2.2.1. Creating Rules

  • Simple Rules

    To make a simple mapping between principal names and UNIX users, you create a straightforward substitution rule. For example, to map the ResourceManager (rm) and NodeManager (nm) principals in the EXAMPLE.COM realm to the UNIX $YARN_USER user, and the NameNode (nn) and DataNode (dn) principals to the UNIX $HDFS_USER user, set the following as the value of the hadoop.security.auth_to_local key in core-site.xml.

    RULE:[2:$1@$0]([rn]m@.*EXAMPLE.COM)s/.*/$YARN_USER/
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/
  • Complex Rules

    To accommodate more complex translations, you create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

    • The Base:

      The base begins with the number of components in the principal name (excluding the realm), followed by a colon and the pattern for building the user name from the sections of the principal name. In the pattern section, $0 translates to the realm, $1 to the first component, and $2 to the second component.

      For example:

      [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG

      [2:$1] translates myusername/admin@APACHE.ORG to myusername

      [2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin

    • The Filter:

      The filter consists of a regex in parentheses that must match the whole generated string for the rule to apply.

      For example:

      (.*%admin) matches any string that ends in %admin

      (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN

    • The Substitution:

      The substitution is a sed-style rule that replaces the text matched by a regex with a fixed string.

      For example:

      s/@ACME\.COM// removes the first instance of @ACME.COM.

      s/@[A-Z]*\.COM// removes the first instance of @ followed by an uppercase name and .COM.

      s/X/Y/g replaces all occurrences of X in the name with Y (the trailing g makes the substitution global).
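The following Python evaluator is an added illustration, not part of this documentation or of Hadoop's own code: it parses rules of the form described above (base, filter, substitution, plus DEFAULT) and applies them to sample principals. The rule set, the default realm, and the literal user names standing in for $YARN_USER and $HDFS_USER are constructed for the example.

```python
import re

# Minimal evaluator for hadoop.security.auth_to_local rules (hypothetical;
# written for this example, not Hadoop's own KerberosName class).
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]+)\]'                          # base: [n:pattern]
    r'(?:\(((?:[^()\\]|\\.)*)\))?'                       # optional filter
    r'(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$'  # optional s/re/str/[g]
)

def parse_rule(rule):
    """Return (n, pattern, filter_regex, find, replace, is_global)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule}")
    n, pattern, filt, find, repl, flag = m.groups()
    return int(n), pattern, filt, find, repl, flag == 'g'

def split_principal(principal):
    name, realm = principal.rsplit('@', 1)
    return name.split('/'), realm

def apply_rule(rule, principal):
    """Apply one parsed rule; return the short name, or None if it does not apply."""
    n, pattern, filt, find, repl, is_global = rule
    components, realm = split_principal(principal)
    if len(components) != n:          # component count must match exactly
        return None
    parts = [realm] + components      # $0 = realm, $1 = first component, ...
    base = re.sub(r'\$(\d+)', lambda m: parts[int(m.group(1))], pattern)
    if filt is not None and not re.fullmatch(filt, base):
        return None                   # filter must match the whole base string
    if find is not None:              # sed-style: first match, or all with g
        base = re.sub(find, repl, base, count=0 if is_global else 1)
    return base

def map_principal(rules, principal, default_realm):
    """Evaluate rules in order; DEFAULT maps default-realm principals to $1."""
    for rule in rules:
        if rule == 'DEFAULT':
            components, realm = split_principal(principal)
            if realm == default_realm:
                return components[0]
            continue
        out = apply_rule(parse_rule(rule), principal)
        if out is not None:
            return out
    return None                       # no rule matched: authentication fails

# Constructed rule set; "yarn" and "hdfs" stand in for $YARN_USER / $HDFS_USER.
RULES = [
    'RULE:[2:$1@$0]([rn]m@.*EXAMPLE.COM)s/.*/yarn/',
    'RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/',
    'RULE:[2:$1%$2](.*%admin)s/%admin$//',
    'RULE:[1:$1@$0](.*@SOME.DOMAIN)s/@SOME\\.DOMAIN//',
    'DEFAULT',
]
```

A principal that no rule maps (for example one from an unlisted realm) yields None here, which is the case to watch for when a service fails to authenticate after a rule change.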