maprlogin

Authenticates logins to secure HPE Ezmeral Data Fabric clusters.

The /opt/mapr/bin/maprlogin command line tool enables users to log into secure MapR clusters. Users authenticate themselves to the cluster with a maprticket that can be generated in the following ways:

Run maprlogin password to authenticate with username and password.
Run maprlogin generateticket to request a service, tenant, or cross-cluster ticket for use by an external application or user account (based on the current user's ticket).
Run maprlogin kerberos after generating a Kerberos ticket with the kinit command.

NOTE

Tickets contain keys, and are used to authenticate users and MapR servers. Every user who wants to access a cluster must have a MapR user ticket (maprticket_<uid>) and every node in the cluster must have a MapR server ticket (maprserverticket).

For more details about different ways to generate tickets, see Tickets.

Syntax

/opt/mapr/bin/maprlogin <argument> <option>

Arguments

Argument	Description
`authtest`	Simulates runtime behavior during authentication. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin authtest [ -cluster mapr cluster name ]` For more information, see Options.
`end\|logout`	Logs out of the cluster. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin end\|logout [ -cluster mapr cluster name ]` For more information, see Options.
`generateticket`	Generates a ticket for another user or application. The user who runs the `maprlogin` command with this option must already have a user ticket and must have `fc` (full control) ACL authorization on the cluster. See acl set. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin generateticket -type service\|crosscluster\|servicewithimpersonation\|tenant -user <UNIX user name> [ -cluster <cluster name> ] -out <ticket location> [ -duration <[Days:]Hours:Minutes OR -duration Seconds> ] [ -renewal <[Days:]Hours:Minutes OR -duration Seconds> ] [ -impersonateduids <uids to impersonate> ] [ -impersonatedgids <gids to impersonate> ]` For more information, see Options.
`kerberos`	Indicates the presence of a Kerberos ticket. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin kerberos [ -cluster <cluster name> ] [ -duration <ticket duration> ]` For more information, see Options.
`password`	The user's UNIX password. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin password [ -cluster <cluster name> ] [ -user <user name> ] [ -duration <ticket duration> ] [ -out <ticket location> ]` For more information, see Options.
`print`	Prints ticket of any type and contains information including the cluster name, the user ID, the date when the ticket was created, the ticket expiration date, and whether user can impersonate other users, and whether the ticket is for a tenant. In the service tickets, the value for `CanImpersonate` is `true` if impersonation is enabled for user and `false` if impersonation is disabled for the user. In the regular cluster ticket for the user, the value of `CanImpersonate` is always `false`. In the tenant ticket, the value for `CanImpersonate` is always `true`. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin print [ -ticketfile <location of ticket file> ]` For more information, see Options.
`renew`	Renews the ticket, given a duration that does not cause the ticket to exceed its maximum lifetime. The original `-renewal` value for the ticket determines its maximum lifetime. The following is the syntax for running the `maprlogin` command with this argument: `/opt/mapr/bin/maprlogin renew [ -cluster <cluster name> ] [ -duration <ticket renew duration> ] [ -ticketfile <input ticket file> ] [ -out <ticket location> ]` For more information, see Options.

Options

Option	Description	Default
`-cluster`	Name of the cluster to log into.	First cluster name in the `/opt/mapr/conf/mapr-clusters.conf` file.
`-duration`	Length of time before the ticket expires, specified in one of the following formats: `-duration [Days:]Hours:Minutes` `-` `duration Seconds` Password-generated tickets are bounded by the CLDB duration and renewal properties that are set for the cluster: `cldb.security.user.ticket.duration.seconds` (default=`1209600`) is used if duration is not specified while generating the ticket. `cldb.security.user.ticket.max.duration.seconds` (default=`2592000`) is the maximum duration allowed for a ticket. For password-generated tickets, if `-duration` is not set with the `maprlogin` command, the CLDB duration property is used by default. See config. NOTE The `service`, `servicewithimpersonation`, tenant, and `crosscluster` tickets may have a very long lifetime; their duration is not bounded by these properties. For service and crosscluster tickets, the default value is LIFETIME.	1209600 seconds (14 days) for user tickets LIFETIME for service and cross-cluster tickets
`-impersonatedgids`	The comma-separated list of GIDs to impersonate. This can only be specified when generating a servicewithimpersonation ticket. If this is specified, the ticket owner can only impersonate the specified groups or users belonging to the specified groups. If `impersonatedgids` and `impersonareduids` are not specified, the ticket holder can impersonate all users on the cluster except the root user or the mapr user.	No default
`-impersonateduids`	The comma-separated list of UIDs to impersonate. This can only be specified when generating a servicewithimpersonation ticket. If this is specified, the ticket owner can only impersonate the specified users. If `impersonatedgids` and `impersonareduids` are not specified, the ticket holder can impersonate all users on the cluster except the root user or the mapr user.	No default
`-out`	A safe directory location where the ticket will be stored. Can be used with `generateticket`, `password`, and `renew` commands. You must specify a location when generating service and tenant tickets. (This requirement ensures that other tickets are not overwritten.)	`/tmp/maprticket_<uid>` (default applies to non-service tickets only)
`-renewal`	Total lifetime of the ticket, specified in one of the following formats: `-renewal [Days:]Hours:Minutes` `-renewal Seconds` If `-renewal` is not set with the `maprlogin` command, the CLDB renewal property is set by default (`cldb.security.user.ticket.renew.duration.seconds`). You can also set the `cldb.security.user.ticket.renew.max.duration.seconds` property, which is the maximum duration (7776000, by default) allowed for a ticket renewal. NOTE Service, tenant, and crosscluster tickets are not bounded by these properties. For example, assume that the `maprlogin` command passes the following options for a service ticket: `-duration 30:0:0 -renewal 90:0:0` The ticket will expire after 30 days unless it is renewed. If a `maprlogin renew` command is submitted for the ticket before the initial 30 days pass, the ticket's lifetime may be extended up to a total maximum lifetime of 90 days. Tickets do not renew automatically; administrators must renew them with the `maprlogin renew` command, specifying a valid renewal period, and they must do this before the duration period ends. The renewal period must be less than or equal to the remaining amount of time allowed on the ticket. Using the same example, if you renew a ticket on the 29th day of its life, you can renew it for up to 61 days. You can renew a ticket incrementally, for some number of days at a time, as long as you do not exceed the original renewal value.	2592000 seconds (30 days)
`-ticketfile`	Optional with `print` and `renew` commands. Specifies the path to ticket file, if different from default. If this is not specified, the command looks for the ticketfile (`maprticket_<uid>`) in the default location, which is `/tmp` on Linux and `%TEMP%` on Windows systems or in the location specified by the environment variable, `$MAPR_TICKETFILE_LOCATION`.	Linux: `/tmp` Windows: `%TEMP%`
`-type`	Required ticket type for the `generateticket` command; value must be `service`, `servicewithimpersonation`, `tenant`, or `crosscluster:` `service` is used to generate service tickets for regular cluster operations. `servicewithimpersonation` is used to generate tickets for regular cluster operations, including allowing user to impersonate other users. `tenant` is used to generate tickets for tenant users/hosts. `crosscluster` is used to generate tickets for inter-cluster operations, such as remote mirroring. The `crosscluster` option only works with the `mapr` user.	No default; `-type` must be set in the `maprlogin generateticket` command.
`-user`	Required with the `generateticket` command. The UNIX user name of the user on the MapR cluster. For `crosscluster` tickets, the user must be `mapr`.	No default

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0