ticket (mapr) is always used as the identity of the entity using this ticket.

The following table describes the type of tickets supported by MapR for users and services and whether the ticket can be used to impersonate another user. All these tickets, except the user ticket, can only be generated by the cluster administrator using the maprlogin utility; the user ticket can be generated by any valid using using the maprlogin utility. These type of tickets can be placed on both cluster and client nodes and support (FUSE-based and loopbacknfs) POSIX clients and HDFS APIs.

Ticket Type Description Impersonation support Notes
user For granting access to individual users. This type of ticket has a short duration. N/A* The UID of the ticket (implicit or explicit value of the -user parameter to maprlogin command) is used as the identity of the entity using this ticket, except for the exceptions noted here for user root and user mapr.
service For accessing services running on client nodes. This type of ticket can have long duration. N/A* The UID of the ticket (explicit value of the -user parameter to maprlogin command) is used as the identity of the entity using this ticket, except for the exceptions noted here for user root and user mapr.
servicewithimpersonation (not scoped) For accessing services running on client nodes to run jobs on behalf of any user (except user mapr). This type of ticket can have long duration. Yes The ticket cannot be used to impersonate user root or user mapr.
servicewithimpersonation (scoped) For accessing services running on client nodes to run jobs on behalf of the users (except user root and user mapr) specified in the ticket. This type of ticket can have long duration. Yes At ticket generation time, cannot specify UID/GID of user root or user mapr to impersonate user root or user mapr respectively.
tenant For tenant user(s) to access tenant volume(s) in a multi-tenant environment. This type of ticket can have long duration. Yes The ticket can be used to impersonate user root but cannot be used to impersonate user mapr.
* Exceptions:
  • User mapr can impersonate other users (including user root)
  • User root can impersonate other users (excluding user mapr)
Important: The identity of the user that authenticates with the maprlogin utility is independent from the identity of the user of the client OS.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (initial duration of the ticket)
  • renewal expiration time (maximum lifetime of the ticket)
  • Whether user can (true) or cannot (false) impersonate another user

Note that, because a ticket contains the GIDs for a user at the time the ticket is generated, a user must re-generate their ticket after changing group memberships.

For complete syntax, see The maprlogin Utility.