maprlogin Command Examples

Describes common scenarios associated with maprlogin usage.

Generating and Displaying User Ticket

Generate a user ticket:

$ maprlogin password
[Password for user 'juser' at cluster 'my.cluster.com': ] 
MapR credentials of user 'juser' for cluster 'my.cluster.com' 
are written to '/tmp/maprticket_1000'
Display the ticket for the current user. Sample output is shown below.
$ maprlogin print
Opening keyfile /tmp/maprticket_1000
my.cluster.com: user = juser, 
created = 'Mon Sep 17 08:30:26 PDT 2018', expires = 'Mon Oct 01 08:30:26 PDT 2018', 
RenewalTill = 'Wed Oct 17 08:30:26 PDT 2018', uid = 20001, gids = 54261, 
CanImpersonate = false 

Generating and Displaying mapr User Ticket

Generate a ticket for the mapr user:

# su mapr
$ maprlogin password
[Password for user 'mapr' at cluster 'test.cluster.com': ] 
MapR credentials of user 'mapr' for cluster 'test.cluster.com' 
are written to '/tmp/maprticket_5000'
Display the ticket for the current user. Sample output is as follows.
$ maprlogin print
Opening keyfile /tmp/maprticket_5000
test.cluster.com: user = mapr, created = 'Mon Sep 17 09:18:19 PDT 2018', 
expires = 'Mon Oct 01 09:18:19 PDT 2018', RenewalTill = 'Wed Oct 17 09:18:19 PDT 2018', 
uid = 5000, gids = 5000, 0, 5001, CanImpersonate = true

Generating and Displaying Service Ticket

Generate a service ticket, longlived_ticket, in /tmp for maprUser1:

$ maprlogin generateticket -type service -out /tmp/longlived_ticket 
-duration 30:0:0 -renewal 90:0:0 -user maprUser1
MapR credentials of user 'maprUser1' for cluster 'JSKCluster129_secure' 
are written to '/tmp/longlived_ticket'

Display the service ticket in a specified location:

$ maprlogin print -ticketfile /tmp/ticketwithduration
Opening keyfile /tmp/ticketwithduration
JSKCluster129_secure: user = maprUser1, 
created = 'Tue Jun 14 11:12:01 PDT 2017', expires = 'Thu Jul 14 11:12:01 PDT 2017', 
RenewalTill = 'Mon Sep 12 11:12:01 PDT 2017', 
uid = 0, gids = 0, CanImpersonate = false

Generating and Printing Service with Impersonation Ticket

Generate a service with impersonation ticket (in /var/tmp) for maprUser1:

$ maprlogin generateticket -type servicewithimpersonation -user maprUser1 
-out /var/tmp/impersonationTicketMapRuser1

After generating the ticket, ensure that maprUser1 has read permissions on the ticket. If you move the ticketfile to a different location, set the $MAPR_TICKETFILE_LOCATION environment variable.

Display the service with impersonation ticket in the specified location:

$ maprlogin print -ticketfile /var/tmp/impersonationTicketMaprUser1
Opening keyfile /var/tmp/impersonationTicketMaprUser1
JSKCluster129_secure: user = maprUser1, 
created = 'Mon Apr 18 13:46:38 PDT 2017', expires = 'Mon May 02 13:46:38 PDT 2017', 
RenewalTill = 'Wed May 18 13:46:38 PDT 2017', 
uid = 501, gids = 502, CanImpersonate = true
To allow a user to impersonate only specific users and/or groups, use the impersonateduids and/or impersonatedgids options with the maprlogin command. For example:
$ maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/impersonation_ticket -duration 30:0:0 -impersonateduids 1002,1003 -impersonatedgids 1005,1006 -renewal 90:0:0
The command generates a service with impersonation ticket. The ticket holder can impersonate users whose UIDs are 1002 and 1003, and users in the groups with GIDs 1005 and 1006. The ticket expires after 30 days and is stored in /var/tmp/impersonation_ticket. The ticket may be renewed at any time within 30 days and can be extended up to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically when it expires.

