Generating a Ticket for a Tenant

Explains what tenant tickets are and how to generate one.

About this task

Tenant tickets allow tenant users to access the tenant volume on the cluster if you have a multi-tenant environment on the file system. Generate the tenant ticket on the cluster, then copy it to the tenant hosts to grant tenant users access to provisioned storage.

Procedure

To generate a tenant ticket, run one of the following commands on the cluster:
maprlogin generateticket -type tenant -cluster <cluster_name> -user <tenant_admin_user> \
-duration <seconds> -out <ticket_file_path>.txt
NOTE
For more information, see the maprlogin command.
By default, the tenant ticket:
  • Is stored in /tmp and can only be read by that user. To change the default location, specify the path to the desired location with the -out parameter.
  • Has no expiration. To change the expiration time, specify a duration for the ticket, in seconds, with the -duration parameter of the command.
With tenant tickets, the values for CanImpersonate and tenant are always true. For example, if you run the maprlogin print command, the output should look similar to the following example.
Opening keyfile /user/clstrAdmin/tenant_user_ticket.txt
tenantHost: user = tenant_user, created = 'Mon Jul 11 07:14:53 UTC 2016', 
expires = 'Mon Jul 11 07:14:53 UTC 12016', RenewalTill = 'Mon Jul 11 07:14:53 UTC 12016', 
uid = 500, gids = 500, 42, CanImpersonate = true, tenant = true
To grant access to tenant users, the tenant ticket must be copied over to the tenant hosts.

What to do next

After generating the ticket:
  1. Reset the permissions on the ticket to grant the tenant admin read permissions on the ticket.
  2. Move the ticket out of the default /tmp directory to a secure location on one or more tenant hosts.
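
The following script is an added example, not part of the product documentation. It checks a ticket file against the points above: location outside /tmp, no group or other permission bits, and a bounded lifetime read from maprlogin print output. GNU stat, absolute ticket paths, the MAX_YEARS policy value, and the names audit_ticket, field_year, UNSAFE_DIR and SAMPLE_PRINT are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: audit a tenant ticket file on a tenant host.
# Assumptions (not from the page): GNU stat, absolute ticket paths, and the
# MAX_YEARS policy value. SAMPLE_PRINT is constructed from the page's output.
: "${UNSAFE_DIR:=/tmp}"   # default ticket location named on the page
: "${MAX_YEARS:=1}"       # hypothetical policy: longest acceptable lifetime

SAMPLE_PRINT="tenantHost: user = tenant_user, created = 'Mon Jul 11 07:14:53 UTC 2016',
expires = 'Mon Jul 11 07:14:53 UTC 12016', RenewalTill = 'Mon Jul 11 07:14:53 UTC 12016',
uid = 500, gids = 500, 42, CanImpersonate = true, tenant = true"

# Print the year of a quoted date field (created, expires) read from stdin.
field_year() {
  sed -n "s/.*$1 = '[^']* \([0-9][0-9]*\)'.*/\1/p" | head -n 1
}

# audit_ticket <ticket_file> <maprlogin print output>
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_ticket() {
  local file=$1 print_out=$2 findings=0 mode created expires years
  case $file in
    "$UNSAFE_DIR"/*) echo "location: $file is still under $UNSAFE_DIR"; findings=1 ;;
  esac
  mode=$(stat -c '%a' "$file") || return 2
  # Leading 0 makes the shell read the mode as octal; 077 = group and other bits.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "mode: $mode lets group or other users access the ticket"; findings=1
  fi
  created=$(printf '%s\n' "$print_out" | field_year created)
  expires=$(printf '%s\n' "$print_out" | field_year expires)
  if [ -n "$created" ] && [ -n "$expires" ]; then
    years=$(( expires - created ))
    if [ "$years" -gt "$MAX_YEARS" ]; then
      echo "expiry: valid for $years years; reissue with -duration"; findings=1
    fi
  fi
  return "$findings"
}

# Demo on a constructed, deliberately loose file: reports all three findings.
demo=$(mktemp "$UNSAFE_DIR/ticket.XXXXXX") && chmod 644 "$demo"
audit_ticket "$demo" "$SAMPLE_PRINT" || echo "ticket needs attention"
rm -f "$demo"
```

On a tenant host, pass the real ticket path and the text that maprlogin print shows for that ticket in place of the constructed sample.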