Generating a Service with Impersonation Ticket
Impersonation allows a user to access data and submit jobs on behalf of another user.
Users other than the mapr user can be allowed to impersonate other users. Use the maprlogin utility to generate a "servicewithimpersonation" ticket, which can optionally be used to access a secure cluster while impersonating another user. The servicewithimpersonation ticket gives the user the ability to impersonate other users (except the mapr user) in addition to the ability to access a secure cluster. This type of ticket can only be generated by a user with full control on the cluster's ACL.
If this type of ticket is generated and saved in the location specified with the -out option, do the following after generating the ticket:
- Reset the permissions on the ticket file so that the user for whom the ticket was generated has read permission on it.
- Set the MAPR_TICKETFILE_LOCATION environment variable to point to the ticket file location if the path specified with the -out option was not /tmp/maprticket_<uid>.
This type of ticket, similar to a service ticket, has a specified duration (expiration), a renewal period (maximum lifetime), and a location where the ticket is safely stored. It grants the specified user the ability to impersonate other users, except the mapr user.
The default duration for this type of ticket is LIFETIME and the duration is not bounded by the CLDB duration properties. Short duration and renewal values may be used for security reasons, but much longer lifetimes are supported for ease of administration.
For example:
# maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/impersonation_ticket -duration 30:0:0 -renewal 90:0:0
The above command generates a service with impersonation ticket that expires after 30 days and is stored in /var/tmp/impersonation_ticket. The ticket may be renewed at any time before the 30 days and can be extended up to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically when it expires. The ticket allows the user to impersonate all users on the cluster.
To allow a user to impersonate only specific users and/or groups, use the impersonateduids and/or impersonatedgids options with the maprlogin command. For example:
# maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/impersonation_ticket -duration 30:0:0 -impersonateduids 1002,1003 -impersonatedgids 1005,1006 -renewal 90:0:0
The above command generates a service with impersonation ticket. The ticket holder can impersonate users whose UIDs are 1002 and 1003 and users in the groups with GIDs 1005 and 1006. The ticket expires after 30 days and is stored in /var/tmp/impersonation_ticket. The ticket may be renewed at any time before the 30 days and can be extended up to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically when it expires.
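The following shell script is an added example, not part of the MapR documentation, that ties the two command forms above to the post-generation steps (resetting the ticket file's permissions and setting MAPR_TICKETFILE_LOCATION when the ticket is not at the default /tmp/maprticket_<uid> path). It assumes maprlogin is on the PATH of a user with full control on the cluster ACL; the function names, the 30-day/90-day values and the lock-down to mode 0400 are choices made here, and the `maprlogin print -ticketfile` verification step is a maprlogin subcommand not shown on this page. The optional UID/GID lists restrict impersonation exactly as in the second command above.

```shell
#!/bin/sh
# Added example: generate a servicewithimpersonation ticket and apply the
# follow-up steps the documentation requires. Not MapR's own tooling.

# Print the export line for MAPR_TICKETFILE_LOCATION only when the ticket
# is NOT stored at the default path /tmp/maprticket_<uid>; prints nothing otherwise.
ticket_env_line() {
  ticket="$1"; uid="$2"
  if [ "$ticket" != "/tmp/maprticket_$uid" ]; then
    printf 'export MAPR_TICKETFILE_LOCATION=%s\n' "$ticket"
  fi
}

# Give the ticket to its intended user and make it owner-read-only (0400),
# so no group or other user can read the credential.
lock_down_ticket() {
  ticket="$1"; owner="$2"
  chown "$owner" "$ticket" && chmod 0400 "$ticket"
}

# Report the octal mode of a file (GNU stat first, BSD stat as fallback).
ticket_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build and run the maprlogin command from the page, optionally restricting
# impersonation to comma-separated UID and GID lists, then lock the file down.
# Usage: generate_impersonation_ticket USER OUT_PATH [UIDS] [GIDS]
generate_impersonation_ticket() {
  user="$1"; ticket="$2"; uids="${3:-}"; gids="${4:-}"
  set -- maprlogin generateticket -type servicewithimpersonation \
         -user "$user" -out "$ticket" -duration 30:0:0 -renewal 90:0:0
  if [ -n "$uids" ]; then set -- "$@" -impersonateduids "$uids"; fi
  if [ -n "$gids" ]; then set -- "$@" -impersonatedgids "$gids"; fi
  "$@" || return 1
  lock_down_ticket "$ticket" "$user" || return 1
  # Verification step (maprlogin print is not shown on this page): confirm the
  # ticket parses and shows the expected user and expiry before handing it over.
  maprlogin print -ticketfile "$ticket"
  ticket_env_line "$ticket" "$(id -u "$user")"
}
```

Source the script and run, for example, `generate_impersonation_ticket mapruser1 /var/tmp/impersonation_ticket 1002,1003 1005,1006`; it prints the `export MAPR_TICKETFILE_LOCATION=...` line the ticket user must add to their environment because the path differs from the default. Omit the last two arguments to reproduce the first, unrestricted command.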