Generating a Tenant Ticket that is Valid for Specific IPs

Generate a tenant ticket (in /tmp) for user test that is valid for specific IPs:

$ maprlogin generateticket -type tenant -out /tmp/ticketip -ips 10.9.0.1,10.9.0.2 -user test
MapR credentials of user 'test' for cluster 'my.cluster.com' are written to '/tmp/ticketip'  
NOTE
The -ips argument is only valid for the tenant ticket type.

Display the generated tenant ticket:

$ maprlogin print -ticketfile /tmp/ticketip
Opening keyfile /tmp/ticketip
my.cluster.com: user = test, created = 'Tue Aug 25 00:34:14 PDT 2020', expires = 'Tue Aug 25 00:34:14 
PDT 12020', RenewalTill = 'Tue Aug 25 00:34:14 PDT 12020', uid = 5001, gids = 7001, 
CanImpersonate = true, isExternal = true, ips = 10.9.0.1,10.9.0.2,, IsTenant = true

Generating and Displaying Cross-Cluster Ticket

Generate a cross-cluster ticket (in /tmp) for maprUser1:

$ maprlogin generateticket -type crosscluster -out /tmp/crossclusterTicket -user maprUser1
MapR credentials of user 'maprUser1' for cluster 'JSKCluster128_secure' 
are written to '/tmp/crossclusterTicket'

Display the contents of a cross-cluster ticket in the specified location:

$ maprlogin print -ticketfile /tmp/crossclusterTicket
Opening keyfile /tmp/crossclusterTicket
ClusterSecure: user = root, 
created = 'Fri May 27 14:29:40 PDT 2017', expires = 'Fri May 27 14:29:40 PDT 12017', 
RenewalTill = 'Fri May 27 14:29:40 PDT 12017', 
uid = 0, gids = 0, CanImpersonate = false

Running an Authentication Test

authtest: This troubleshooting option simulates the behavior of the runtime during authentication, going through the authentication flow.

Options: [ -cluster ] Specifies the name of the cluster.

Ending a Session Before the Ticket Expires

end or logout: Destroys tickets and logs out.

Options: [ -cluster ] Specifies the name of the cluster. By default, deletes all tickets for all clusters.

Renewing a Ticket Before It Expires

renew: Renews an existing ticket for a specified time period.

Options:
  • [ -cluster ] - Specifies the name of the cluster.
  • [ -duration ] - Specifies the ticket duration.

The duration you specify must be valid for the ticket in question, given the original -renewal value for the ticket and the life of the ticket when the renew command is run:

  • You cannot renew a ticket that has already expired.
  • You can renew the same ticket multiple times.
  • The renewal period (or periods) cannot exceed the available time left for the ticket.

For example, assume that a ticket is created with a duration of 10 days and a renewal of 30 days:

maprlogin password -duration 10:0:0 -renewal 30:0:0
  • On the 11th day, the ticket expires and cannot be renewed at all.
  • On the 9th day, you can renew the ticket for any number of days up to a maximum of 21.
  • On the 23rd day, you can renew the ticket for any number of days up to a maximum of 7.

Example: Renew a ticket and display the renewed ticket in the specified location:

$ maprlogin renew -out /tmp/RenewedsecureClusterTicket 
-ticketfile /tmp/secureClusterTicket -duration 1:0:0

$ maprlogin print -ticketfile /tmp/RenewedsecureClusterTicket
Opening keyfile /tmp/RenewedsecureClusterTicket
JSKCluster129_secure: user = root, 
created = 'Tue Jun 07 11:53:29 PDT 2017', 
expires = 'Wed Jun 08 11:56:56 PDT 2017', 
RenewalTill = 'Thu Jul 07 11:53:29 PDT 2017', 
uid = 0, gids = 0, CanImpersonate = false