maprlogin Command Examples
Describes common scenarios associated with maprlogin usage.
Generating and Displaying User Ticket
Generate a user ticket:
$ maprlogin password
[Password for user 'juser' at cluster 'my.cluster.com': ]
MapR credentials of user 'juser' for cluster 'my.cluster.com'
are written to '/tmp/maprticket_1000'
$ maprlogin print
Opening keyfile /tmp/maprticket_1000
my.cluster.com: user = juser,
created = 'Mon Sep 17 08:30:26 PDT 2018', expires = 'Mon Oct 01 08:30:26 PDT 2018',
RenewalTill = 'Wed Oct 17 08:30:26 PDT 2018', uid = 20001, gids = 54261,
CanImpersonate = false
Generating and Displaying mapr User Ticket
Generate a ticket for the mapr user:
# su mapr
$ maprlogin password
[Password for user 'mapr' at cluster 'test.cluster.com': ]
MapR credentials of user 'mapr' for cluster 'test.cluster.com'
are written to '/tmp/maprticket_5000'
$ maprlogin print
Opening keyfile /tmp/maprticket_5000
test.cluster.com: user = mapr, created = 'Mon Sep 17 09:18:19 PDT 2018',
expires = 'Mon Oct 01 09:18:19 PDT 2018', RenewalTill = 'Wed Oct 17 09:18:19 PDT 2018',
uid = 5000, gids = 5000, 0, 5001, CanImpersonate = true
Generating and Displaying Service Ticket
Generate a service ticket, longlived_ticket, in /tmp for maprUser1:
$ maprlogin generateticket -type service -out /tmp/longlived_ticket \
    -duration 30:0:0 -renewal 90:0:0 -user maprUser1
MapR credentials of user 'maprUser1' for cluster 'JSKCluster129_secure'
are written to '/tmp/longlived_ticket'
Display the service ticket in a specified location:
$ maprlogin print -ticketfile /tmp/ticketwithduration
Opening keyfile /tmp/ticketwithduration
JSKCluster129_secure: user = maprUser1,
created = 'Tue Jun 14 11:12:01 PDT 2017', expires = 'Thu Jul 14 11:12:01 PDT 2017',
RenewalTill = 'Mon Sep 12 11:12:01 PDT 2017',
uid = 0, gids = 0, CanImpersonate = false
Generating and Printing Service with Impersonation Ticket
Generate a service with impersonation ticket (in /var/tmp) for maprUser1:
$ maprlogin generateticket -type servicewithimpersonation -user maprUser1 \
    -out /var/tmp/impersonationTicketMaprUser1
After generating the ticket, ensure that maprUser1 has read permissions on the ticket. If you move the ticketfile to a different location, set the $MAPR_TICKETFILE_LOCATION environment variable.
Display the service with impersonation ticket in the specified location:
$ maprlogin print -ticketfile /var/tmp/impersonationTicketMaprUser1
Opening keyfile /var/tmp/impersonationTicketMaprUser1
JSKCluster129_secure: user = maprUser1,
created = 'Mon Apr 18 13:46:38 PDT 2017', expires = 'Mon May 02 13:46:38 PDT 2017',
RenewalTill = 'Wed May 18 13:46:38 PDT 2017',
uid = 501, gids = 502, CanImpersonate = true
impersonateduids and/or impersonatedgids options with the maprlogin command. For example:
$ maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/impersonation_ticket -duration 30:0:0 -impersonateduids 1002,1003 -impersonatedgids 1005,1006 -renewal 90:0:0
The command generates a service with impersonation ticket. The ticket holder can impersonate users whose UIDs are 1002 and 1003, and users in the groups with GIDs 1005 and 1006. The ticket expires after 30 days and is stored in /var/tmp/impersonation_ticket. The ticket may be renewed at any time within 30 days and can be extended up to a maximum of 90 days. The ticket must be renewed explicitly before its expiration date; it does not renew automatically when it expires.
Generating a Tenant Ticket that is Valid for Specific IPs
Generate a tenant ticket (in /tmp) for user test that is valid for specific IPs:
$ maprlogin generateticket -type tenant -out /tmp/ticketip -ips 10.9.0.1,10.9.0.2 -user test
MapR credentials of user 'test' for cluster 'my.cluster.com' are written to '/tmp/ticketip'
The -ips argument is only valid for the tenant ticket type.
Display the generated tenant ticket:
$ maprlogin print -ticketfile /tmp/ticketip
Opening keyfile /tmp/ticketip
my.cluster.com: user = test, created = 'Tue Aug 25 00:34:14 PDT 2020', expires = 'Tue Aug 25 00:34:14
PDT 12020', RenewalTill = 'Tue Aug 25 00:34:14 PDT 12020', uid = 5001, gids = 7001,
CanImpersonate = true, isExternal = true, ips = 10.9.0.1,10.9.0.2,, IsTenant = true
Generating and Displaying Cross-Cluster Ticket
Generate a cross-cluster ticket (in /tmp) for maprUser1:
$ maprlogin generateticket -type crosscluster -out /tmp/crossclusterTicket -user maprUser1
MapR credentials of user 'maprUser1' for cluster 'JSKCluster128_secure'
are written to '/tmp/crossclusterTicket'
Display the contents of a cross-cluster ticket in the specified location:
$ maprlogin print -ticketfile /tmp/crossclusterTicket
Opening keyfile /tmp/crossclusterTicket
ClusterSecure: user = root,
created = 'Fri May 27 14:29:40 PDT 2017', expires = 'Fri May 27 14:29:40 PDT 12017',
RenewalTill = 'Fri May 27 14:29:40 PDT 12017',
uid = 0, gids = 0, CanImpersonate = false
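An added example, not part of the original documentation or the product: the Python below parses the maprlogin print output format shown in the sections above and flags tickets that deserve review (impersonation rights, an expiry about 10,000 years out as in the tenant and cross-cluster outputs, a tenant ticket with no ips restriction, a ticket file accessible to group or others). The sample record, the flag names and the 100-year threshold are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample, in the format of the tenant ticket output on this page.
SAMPLE = """Opening keyfile /tmp/ticketip
my.cluster.com: user = test, created = 'Tue Aug 25 00:34:14 PDT 2020', expires = 'Tue Aug 25 00:34:14
PDT 12020', RenewalTill = 'Tue Aug 25 00:34:14 PDT 12020', uid = 5001, gids = 7001,
CanImpersonate = true, isExternal = true, ips = 10.9.0.1,10.9.0.2,, IsTenant = true
"""

def parse_ticket(text):
    """Turn one `maprlogin print` record into a dict of its fields."""
    lines = text.strip().splitlines()
    keyfile = None
    if lines[0].startswith("Opening keyfile"):
        keyfile = lines.pop(0).split("Opening keyfile", 1)[1].strip()
    # Records wrap across lines, sometimes inside a quoted date, so rejoin first.
    cluster, rest = " ".join(lines).split(":", 1)
    ticket = {"keyfile": keyfile, "cluster": cluster.strip()}
    # gids and ips values contain commas, so split on "name = " boundaries.
    keys = list(re.finditer(r"(\w+) = ", rest))
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(rest)
        ticket[cur.group(1)] = rest[cur.end():end].strip(" ,'")
    return ticket

def audit(ticket, mode=None):
    """Return review flags; `mode` is the ticket file's st_mode, if known."""
    flags = []
    if ticket.get("CanImpersonate") == "true":
        flags.append("can-impersonate")
    # The year is the last token of each date; 12020 does not fit datetime.
    created_year = int(ticket["created"].split()[-1])
    expires_year = int(ticket["expires"].split()[-1])
    if expires_year - created_year >= 100:  # threshold chosen for this example
        flags.append("effectively-non-expiring")
    if ticket.get("IsTenant") == "true" and not ticket.get("ips"):
        flags.append("tenant-without-ip-restriction")
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        flags.append("accessible-by-group-or-others")
    return flags

if __name__ == "__main__":
    t = parse_ticket(SAMPLE)
    mode = os.stat(t["keyfile"]).st_mode if os.path.exists(t["keyfile"]) else None
    print(t["cluster"], t["user"], audit(t, mode))
```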
Running an Authentication Test
authtest: This troubleshooting option simulates the behavior of the runtime during authentication, going through the authentication flow.
Options: [ -cluster ] Specifies the name of the cluster.
Ending a Session Before the Ticket Expires
end or logout: Destroys tickets and logs out.
Options: [ -cluster ] Specifies the name of the cluster. By default, deletes all tickets for all clusters.
Renewing a Ticket Before It Expires
renew: Renews an existing ticket for a specified time period.
[ -cluster ] - Specifies the name of the cluster.
[ -duration ] - Specifies the ticket duration.
The duration you specify must be valid for the ticket in question, given the original -renewal value for the ticket and the life of the ticket when the renew command is run:
- You cannot renew a ticket that has already expired.
- You can renew the same ticket multiple times.
- The renewal period (or periods) cannot exceed the available time left for the ticket.
For example, assume that a ticket is created with a duration of 10 days and a renewal of 30 days:
maprlogin password -duration 10:0:0 -renewal 30:0:0
- On the 11th day, the ticket expires and cannot be renewed at all.
- On the 9th day, you can renew the ticket for any number of days up to a maximum of 21.
- On the 23rd day, you can renew the ticket for any number of days up to a maximum of 7.
Example: Renew a ticket and display the renewed ticket in the specified location:
$ maprlogin renew -out /tmp/RenewedsecureClusterTicket \
    -ticketfile /tmp/secureClusterTicket -duration 1:0:0
$ maprlogin print -ticketfile /tmp/RenewedsecureClusterTicket
Opening keyfile /tmp/RenewedsecureClusterTicket
JSKCluster129_secure: user = root,
created = 'Tue Jun 07 11:53:29 PDT 2017',
expires = 'Wed Jun 08 11:56:56 PDT 2017',
RenewalTill = 'Thu Jul 07 11:53:29 PDT 2017',
uid = 0, gids = 0, CanImpersonate = false
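An added example, not part of the original documentation or the product: the renewal rules above written as a pre-flight check in Python, useful in a scheduled job that renews service tickets before they lapse. The function names are hypothetical; the Days:Hours:Minutes reading of -duration and the new expiry being the renew time plus the duration are taken from the examples on this page.

```python
from datetime import datetime, timedelta

def parse_duration(spec):
    """Parse the Days:Hours:Minutes form used on this page, e.g. '30:0:0'."""
    parts = spec.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected D:H:M, got {spec!r}")
    days, hours, minutes = map(int, parts)
    return timedelta(days=days, hours=hours, minutes=minutes)

def max_renewal(expires, renewal_till, now):
    """Longest duration a renew could be given at `now`, or None if expired."""
    if now >= expires:
        return None               # an expired ticket cannot be renewed
    return renewal_till - now     # a renewal cannot run past RenewalTill

def check_renew(expires, renewal_till, now, duration_spec):
    """Return (allowed, reason) for a planned -duration value."""
    limit = max_renewal(expires, renewal_till, now)
    if limit is None:
        return False, "ticket already expired; generate a new one"
    wanted = parse_duration(duration_spec)
    if wanted > limit:
        return False, f"exceeds remaining renewal window of {limit.days} days"
    return True, f"new expiry {now + wanted:%Y-%m-%d %H:%M}"

if __name__ == "__main__":
    # Constructed timeline matching the 10-day / 30-day example above.
    created = datetime(2018, 9, 17, 8, 30, 26)
    expires = created + parse_duration("10:0:0")
    till = created + parse_duration("30:0:0")
    for day, spec in [(9, "21:0:0"), (9, "22:0:0"), (11, "1:0:0")]:
        now = created + timedelta(days=day)
        print(day, spec, check_renew(expires, till, now, spec))
```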