MapR 5.1 is at End of Life (EOL) and no longer supported. Please see the latest documentation. This documentation is not being updated.

Home
5.1 Administration
This section contains administration information such as managing your cluster, data, users, jobs and security information such as configuring your security environment and auditing.
Security Guide
Configuring MapR Security
Describes how to enable security features and configure the components on a secure cluster.
Securing Open Source Components
Describes how to use JAAS to configure security for open source components.

MapR 5.1 Documentation

5.1 Administration
This section contains administration information such as managing your cluster, data, users, jobs and security information such as configuring your security environment and auditing.
- Administrator Guide
- Security Guide
  - Security Overview
    Describes the security features of the MapR Converged Data Platform.
  - Security Architecture
    Describes the default security architecture and additional authentication and encryption capabilities.
  - Logging into a Secure Cluster
    Describes how to use tickets to access a secure MapR cluster.
  - Tickets and Certificates
    Describes how tickets and certificates authenticate users and servers to a cluster.
  - Getting Started with MapR Security
    Describes the two core scenarios that allow quick implementation of security features.
  - Configuring MapR Security
    Describes how to enable security features and configure the components on a secure cluster.
    - Enabling and Disabling Security Features on Your Cluster
      Describes how to enable and disable wire-level security on the nodes of your cluster.
    - Configuring Impersonation
      Describes how to use impersonation to centralize control over user actions.
    - Running Commands on Remote Secure Clusters
      Describes how to manage multiple secure clusters from one secure cluster.
    - Adding Cross-Cluster Tickets to Secure Clusters
      Describes how to add cross-cluster tickets to secure clusters that push and pull data.
    - PAM Configuration
      Describes how to use PAM to verify passwords.
    - Secured TaskTracker
      Describes how to control user access to TaskTracker.
    - Access Control Lists
      Describes how to create different types of ACLs.
    - Access Control Expressions
      Describes how to use ACEs to control user permissions for MapR-DB tables.
    - Permissions
      Describes requirements for API user permissions and file permissions.
    - Securing Open Source Components
      Describes how to use JAAS to configure security for open source components.
    - Configuring Kerberos User Authentication
      Describes how to configure Kerberos for the CLDB.
    - Mirror Volumes and Secure Clusters
      Describes how to configure security for the source and destination clusters of a mirror.
    - Configuring a MapR Cluster to Access a HDFS Cluster
      Describes how to create a connection between a MapR cluster and an HDFS cluster.
  - Auditing of Cluster Administration and Operations on Directories, Files, Tables, and Streams
    Describes how to process and use audit records to improve data analysis.

Securing Open Source Components

Describes how to use JAAS to configure security for open source components.

Open source components on a MapR cluster have several options for security. See the Ecosystem Guide for component-specific instructions.

General Security Configuration with JAAS

Open source components in the MapR Converged Data Platform use the Java Authentication and Authorization Service (JAAS) for security configuration. The /opt/mapr/conf/mapr.login.conf file defines JAAS configurations. The MAPR_ECOSYSTEM_LOGIN_OPTS environment variable in the /opt/mapr/conf/env.sh file specifies the JAAS configuration used by installed open source components. When security is enabled, the value of the MAPR_ECOSYSTEM_LOGIN_OPTS environment variable is modified to include the hybrid JVM option for hadoop.login. This is equivalent to setting the -Dhadoop.login=hybrid flag at the command line.This setting specifies a mixed security environment using Kerberos and internal MapR security technologies.

The mapr.login.conf file has two stanzas for hybrid security:

 /**
 * authenticate using hybrid of kerberos and MapR
 * maprticket must already exist on file system as MapR login module
 * cannot get kerberos identity from subject for implicit login.
 */

hadoop_hybrid {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      useTicketCache=true
      renewTGT=true
      doNotPrompt=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};
 
hadoop_hybrid_keytab {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      refreshKrb5Config=true
      doNotPrompt=true
      useKeyTab=true
      storeKey=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false
      useServerKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};