Generating an Impersonation Ticket with Ticket Generation Privileges
Describes a ticket option that allows some ticket holders to generate tickets subject to their impersonation authority.
Cases exist where an arbitrary process started by another process needs a ticket for a particular user. Before release 7.0.0, such tickets could be created by users with the cluster-level “Full Control” capability. For example, in release 6.2.0, we can give the fc privilege to user m7server1:

# maprcli acl set -type cluster -user root:login,ss,cv,a,fc,cp \
mapr:login,ss,cv,a,fc,cp m7server1:login,fc
# maprcli acl show -type cluster
Allowed actions Principal
[login, ss, cv, a, fc, cp] User root
[login, ss, cv, a, fc, cp] User mapr
[login, ss, cv, fc] User m7server1

With the fc privilege, the m7server1 user can create tickets for any user:

[m7server1@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user1 -type service -out m7user1ticket.out
MapR credentials of user 'm7user1' for cluster 'fips1.cluster.com' are written to 'm7user1ticket.out'
Although this meets the literal requirement, the “Full Control” capability is far too powerful, since the ability to create tickets is unrelated to the cluster-level “Full Control” capability. Release 7.0.0 enhanced the maprlogin generateticket command to allow the generation of a new type of ticket called servicewithimpersonationandticket:

# maprlogin generateticket
The -user parameter is required. Specify the user name of the service identity.
generateticket
 -type service|crosscluster|servicewithimpersonation|servicewithimpersonationandticket|tenant
 -user UNIX user name of service identity.
 [ -clusters comma seperated list of clusters OR 'all' for all clusters present in mapr-clusters.conf]
 [ -cluster mapr cluster name ]
 -out ticket location
 [ -duration [Days:]Hours:Minutes OR -duration Seconds.default: cluster's ticket duration setting ]
 [ -renewal [Days:]Hours:Minutes OR -duration Seconds.default: cluster's ticket duration setting ]
 [-ips comma separated list of ips on which ticket should be valid]
 [-impersonateduids comma separated list of uids for impersonation]
 [-impersonatedgids comma separated list of gids for impersonation]
In addition to users with the cluster-level “Full Control” capability being able to generate tickets, holders of tickets of the type servicewithimpersonationandticket can also generate tickets subject to their impersonation authority. Therefore, for users without the cluster-level “Full Control” capability, ticket generation is allowed if the caller holds a ticket with CanImpersonate = true and CanGenerateTicket = true, and either of the following conditions is true:

- The ticket is not a scoped impersonation ticket, that is, no impersonatedUids or impersonatedGids ID references are in the ticket. Below is an example of how to generate an unscoped impersonation ticket with ticket-generation permission for user m7server2:

# maprlogin generateticket -type servicewithimpersonationandticket \
 -user m7server2 -out m7server2ticket.out
MapR credentials of user 'm7server2' for cluster 'fips1.cluster.com' are written to 'm7server2ticket.out'
# maprlogin print -ticketfile m7server2ticket.out
Opening keyfile m7server2ticket.out
fips1.cluster.com: user = m7server2, created = 'Tue Jan 04 18:00:38 PST 2022', expires = 'Tue Jan 04 18:00:38 PST 12022', RenewalTill = 'Tue Jan 04 18:00:38 PST 12022', uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true
- If the ticket is a scoped impersonation ticket, the caller is allowed to generate a ticket for the target user if either of the following is true:
  - The target user's UID is in the list of impersonated UIDs.
  - At least one group that the target user belongs to is in the list of impersonated GIDs.

Below is an example of how to generate a scoped impersonation ticket with ticket-generation permission for user m7user2:

# maprlogin generateticket -type servicewithimpersonationandticket -user m7server2 -out m7server2ticket-imp.out -impersonateduids 5001 -impersonatedgids 5003
[root@m2-mapreng-vm166251 ~]# maprlogin print -ticketfile m7server2ticket-imp.out
Opening keyfile m7server2ticket-imp.out
fips1.cluster.com: user = m7server2, created = 'Thu Jan 06 00:15:47 PST 2022', expires = 'Thu Jan 06 00:15:47 PST 12022', RenewalTill = 'Thu Jan 06 00:15:47 PST 12022', uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, isExternal = true, impersonatedUids = 5001,, impersonatedGids = 5003,
User m7server2 is allowed to generate tickets for user m7user1 (UID 5001, GID 5002) because its UID is within the list of impersonatedUids for this ticket:

[m7server2@m2-mapreng-vm166251 ~]$ export MAPR_TICKETFILE_LOCATION=/home/m7server2/m7server2ticket.out
[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user1 -type service -out m7user1ticket.out
MapR credentials of user 'm7user1' for cluster 'fips1.cluster.com' are written to 'm7user1ticket.out'
The user m7server2 is also allowed to generate tickets for user m7user2 (UID 5002, GID 5003) because the GID of m7user2 is within the list of impersonatedGids for this ticket:

[m7server2@m2-mapreng-vm166251 ~]$ export MAPR_TICKETFILE_LOCATION=/home/m7server2/m7server2ticket.out
[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket -user m7user2 -type service -out m7user2ticket.out
MapR credentials of user 'm7user2' for cluster 'fips1.cluster.com' are written to 'm7user2ticket.out'
User m7server2 is not allowed to generate tickets for user m7user3 (UID 5005, GID 5006), since the UID of m7user3 (5005) is not in the list of impersonatedUids for this ticket, and neither is its GID (5006) in the list of impersonatedGids:

[m7server2@m2-mapreng-vm166251 ~]$ maprlogin generateticket \
 -user m7user3 -type service -out m7user3ticket.out
User m7server2 does not have permission to impersonate user m7user3(UID: 5005), and cannot generate ticket
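The decision rule walked through above, as an added example that is not part of this page or of the product's own code: a small Python model that parses the ticket line printed by maprlogin print and applies the CanImpersonate/CanGenerateTicket and UID/GID scope check to the three target users from the walkthrough. The field names and line format are taken from the output shown on this page; the has_cluster_fc flag is an assumption standing in for the cluster-level “Full Control” ACL check, and the sample lines are embedded copies of the page's output so the check runs offline.

```python
import re

# Constructed sample input (copied from the `maprlogin print` output shown on
# this page): the scoped ticket and the unscoped ticket for m7server2, embedded
# here so the check runs offline.
SCOPED_TICKET_LINE = (
    "fips1.cluster.com: user = m7server2, created = 'Thu Jan 06 00:15:47 PST 2022', "
    "uid = 5004, gids = 5005, CanImpersonate = true, CanGenerateTicket = true, "
    "isExternal = true, impersonatedUids = 5001,, impersonatedGids = 5003,"
)
UNSCOPED_TICKET_LINE = (
    "fips1.cluster.com: user = m7server2, uid = 5004, gids = 5005, "
    "CanImpersonate = true, CanGenerateTicket = true, isExternal = true"
)
LIST_FIELDS = {"gids", "impersonatedUids", "impersonatedGids"}
BOOL_FIELDS = {"CanImpersonate", "CanGenerateTicket", "isExternal"}

def parse_ticket_line(line):
    """Turn one 'cluster: key = value, ...' line into a dict: ID lists become
    sets of ints, booleans become bool; the trailing ',,' after a list is tolerated."""
    cluster, _, body = line.partition(": ")
    ticket = {"cluster": cluster}
    # A value is either a quoted date or a run of word characters and commas.
    for key, raw in re.findall(r"(\w+) = ('[^']*'|[\w,]*)", body):
        val = raw.strip("',")
        if key in LIST_FIELDS:
            ticket[key] = {int(v) for v in val.split(",") if v}
        elif key in BOOL_FIELDS:
            ticket[key] = val == "true"
        elif key == "uid":
            ticket[key] = int(val)
        else:
            ticket[key] = val
    return ticket

def may_generate_ticket_for(ticket, target_uid, target_gids, has_cluster_fc=False):
    """Release 7.0.0 rule from this page: cluster-level Full Control (assumed flag)
    always suffices; otherwise the caller's ticket needs CanImpersonate and
    CanGenerateTicket and must be unscoped or list the target's UID or a GID."""
    if has_cluster_fc:
        return True
    if not (ticket.get("CanImpersonate") and ticket.get("CanGenerateTicket")):
        return False  # a plain service ticket cannot mint tickets
    scoped_uids = ticket.get("impersonatedUids", set())
    scoped_gids = ticket.get("impersonatedGids", set())
    if not scoped_uids and not scoped_gids:
        return True  # unscoped impersonation ticket: any target user
    return target_uid in scoped_uids or bool(set(target_gids) & scoped_gids)
```

Running may_generate_ticket_for over the scoped ticket for m7user1 (5001/5002), m7user2 (5002/5003) and m7user3 (5005/5006) reproduces the allow, allow, deny outcomes shown in the sessions above.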