Native and Kerberos Security Support on MapR

MapR has its own native security infrastructure. When enabled, access to MapR services (maprfs, YARN, and so on) requires a valid ticket. User authentication and ticket management is provided by the maprlogin utility. To access any MapR service, users must first run mapr password to authenticate themselves to the cluster. Once authenticated, a time-limited ticket is issued. Users can then access services for as long as their ticket is valid. Valid tickets can be renewed using maprlog renew. Because native security requires manual interaction, VectorH does not support automatic ticket management and renewal. A valid MapR ticket must be obtained for the “actian” user (or instance owner) for each node VectorH is to be installed on before the installation will continue. We recommend using service tickets as they have longer expiration times than the user tickets maprlogin issues by default. For more information on service tickets, see http://doc.mapr.com/display/MapR/Tickets+and+Certificates#TicketsandCertificates-GeneratingaServiceTicket.

For general information on Secure MapR tickets and the maprlogin utility, see http://doc.mapr.com/display/MapR/Tickets+and+Certificates.

Unlike Hadoop distributions that use HDFS, MapR does not use Kerberos directly for authentication and authorization. When Kerberos security is enabled, the native MapR security infrastructure is still used to secure the cluster but Kerberos can be used to authenticate users when requesting tickets from the maprlogin utility.

To authenticate using Kerberos, the user first obtains a valid Kerberos ticket using the kinit utility, then requests a MapR ticket using maprlogin kerberos. If maprlogin is satisfied that the user holds a valid Kerberos ticket for the Kerberos MapR Service Principal (typically mapr/mapr.cluster.name@KRB5.REALM), a MapR ticket is issued.

Because Kerberos tickets can be issued without user interaction by using a keytab file, VectorH transparently creates and renews Kerberos and MapR tickets for each database (as it does for HDFS clusters secured with Kerberos). To facilitate this, Kerberos tickets are managed by the kinit and krenew utilities (instead of the k5start utility). This allows the maprlogin utility to be run after the Kerberos ticket is issued but before the TGT server is started. The krenew utility is similar to k5start except that it monitors and renews Kerberos tickets instead of creating them. This has the added advantage that a renewable ticket can be requested using kinit -r even when renewable tickets are not specified as the default in the local /etc/krb5.conf.

On X100 server startup, runkstart launches startauth on all nodes. Startauth then does the following:

After it has renewed the Kerberos ticket, krenew can optionally run an auxiliary executable to run maprlogin kerberos.

Note: Because VectorH is monitoring Kerberos tickets and not MapR tickets the Kerberos ticket lifetime should be the same or greater than the MapR ticket lifetime to prevent the MapR ticket expiring before the Kerberos ticket needs renewing. For more information on krenew, see http://linux.die.net/man/1/krenew.

As with Kerberos, private MapR ticket caches are maintained under $II_SYSTEM/ingres/files/krb5/cache on a per database basis. The caches are files named maprticket_dbname. You can use the runkstart utility with the -list flag to view current Kerberos and MapR tickets. For example: