Simple Rules
To make a simple map between principal names and UNIX users, you create a straightforward substitution rule. For example, to map the ResourceManager(rm) and NodeManager(nm) principals in the EXAMPLE.COM realm to the UNIX
$YARN_USER
user and the NameNode(nn) and DataNode(dn) principals to the UNIX$HDFS_USER
user, you would make this the value for thehadoop.security.auth_to_local
key incore-site.xml
.RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$YARN_USER / RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/ $HDFS_USER/ DEFAULT
Complex Rules
To accommodate more complex translations, you create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.
The Base:
The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the user name from the sections of the principal name. In the pattern section
$0
translates to the realm,$1
translates to the first component and$2
to the second component.For example:
[1:$1@$0]
translatesmyusername@APACHE.ORG
tomyusername@APACHE.ORG
[2:$1]
translatesmyusername/admin@APACHE.ORG
tomyusername
[2:$1%$2]
translatesmyusername/admin@APACHE.ORG
tomyusername%admin
The Filter:
The filter consists of a regex in a parentheses that must match the generated string for the rule to apply.
For example:
(.*%admin)
matches any string that ends in%admin
(.*@SOME.DOMAIN)
matches any string that ends in@SOME.DOMAIN
The Substitution:
The substitution is a sed rule that translates a regex into a fixed string.
For example:
s/@ACME\.COM//
removes the first instance of@SOME.DOMAIN
.s/@[A-Z]*\.COM//
removes the first instance of@
followed by a name followed byCOM
.s/X/Y/g
replaces all of theX
in the name withY