Managing Tickets

Introduces authentication using tickets for users and HPE Ezmeral Data Fabric servers.

HPE Ezmeral Data Fabric implements authentication with tickets. Tickets contain keys and are used to authenticate users and HPE Ezmeral Data Fabric servers. In addition, certificates are used to implement server authentication. Every user who wants to access a cluster must have a HPE Ezmeral Data Fabric user ticket (maprticket_<uid>). Every node in the cluster must have an HPE Ezmeral Data Fabric server ticket (maprserverticket).

A ticket is an object that contains specific information about a user and a key. A ticket authenticates a user to the cluster. Tickets are encrypted to protect their contents. The following table describes the tickets used by HPE Ezmeral Data Fabric for internal cluster operations, the user who can generate the ticket, and the command used to generate the ticket. This type of ticket should only be placed on cluster nodes.

Ticket Type	Description	Permissions/Command to Generate Ticket
`maprserver`	For (internal) cluster operations. This type of ticket can be long lasting.	User root using the `configure.sh` utility
`crosscluster`	For (internal) cross-cluster operations, such as mirroring and replication. This type of ticket can be long lasting.	User mapr using the `maprlogin` utility. The UID of the ticket (mapr) is always used as the identity of the entity using this ticket.

The following table describes the type of tickets supported by HPE Ezmeral Data Fabric for users and services, and whether the ticket can be used to impersonate another user. All of these tickets, except the user ticket, can only be generated by the cluster administrator using the maprlogin utility. The user ticket can be generated by any valid user using the maprlogin utility. These type of tickets can be placed on both cluster and client nodes and support (FUSE-based and loopbacknfs) POSIX clients and HDFS APIs.

Ticket Type	Description	Impersonation support	Notes
user	For granting access to individual users. This type of ticket has a short duration.	N/A^*	The UID of the ticket (implicit or explicit value of the `-user` parameter to `maprlogin` command) is used as the identity of the entity using this ticket, except for the exceptions noted here for user `root` and user `mapr`.
service	For accessing services running on client nodes. This type of ticket can have long duration.	N/A^*	The UID of the ticket (explicit value of the `-user` parameter to `maprlogin` command) is used as the identity of the entity using this ticket, except for the exceptions noted here for user `root` and user `mapr`.
servicewithimpersonation (not scoped)	For accessing services running on client nodes to run jobs on behalf of any user (except user `mapr`). This type of ticket can have long duration.	Yes	The ticket cannot be used to impersonate user `root` or user `mapr`.
servicewithimpersonation (scoped)	For accessing services running on client nodes to run jobs on behalf of the users (except user `root` and user `mapr`) specified in the ticket. This type of ticket can have long duration.	Yes	At ticket generation time, you cannot specify UID/GID of user `root` or user `mapr` to impersonate user root or user mapr respectively. NOTE In release 6.0.1, scoped impersonation works with FUSE-based POSIX clients. Scoped impersonation cannot be used with NFS and loopbacknfs POSIX clients. To use scoped impersonation in release 6.0.1, obtain the 6.0.1 EBF patch for RPM or DEB-based distributions from HPE Ezmeral Data Fabric Support, and install the patch.
servicewithimpersonationandticket	Allows some ticket holders to generate tickets subject to their impersonation authority. This type of ticket can have long duration.	Yes	Can be scoped or not scoped. See Generating an Impersonation Ticket with Ticket Generation Privileges. Supported in release 7.0.0 and later.
tenant	For tenant user(s) to access tenant volume(s) in a multi-tenant environment. This type of ticket can have long duration.	Yes	The ticket can be used to impersonate user `root` but cannot be used to impersonate user `mapr`.

^* Exceptions:

User mapr can impersonate other users (including user root)
User root can impersonate other users (excluding user mapr)

IMPORTANT

The identity of the user that authenticates with the maprlogin utility is independent from the identity of the user of the client OS.

HPE Ezmeral Data Fabric tickets contain the following information:

UID (generated from the UNIX user ID)
GIDs (group IDs for each group to which the user belongs)
Ticket creation time
Ticket expiration time (initial duration of the ticket)
Renewal expiration time (maximum lifetime of the ticket)
Whether user can (true) or cannot (false) impersonate another user

Since a ticket contains the GIDs for a user at the time the ticket is generated, the user must re-generate their ticket after changing group memberships.

Syntax and Examples of Creating and Managing User Tickets

For complete syntax, see The maprlogin Utility. For examples of creating and managing user tickets, see maprlogin Command Examples

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0