Starting the mapr-loopbacknfs Service to Access a Cluster
Ticket usage guidance
- Use the mapr user ticket on one or more cluster nodes.
- Use the servicewithimpersonation ticket on nodes that:
  - Do not require a mapr user ticket, or
  - Should not have a mapr user ticket stored on them.
- End users (who install on their own node) can:
  - Use their own ticket to start, or
  - Work with a cluster administrator to generate a long-lived service ticket.
Since the NFS server runs based on a single user's ticket, it can act on behalf of only one user. Therefore, the UID or GID associated with the ticket must match the UID or GID of any user who accesses the NFS server via MapR POSIX Client.
Securing the cluster so that only one user can have secure access provides tight control over cluster access, but it also means that any user on the client who is able to read the generated ticket will have read access to all data in the cluster.
Prerequisites for accessing a secure cluster:
- Enable security for the cluster. See Enabling and Disabling Security Features on Your Cluster.
- Generate a user ticket. See Generating a MapR User Ticket for instructions. To support impersonation, the service should be started with the mapr user ticket. If you do not already have a mapr user ticket with full control ACL authorization on the cluster, a cluster administrator must generate your user ticket. (Note that securing the cluster so that only one user can have secure access provides tight control over cluster access, but it also means that any user on the client who is able to read the generated ticket will have read access to all data in the cluster.)
- Go to a server node in the MapR cluster to which you want to connect.
- Be sure to run maprlogin password to log in first. This will generate a mapr user ticket. The user that logs in must be a privileged user, such as the mapr superuser.
- Next, generate either a service with impersonation ticket or a service ticket.
  - Service with impersonation ticket. With this ticket, the MapR service(s) use the client user’s identity for access instead of the privileged mapr user identity. See How Impersonation Works for details.
    Example
    # maprlogin generateticket -type servicewithimpersonation -user mapruser1 -out /var/tmp/longlived_ticket1 -duration 30:0:0 -renewal 90:0:0
  - Service ticket. With this ticket, the user for whom the ticket is generated can be any user. For security reasons, you would choose a service ticket if you do not want to run all application service processes as the mapr user. With a service ticket, you access the cluster for the user account that runs the service. See Generating a Service Ticket for details.
    Example
    # maprlogin generateticket -type service -user mapruser1 -out /var/tmp/longlived_ticket2 -duration 365:0:0
- Copy the user ticket file from the cluster server node where you generated it to the /usr/local/mapr-loopbacknfs/conf directory on the client machine where the MapR POSIX client will run.
- Set the value for the MAPR_TICKETFILE_LOCATION variable in the /usr/local/mapr-loopbacknfs/conf/env.sh file to the path to the mapr user ticket. See Generating a Service Ticket for details.
  Example
  /usr/local/mapr-loopbacknfs/conf/longlived_ticket1
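Because any user on the client who can read the ticket gets read access to all data in the cluster, it is worth checking the copied ticket's permissions before starting the service. The script below is an added example, not part of the MapR documentation: it reads MAPR_TICKETFILE_LOCATION from env.sh and fails if the ticket is a symlink or has any group/other permission bits. The function names are hypothetical, and it assumes env.sh sets the variable with a plain shell assignment.

```shell
#!/bin/sh
# Added example: audit the ticket that env.sh points the service at.
# Assumption: env.sh sets MAPR_TICKETFILE_LOCATION with a plain shell
# assignment, optionally prefixed by "export" and optionally quoted.

# Print the last value assigned to MAPR_TICKETFILE_LOCATION in env.sh ($1).
ticket_path_from_env() {
    sed -n -e 's/^[[:space:]]*export[[:space:]][[:space:]]*//' \
           -e 's/^[[:space:]]*MAPR_TICKETFILE_LOCATION=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Return 0 only if $1 is a regular file (not a symlink) with no
# group/other permission bits, so only its owner can read the ticket.
check_ticket_perms() {
    f=$1
    if [ -z "$f" ]; then
        echo "FAIL: MAPR_TICKETFILE_LOCATION is not set" >&2; return 1
    fi
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $f is accessible to group/other ($mode)" >&2; return 1
    fi
    echo "OK: $f is restricted to its owner"
}

# Audit the ticket referenced by the env.sh file given as $1.
audit_loopbacknfs_ticket() {
    check_ticket_perms "$(ticket_path_from_env "$1")"
}

# Stand-alone use: sh audit_ticket.sh /usr/local/mapr-loopbacknfs/conf/env.sh
if [ "$#" -gt 0 ]; then
    audit_loopbacknfs_ticket "$1"
fi
```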
Start the mapr-loopbacknfs service and mount the volume
- Start the mapr-loopbacknfs service from the command line.
  # service mapr-loopbacknfs start
- Create a mount point at /mapr and mount the client node to it.
  # mkdir /mapr
  # mount localhost:/mapr /mapr
- You can also automate the mounting of the volume with every launch of the mapr-loopbacknfs service. On the POSIX client node, create /usr/local/mapr-loopbacknfs/conf/mapr_fstab and add the following line:
  localhost:/mapr /mapr hard,nolock