Generating a Service Ticket
Applications may have service processes that run outside the Data Fabric cluster but need to access the cluster to run Data Fabric commands. For security reasons, you decide not to run these services as a mapr user. Instead, you can use the maprlogin utility to generate a "service ticket" that can be used to access the cluster for the user account that runs the service. The maprlogin utility uses the current user's ticket (the user running the maprlogin command) to send an authenticated request for a newly generated service ticket.
This type of ticket has a specified duration (expiration), a renewal period (maximum lifetime), and a designated location where the ticket is safely stored. The service process that uses the ticket can access it based on the definition of the MAPR_TICKETFILE_LOCATION environment variable. This variable points to the location of the ticket and should be set for the service process after it starts. Short duration and renewal values may be used for security reasons, but much longer lifetimes are supported for ease of administration.
For example:
# maprlogin generateticket -type service -out /tmp/longlived_ticket -duration 30:0:0 -renewal 90:0:0 -user mapr
MapR credentials of user 'mapr' for cluster 'xxxx' are written to '/tmp/longlived_ticket'
/tmp/longlived_ticket. The ticket may be renewed at any time before the 30 days pass, extending its lifetime to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically after it expires.
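
Because a service ticket is a long-lived bearer credential, a service wrapper can verify where and how the ticket file is stored before setting MAPR_TICKETFILE_LOCATION. The following is an added example, not part of the product documentation; the function names check_ticket_file and use_service_ticket are hypothetical, and the policy it enforces (owner-only file in a directory other users cannot write to) is an assumption about what "safely stored" should mean, under which a world-writable directory such as /tmp is rejected.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight checks on a
# service ticket file before a service is pointed at it.

# Return 0 only if the ticket is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits, in a directory that
# group and other cannot write to.
check_ticket_file() {
    ticket=$1
    if [ -L "$ticket" ] || [ ! -f "$ticket" ]; then
        echo "ticket check: $ticket is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    if [ ! -O "$ticket" ]; then
        echo "ticket check: $ticket is not owned by the current user" >&2
        return 1
    fi
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    file_mode=$(ls -ld -- "$ticket" | cut -c1-10)
    case $file_mode in
        ????------) ;;
        *) echo "ticket check: $ticket mode $file_mode grants access beyond its owner" >&2
           return 1 ;;
    esac
    # Characters 6 and 9 of the directory mode are the group/other write bits.
    dir_mode=$(ls -ld -- "$(dirname -- "$ticket")" | cut -c1-10)
    case $dir_mode in
        ?????-??-?) ;;
        *) echo "ticket check: directory mode $dir_mode lets other users write" >&2
           return 1 ;;
    esac
    return 0
}

# Export MAPR_TICKETFILE_LOCATION only when the checks pass.
use_service_ticket() {
    check_ticket_file "$1" || return 1
    MAPR_TICKETFILE_LOCATION=$1
    export MAPR_TICKETFILE_LOCATION
}
```

A service start script would call use_service_ticket with the path given to -out and refuse to start the service if it returns non-zero.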