Configuring Impersonation

Describes how to use impersonation to centralize control over user actions.

Impersonation, also known as identity assertion, is one user (the mapr super user) accessing data and submitting jobs on behalf of another user. Impersonation in MapR allows centralized control of access to resources in the MapR-FS, MapR-DB, and HBase systems.

Example: Access Control and Impersonation

As an example of impersonation, consider user Bob and a generic Service X:

  1. Bob launches a client for the service and may or may not provide credentials.
  2. Service X authenticates Bob and establishes a connection for him to use.
  3. Bob issues a command to the service that will produce a query.
  4. The service uses the mapr superuser to authenticate with the datastore - MapR-FS/MapR-DB or HBase.
  5. The datastore authenticates the mapr superuser - the service can now proceed.
  6. The service sends the datastore a query, as user Bob.
  7. The datastore checks permissions for Bob on the assets that the query will access.
  8. If Bob has permissions, the datastore returns the query results to the service, which relays the results to the client, and the query succeeds.
  9. If Bob does not have permissions, the datastore sends an access error to the service, which relays the error to the client, and the query fails.

When you use impersonation in MapR:

  • The datastore permissions are authoritative.
  • The process has end-to-end security.
  • Users can do nothing more and nothing less than what they are authorized to do.
  • This control is independent of remote authentication and security mechanisms that control user access to application features.
  • Any permissions set up within applications, or within the UNIX file system permissions on servers where MapR components reside, have no effect on user access to MapR resources.
  • The mapr superuser is allowed to impersonate any MapR user in any group, connecting from any host.

Using Impersonation without Enabling Security

Although it is possible to enable impersonation in an insecure MapR installation, MapR strongly recommends against doing this. The implementation rules are different, and setting up the MapR environment with impersonation operating under those rules makes it very difficult to enable security at a later date. Disabling security in a secure MapR installation is easy, if the need arises.

If you choose to implement impersonation in an insecure MapR cluster, see Configuring Impersonation when Cluster Security is not Enabled. In general, the documentation of impersonation in this Security Guide assumes that security is enabled in your MapR installation. See Enabling and Disabling Security on Your Cluster.