Configuring Impersonation
Lists the process to permit the mapr
user to impersonate other
users.
Impersonation, also known as identity assertion, is one user (the mapr
super
user) accessing data and submitting jobs on behalf of another user.
mapr
user can impersonate other users.For secure clusters, to have a request processed as an impersonated user:
- The user submitting the request must be the
mapr
user and the request should have the HTTP header X-MAPR-IMPERSONATED-USER, passed in the request.The value of the header is the username of the impersonated user.
- The header must also include
"Authorization: Basic <base64_encoding_of_userID:pwd>"
for the apiserver to authorize the request.Here userID is
mapr
and the password is the PAM Linux password formapr
user on the node on which the apiserver is running.
For example:
curl -XPOST -H "Accept: application/json" -H "X-MAPR-IMPERSONATED-USER: m7user1" -H "Authorization: Basic bWFwcjptYXBy" -k https://10.20.30.40:8443/rest/table/create?path=%2Ftmp%2FsrcC -v
For a non-secure cluster, data-fabric requires a file for the user to impersonate in the
/opt/mapr/conf/proxy
directory. The logged-in user is allowed to
impersonate only if the /opt/mapr/conf/proxy/<user_to_impersonate>
file is
present. By default, this file is created during installation for the mapr
user and the root
user. If the file is not present, HTTP 403 is returned to
the client if the client attempts to impersonate a user who does not have the file.