AnsweredAssumed Answered

Motivation behind using a service ticket rather then user impersonation for a service?

Question asked by reedv on Jan 22, 2018
Latest reply on Jan 22, 2018 by maprcommunity

What is the effective difference between running a service with a mapr service ticket as user "mapr" as opposed to setting it up to impersonate user "mapr" (or some other user, in both cases)? Looking at the docs, it seems like the only difference is that you can set a service ticket to never expire, while a user ticket has no such ability (in the case of using impersonation). Also, in the context of auditing volumes (with the marcli expandaudit command) is there a difference between what the logged username looks like when impersonating a mapr user vs using a mapr service ticket for that user?

 

Ultimately, I am asking because I am currently running streamsets on mapr and am using hadoop impersonation mode to use the streamsets service on the cluster as the admin user "mapr". For security reasons, I would like to know the difference between impersonation and service ticket. Also, would like to be able to see what actions the streamsets service was responsible for when drill-exploring expandaudit logs (as currently all operations are logged as being done by "mapr"). 

Thanks.

Outcomes