maprlogin
Authenticates logins to secure HPE Ezmeral Data Fabric clusters.
The /opt/mapr/bin/maprlogin command line tool enables users to log into secure MapR clusters. Users authenticate themselves to the cluster with a maprticket that can be generated in the following ways:
- Run maprlogin password to authenticate with username and password.
- Run maprlogin generateticket to request a service, tenant, or cross-cluster ticket for use by an external application or user account (based on the current user's ticket).
- Run maprlogin kerberos after generating a Kerberos ticket with the kinit command.
maprticket_<uid>) and every node in the cluster must have a MapR server ticket (maprserverticket).
For more details about different ways to generate tickets, see Tickets.
Syntax
/opt/mapr/bin/maprlogin <argument> <option>
Arguments
Argument | Description |
---|---|
authtest | Simulates runtime behavior during authentication. The following is the syntax for running the maprlogin command with this argument: For more information, see Options. |
end\|logout | Logs out of the cluster. The following is the syntax for running the maprlogin command with this argument: For more information, see Options. |
generateticket | Generates a ticket for another user or application. The user who runs the maprlogin command with this option must already have a user ticket and must have fc (full control) ACL authorization on the cluster. See acl set. The following is the syntax for running the For more information, see Options. |
kerberos | Indicates the presence of a Kerberos ticket. The following is the syntax for running the maprlogin command with this argument: For more information, see Options. |
password | The user's UNIX password. The following is the syntax for running the maprlogin command with this argument: For more information, see Options. |
print | Prints a ticket of any type. The output contains information including the cluster name, the user ID, the date when the ticket was created, the ticket expiration date, whether the user can impersonate other users, and whether the ticket is for a tenant. In the service tickets, the value for The following is the syntax for running the For more information, see Options. |
renew | Renews the ticket, given a duration that does not cause the ticket to exceed its maximum lifetime. The original -renewal value for the ticket determines its maximum lifetime. The following is the syntax for running the maprlogin command with this argument: For more information, see Options. |
Options
Option | Description | Default |
---|---|---|
-cluster | Name of the cluster to log into. | First cluster name in the /opt/mapr/conf/mapr-clusters.conf file. |
-duration | Length of time before the ticket expires, specified in one of the following formats: Password-generated tickets are bounded by the CLDB duration and renewal properties that are set for the cluster: For password-generated tickets, if See config. NOTE The service, servicewithimpersonation, tenant, and crosscluster tickets may have a very long lifetime; their duration is not bounded by these properties. For service and crosscluster tickets, the default value is LIFETIME. | |
-impersonatedgids | The comma-separated list of GIDs to impersonate. This can only be specified when generating a servicewithimpersonation ticket. If this is specified, the ticket owner can only impersonate the specified groups or users belonging to the specified groups. If | No default |
-impersonateduids | The comma-separated list of UIDs to impersonate. This can only be specified when generating a servicewithimpersonation ticket. If this is specified, the ticket owner can only impersonate the specified users. If | No default |
-out | A safe directory location where the ticket will be stored. Can be used with generateticket, password, and renew commands. You must specify a location when generating service and tenant tickets. (This requirement ensures that other tickets are not overwritten.) | /tmp/maprticket_<uid> (default applies to non-service tickets only) |
-renewal | Total lifetime of the ticket, specified in one of the following formats: If NOTE Service, tenant, and crosscluster tickets are not bounded by these properties. For example, assume that the The ticket will expire after 30 days unless it is renewed. If a Using the same example, if you renew a ticket on the 29th day of its life, you can renew it for up to 61 days. You can renew a ticket incrementally, for some number of days at a time, as long as you do not exceed the original renewal value. | 2592000 seconds (30 days) |
-ticketfile | Optional with print and renew commands. Specifies the path to ticket file, if different from default. If this is not specified, the command looks for the ticketfile (maprticket_<uid>) in the default location, which is /tmp on Linux and %TEMP% on Windows systems or in the location specified by the environment variable, $MAPR_TICKETFILE_LOCATION. | |
-type | Required ticket type for the generateticket command; value must be service, servicewithimpersonation, tenant, or crosscluster: | No default; -type must be set in the maprlogin generateticket command. |
-user | Required with the generateticket command. The UNIX user name of the user on the MapR cluster. For | No default |
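
The following is an added example, not part of the HPE documentation: a POSIX shell check for Linux nodes that resolves the ticket file in the order the -ticketfile description gives and rejects a file that is a symlink, is owned by another UID, or is accessible to group or other. It assumes $MAPR_TICKETFILE_LOCATION holds the full path to the ticket file; ticket_path and check_ticket_file are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit a maprticket file before relying on it.
# Assumption: MAPR_TICKETFILE_LOCATION is the full path to the ticket file.

# Resolve the ticket path: explicit argument (as with -ticketfile),
# else $MAPR_TICKETFILE_LOCATION, else /tmp/maprticket_<uid>.
ticket_path() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${MAPR_TICKETFILE_LOCATION:-}" ]; then
        printf '%s\n' "$MAPR_TICKETFILE_LOCATION"
    else
        printf '/tmp/maprticket_%s\n' "$(id -u)"
    fi
}

# Print one finding; return non-zero when the file should not be used.
check_ticket_file() {
    f=$(ticket_path "${1:-}")
    # /tmp is world-writable, so refuse to follow a symlink planted there.
    if [ -L "$f" ]; then echo "symlink: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "missing: $f"; return 1; fi
    # ls -ldn prints the mode string (field 1) and numeric owner (field 3).
    set -- $(ls -ldn "$f")
    mode=$1
    owner=$3
    if [ "$owner" != "$(id -u)" ]; then echo "wrong-owner: $f"; return 1; fi
    # Mode string: 1 type char, 3 owner chars, then 6 group/other chars.
    case "$mode" in
        ????------*) echo "ok: $f"; return 0 ;;
        *) echo "group-or-other-access: $f ($mode)"; return 1 ;;
    esac
}
```

Run check_ticket_file with no argument to audit the current user's default ticket, or pass the path given to -out for a service or tenant ticket.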