MapR 5.1 is at End of Life (EOL) and no longer supported. Please see the latest documentation. This documentation is not being updated.

Home
5.1 Administration
This section contains administration information such as managing your cluster, data, users, jobs and security information such as configuring your security environment and auditing.
Security Guide
Configuring MapR Security
Describes how to enable security features and configure the components on a secure cluster.
Access Control Expressions
Describes how to use ACEs to control user permissions for MapR-DB tables.
Creating User Roles for Access Control Expressions
Describes how to define user actions through roles.

MapR 5.1 Documentation

5.1 Administration
This section contains administration information such as managing your cluster, data, users, jobs and security information such as configuring your security environment and auditing.
- Administrator Guide
- Security Guide
  - Security Overview
    Describes the security features of the MapR Converged Data Platform.
  - Security Architecture
    Describes the default security architecture and additional authentication and encryption capabilities.
  - Logging into a Secure Cluster
    Describes how to use tickets to access a secure MapR cluster.
  - Tickets and Certificates
    Describes how tickets and certificates authenticate users and servers to a cluster.
  - Getting Started with MapR Security
    Describes the two core scenarios that allow quick implementation of security features.
  - Configuring MapR Security
    Describes how to enable security features and configure the components on a secure cluster.
    - Enabling and Disabling Security Features on Your Cluster
      Describes how to enable and disable wire-level security on the nodes of your cluster.
    - Configuring Impersonation
      Describes how to use impersonation to centralize control over user actions.
    - Running Commands on Remote Secure Clusters
      Describes how to manage multiple secure clusters from one secure cluster.
    - Adding Cross-Cluster Tickets to Secure Clusters
      Describes how to add cross-cluster tickets to secure clusters that push and pull data.
    - PAM Configuration
      Describes how to use PAM to verify passwords.
    - Secured TaskTracker
      Describes how to control user access to TaskTracker.
    - Access Control Lists
      Describes how to create different types of ACLs.
    - Access Control Expressions
      Describes how to use ACEs to control user permissions for MapR-DB tables.
      - Syntax of Access Control Expressions
        Describes how to use boolean expressions to combine user, group, and role definitions.
      - Creating User Roles for Access Control Expressions
        Describes how to define user actions through roles.
      - Enabling Table Authorizations with Access Control Expressions
        Describes how to set permissions for tables.
      - Access Control Expressions for MapR-FS
        Describes how to define access to files, directories, and whole volume data using user, group, and role definitions.
    - Permissions
      Describes requirements for API user permissions and file permissions.
    - Securing Open Source Components
      Describes how to use JAAS to configure security for open source components.
    - Configuring Kerberos User Authentication
      Describes how to configure Kerberos for the CLDB.
    - Mirror Volumes and Secure Clusters
      Describes how to configure security for the source and destination clusters of a mirror.
    - Configuring a MapR Cluster to Access a HDFS Cluster
      Describes how to create a connection between a MapR cluster and an HDFS cluster.
  - Auditing of Cluster Administration and Operations on Directories, Files, Tables, and Streams
    Describes how to process and use audit records to improve data analysis.

Creating User Roles for Access Control Expressions

Describes how to define user actions through roles.

Roles are a label attached to a set of users that defines a common task or set of behaviors for those users. Roles enable you to use functionality similar to Unix groups for your users without requiring you to alter your system's existing group hierarchy. A role's name can be up to 64 characters long and cannot use the :, &, |, or ! characters. User roles are defined in the /opt/mapr/conf/m7_permissions_roles_refimpl.conf file, which must be identical across all nodes in the cluster. The m7_permissions_roles_refimpl.conf file has the following format:

# The # character indicates comments. Role names must end with a : character.
rolename1:
# Usernames or user IDs are specified on a line after the role name. You can mix user names and user IDs.
username1|userid1
username2|userid2
...
usernameN|useridN
rolename2:
...
# The m7_permissions_roles_refimpl.conf file can have any number of blank lines.
rolenameN:

After adding a new role to the m7_permissions_roles_refimpl.conf file, you must issue the following command to enable the MapR-FS layer to pick up the new role:

$ /opt/mapr/server/mrconfig dbrolescache invalidate

The Roles Library Shared Object and Access Control Expressions

By default, the roles library shared object libmapr_roles_refimpl.so is located in the /opt/mapr/server/permissions/ directory. This shared object uses the C++ syntax and contains the GetSecurityMembership class. Each time an object secured by an ACE is accessed, the MapR-FS layer calls the roles library shared object and checks the permissions of the entity requesting access against the contents of the roles file. The roles library shared object reads the roles file every 600 seconds. You can specify your own roles library shared object and specify the location of that object in the mfs.conf file.