How to Use the Impersonation Feature on MapR-FS

In this article, I am going to show you how to use the MapR-FS impersonation feature to create and access a file in MapR-FS. In this example, we will run a Java program as the “mapr” superuser that performs file-system operations on behalf of the “user01” user, so that the resulting files are owned by “user01” and access checks are applied to “user01”, not to “mapr”.

Impersonation
Impersonation, also known as identity assertion, is one user (e.g., “mapr”) accessing data and submitting jobs on behalf of another user (e.g., “user01”). A service that runs as one identity can act for the user who made the request, so that user only gets access to data for which they are authorized, even though the service process itself runs as a different (and usually more privileged) user. Impersonation in MapR allows centralized control of access to resources in MapR-FS, MapR-DB, MapReduce, and ecosystem components/frameworks. Because an impersonating account can act as any user it is allowed to proxy for, the right to impersonate is itself a sensitive privilege: grant it only to the service accounts that need it, and restrict the hosts they may connect from and the groups they may impersonate rather than leaving both open.

Enabling impersonation for the mapr superuser:

  1. Log on to one of the cluster nodes as the “mapr” user (superuser).
  2. Open the /opt/mapr/hadoop/hadoop-<version>/etc/hadoop/core-site.xml file.
  3. Add the following proxy-user properties for the “mapr” superuser if they are not already present:

    The hosts setting (hadoop.proxyuser.mapr.hosts) set to * allows the “mapr” superuser to connect from any host to impersonate a user.
    The groups setting (hadoop.proxyuser.mapr.groups) set to * allows the “mapr” superuser to impersonate users from any group.
    The wildcards are convenient for a test cluster. On a production cluster, replace * with the specific hosts the service runs on and the specific groups whose members it should be able to impersonate.
  4. Set the MAPR_IMPERSONATION_ENABLED environment variable to 1 or true in the environment of the shell from which the Java program will be launched:
    export MAPR_IMPERSONATION_ENABLED=1
  5. The full Java program that shows how impersonation works is displayed below:
    /* Copyright (c) 2009 & onwards. MapR Tech, Inc., All rights reserved */
    
    import org.apache.hadoop.fs.*;
    import org.apache.hadoop.conf.*;
    import org.apache.hadoop.security.UserGroupInformation;
    import java.io.IOException;
    import java.net.URI;
    import java.security.PrivilegedExceptionAction;
    
    
    /**
     * Assumes mapr installed in /opt/mapr
     * In order to see how impersonation works, run this program as mapr user.
     * It creates a directory and a file under the given pathname as "user01"
     * and then reads the file back, all while the JVM itself runs as "mapr".
     */
    public class ImpersonationTest
    {
      public static void main(final String args[]) throws IOException,
          InterruptedException {
        if (args.length != 1) {
          System.out.println("usage: ImpersonationTest pathname");
          return;
        }
        // The real user is whoever launched the JVM (expected to be "mapr")
        System.out.println("User running the application is : "
            + UserGroupInformation.getCurrentUser());
    
        // Create proxy user for "user01", backed by "mapr" as the real user
        UserGroupInformation ugi = UserGroupInformation.createProxyUser("user01",
            UserGroupInformation.getCurrentUser());
        // Run the file system commands as "user01"
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() {
            runFsCommand(args);
            return null;
          }
        });
      }
    
      public static void runFsCommand(String args[]) {
        // Accepted forms of the pathname argument:
        // maprfs:/// -> uses the first entry in /opt/mapr/conf/mapr-clusters.conf
        // maprfs:///mapr/my.cluster.com/
        // /mapr/my.cluster.com/
        try {
          byte buf[] = new byte[ 65*1024];
          String dirname = args[0];
          Configuration conf = new Configuration();
          // if wanting to use a different cluster, pass its URI explicitly:
          //FileSystem fs = FileSystem.get(URI.create(uri), conf);
          FileSystem fs = FileSystem.get(conf);
          Path dirpath = new Path( dirname + "/dir");
          Path wfilepath = new Path( dirname + "/file.w");
          Path rfilepath = wfilepath;
          // try mkdir (performed as "user01" inside doAs)
          boolean res = fs.mkdirs( dirpath);
          if (!res) {
            System.out.println("mkdir failed, path: " + dirpath);
            return;
          }
          System.out.println( "mkdir( " + dirpath + ") went ok, now writing file");
          // create wfile; the new file is owned by "user01"
          FSDataOutputStream ostr = fs.create( wfilepath,
              true, // overwrite
              512, // buffersize
              (short) 1, // replication
              (long)(64*1024*1024) // chunksize
          );
          ostr.write(buf);
          ostr.close();
          System.out.println( "write( " + wfilepath + ") went ok");
          // read rfile back; the open and read are also authorized as "user01"
          System.out.println( "reading file: " + rfilepath);
          FSDataInputStream istr = fs.open( rfilepath);
          int nread = istr.read(buf);
          istr.close();
          System.out.println( "Read ok, bytes read: " + nread);
        } catch (Exception e) {
          // Permission or proxy-user errors surface here as exceptions
          e.printStackTrace();
        }
      }
    }
    
  6. Impersonation is achieved by the following code block:
    // Create proxy user for "user01"
    UserGroupInformation ugi = UserGroupInformation.createProxyUser("user01",
        UserGroupInformation.getCurrentUser());
    // Run the file system commands as "user01"
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() {
        runFsCommand(args);
        return null;
      }
    });
    
    In this block, UserGroupInformation.getCurrentUser() is the “mapr” user who is currently running the Java application, and “user01” is the user to be impersonated. The UserGroupInformation.createProxyUser method creates a proxy user for “user01” backed by the UserGroupInformation of the real user (“mapr”). The ugi.doAs() block runs the runFsCommand(args) action as “user01”, so every file-system call inside it is authorized against “user01”, not against the superuser. Once the program runs successfully, the “/user/user01/dir” directory and “/user/user01/file.w” file are owned by “user01”, even though the application was run as the “mapr” user. The impersonated user must be a user known to the cluster nodes; if “mapr” is not permitted to impersonate “user01” (for example because the hosts or groups settings from step 3 exclude it), the calls inside doAs() fail with an authorization error rather than silently running as “mapr”.

  7. Compile and run (as the “mapr” user, with MAPR_IMPERSONATION_ENABLED set in the same shell):
    javac -cp $(hadoop classpath) ImpersonationTest.java
    java -cp .:$(hadoop classpath) ImpersonationTest /user/user01

  8. Sample output is shown below. From the output, you can see that the directory and file were created owned by “user01”, because of impersonation.
  9. The following Hadoop command shows the permissions for the dir and file; both of them are owned by “user01”.
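The hosts and groups settings from step 3 are the whole access-control decision for impersonation: they determine which real users may act for which proxied users, and from which hosts. The following Python model is added here for illustration; it is not code from MapR or from this article. It parses a constructed core-site.xml fragment and applies the same rule Hadoop's default impersonation provider uses, so the wildcard settings for “mapr” can be compared with a restricted configuration. The “gateway” superuser, the host names and the group names are assumptions for the example; host entries are matched literally (Hadoop also resolves host names and accepts CIDR ranges), and the denial messages follow the wording of Hadoop's AuthorizationException.

```python
"""
Stand-alone model of the Hadoop proxy-user authorization check that governs
impersonation. Simplified re-implementation for illustration, not MapR's or
Hadoop's code: only the hosts/groups/users properties are considered and
host entries are matched literally.
"""
import xml.etree.ElementTree as ET

PROXYUSER_PREFIX = "hadoop.proxyuser."

# Constructed core-site.xml fragment (example data, not a real cluster's file).
# The "mapr" entries are the wildcard settings the article describes; the
# "gateway" superuser is a hypothetical service account with the restricted
# form a production cluster should prefer.
CORE_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.proxyuser.mapr.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.mapr.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.gateway.hosts</name>
    <value>gw01.example.com,gw02.example.com</value>
  </property>
  <property>
    <name>hadoop.proxyuser.gateway.groups</name>
    <value>analysts</value>
  </property>
</configuration>
"""


def load_proxyuser_config(xml_text):
    """Return {(superuser, kind): set(values)} for kind in hosts/groups/users."""
    rules = {}
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        if not name.startswith(PROXYUSER_PREFIX):
            continue
        superuser, _, kind = name[len(PROXYUSER_PREFIX):].rpartition(".")
        if not superuser or kind not in ("hosts", "groups", "users"):
            continue
        rules[(superuser, kind)] = {v.strip() for v in value.split(",") if v.strip()}
    return rules


def authorize(rules, real_user, proxied_user, proxied_groups, remote_addr):
    """
    Decide whether real_user may impersonate proxied_user when connecting
    from remote_addr. Returns (allowed, reason). A superuser with no
    proxyuser properties at all is denied, as in Hadoop.
    """
    allowed_groups = rules.get((real_user, "groups"), set())
    allowed_users = rules.get((real_user, "users"), set())
    allowed_hosts = rules.get((real_user, "hosts"), set())

    # First gate: is the proxied user inside the population this superuser may act for?
    user_ok = ("*" in allowed_groups or "*" in allowed_users
               or proxied_user in allowed_users
               or any(g in allowed_groups for g in proxied_groups))
    if not user_ok:
        return False, "User: %s is not allowed to impersonate %s" % (real_user, proxied_user)

    # Second gate: is the superuser connecting from a host it is allowed to use?
    host_ok = "*" in allowed_hosts or remote_addr in allowed_hosts
    if not host_ok:
        return False, "Unauthorized connection for super-user: %s from IP %s" % (real_user, remote_addr)

    return True, "%s may impersonate %s from %s" % (real_user, proxied_user, remote_addr)


def demo():
    """Evaluate a few constructed requests against the fragment above."""
    rules = load_proxyuser_config(CORE_SITE_XML)
    cases = [
        ("mapr", "user01", ["users"], "10.10.0.7"),           # wildcard: allowed anywhere
        ("gateway", "user01", ["analysts"], "gw01.example.com"),  # restricted, in policy
        ("gateway", "user01", ["analysts"], "10.10.0.7"),     # wrong host: denied
        ("gateway", "root", ["wheel"], "gw01.example.com"),   # wrong group: denied
    ]
    return [authorize(rules, *case) for case in cases]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Run it with python3 to print the decision for each constructed case. The two denials are the point: a restricted hosts list stops a compromised service credential from being used from an arbitrary machine, and a restricted groups list stops the service from escalating to users outside the population it serves. The * values on the “mapr” entries provide neither protection.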

Impersonation is an important feature for any environment with sensitive data: it lets a long-running program or service run as one user (typically the superuser) while data access is checked against the user making the actual request. Use it whenever a shared service acts on behalf of end users, and keep the set of accounts allowed to impersonate, and the hosts and groups they may proxy for, as small as the deployment allows.

In this blog post, you learned how to use the MapR-FS impersonation feature to create and access a file in MapR-FS. If you have any further questions regarding MapR-FS, please ask them in the comments section below.

To learn more, please take a look at the official product documentation: http://doc.mapr.com/display/MapR41/Configuring+Impersonation+in+MapR
