Security Guide : 9. Vector in Secure Hadoop : Native and Kerberos Security Support on MapR
Native and Kerberos Security Support on MapR
VectorH supports both methods of authentication supported by MapR: Native MapR Security and Kerberos.
VectorH manages authentication for Kerberos only. For information on how to enable authentication methods for MapR Security, consult the MapR documentation (http://doc.mapr.com/display/MapR/Security+Guide).
Secure MapR
MapR has its own native security infrastructure. When enabled, access to MapR services (maprfs, YARN, and so on) requires a valid ticket. User authentication and ticket management are provided by the maprlogin utility. To access any MapR service, users must first run maprlogin password to authenticate themselves to the cluster. Once authenticated, a time-limited ticket is issued. Users can then access services for as long as their ticket is valid. Valid tickets can be renewed using maprlogin renew. Because native security requires manual interaction, VectorH does not support automatic ticket management and renewal. A valid MapR ticket must be obtained for the “actian” user (or instance owner) on each node on which VectorH is to be installed before the installation can continue. We recommend using service tickets because they have longer expiration times than the user tickets maprlogin issues by default. For more information on service tickets, see http://doc.mapr.com/display/MapR/Tickets+and+Certificates#TicketsandCertificates-GeneratingaServiceTicket.
For general information on Secure MapR tickets and the maprlogin utility, see http://doc.mapr.com/display/MapR/Tickets+and+Certificates.
MapR and Kerberos
Unlike Hadoop distributions that use HDFS, MapR does not use Kerberos directly for authentication and authorization. When Kerberos security is enabled, the native MapR security infrastructure is still used to secure the cluster, but Kerberos can be used to authenticate users when they request tickets from the maprlogin utility.
To authenticate using Kerberos, the user first obtains a valid Kerberos ticket using the kinit utility, then requests a MapR ticket using maprlogin kerberos. If maprlogin is satisfied that the user holds a valid Kerberos ticket for the Kerberos MapR Service Principal (typically mapr/mapr.cluster.name@KRB5.REALM), a MapR ticket is issued.
Because Kerberos tickets can be issued without user interaction by using a keytab file, VectorH transparently creates and renews Kerberos and MapR tickets for each database (as it does for HDFS clusters secured with Kerberos). To facilitate this, Kerberos tickets are managed by the kinit and krenew utilities (instead of the k5start utility). This allows the maprlogin utility to be run after the Kerberos ticket is issued but before the TGT server is started. The krenew utility is similar to k5start except that it monitors and renews Kerberos tickets instead of creating them. This has the added advantage that a renewable ticket can be requested using kinit -r even when renewable tickets are not specified as the default in the local /etc/krb5.conf.
On X100 server startup, runkstart launches startauth on all nodes. Startauth then does the following:
kinit -r -> maprlogin kerberos -> krenew
After it has renewed the Kerberos ticket, krenew can optionally run an auxiliary executable to run maprlogin kerberos.
Note: Because VectorH monitors Kerberos tickets and not MapR tickets, the Kerberos ticket lifetime should be the same as or greater than the MapR ticket lifetime, to prevent the MapR ticket from expiring before the Kerberos ticket needs renewing. For more information on krenew, see http://linux.die.net/man/1/krenew.
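The lifetime rule in the note above can be checked mechanically. The following Python is an added example, not VectorH or MapR code: it parses MIT klist output for a per-database cache (the sample is constructed, with a placeholder path and realm) and compares the TGT lifetime against a MapR ticket lifetime the caller supplies in seconds, since it does not parse MapR's own ticket output.

```python
"""Check that a per-database Kerberos TGT outlives the MapR ticket.
Added example (not VectorH or MapR code): parses MIT `klist` output and
compares the TGT lifetime with a caller-supplied MapR ticket lifetime.
"""
import re
from datetime import datetime, timedelta

# Constructed klist output for a per-database cache; path, realm and times are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/path/to/II_SYSTEM/ingres/files/krb5/cache/krb5cc_db1
Default principal: actian@KRB5.REALM

Valid starting       Expires              Service principal
01/15/2024 10:00:00  01/15/2024 18:00:00  krbtgt/KRB5.REALM@KRB5.REALM
\trenew until 01/22/2024 10:00:00
01/15/2024 10:00:05  01/15/2024 18:00:00  mapr/mapr.cluster.name@KRB5.REALM
"""

_TS_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")  # 4- and 2-digit-year klist builds
_ENTRY = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")  # start, expiry, service principal

def _parse_ts(text):
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)

def tgt_lifetime(klist_output):
    """Return (lifetime, renew_until) of the krbtgt entry. renew_until is None
    for a non-renewable TGT, which krenew cannot keep alive."""
    lines = [ln.strip() for ln in klist_output.splitlines()]
    for i, line in enumerate(lines):
        m = _ENTRY.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        lifetime = _parse_ts(m.group(2)) - _parse_ts(m.group(1))
        renew_until = None
        if i + 1 < len(lines) and lines[i + 1].startswith("renew until "):
            renew_until = _parse_ts(lines[i + 1][len("renew until "):])
        return lifetime, renew_until
    raise ValueError("no krbtgt entry in klist output")

def covers_mapr_ticket(klist_output, mapr_ticket_lifetime_s):
    """True when the TGT lives at least as long as the MapR ticket, so the MapR
    ticket cannot expire before krenew needs to renew the Kerberos ticket."""
    lifetime, _ = tgt_lifetime(klist_output)
    return lifetime >= timedelta(seconds=mapr_ticket_lifetime_s)
```

Feed it the output of klist -c for the cache under $II_SYSTEM/ingres/files/krb5/cache and the lifetime configured for MapR tickets on the cluster; a None renew_until means the TGT was not requested renewable and krenew will not be able to keep it alive.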
As with Kerberos, private MapR ticket caches are maintained under $II_SYSTEM/ingres/files/krb5/cache on a per database basis. The caches are files named maprticket_dbname. You can use the runkstart utility with the -list flag to view current Kerberos and MapR tickets. For example:
runkstart -list -dbname dbname
Authentication During Installation on MapR
When MapR security is enabled, the installer attempts to verify that a valid MapR ticket has been issued for both the “actian” and “mapr” users. If not, an error is issued and the installation aborts:
Checking 'actian' credentials...
Attempting to pick up default credentials for cluster host04-mapr1.actian.com
Unable to authenticate as ticket is not available
Run:
maprlogin password|kerberos
to obtain appropriate credentials for the 'actian' user.
ERROR: Security authentication failed. The installation cannot proceed
until this issue has been resolved
Installation cannot continue, aborting...
When Kerberos security is enabled, the installer requires a principal and keytab file to be specified.