Hadoop uses users' group memberships at various places for things like determining group ownership for files or for access control. To configure Hadoop for use with Kerberos and Ambari you must create a mapping between service principals and these UNIX user names.
A user is mapped to the groups it belongs to using an implementation of
the GroupMappingServiceProviderinterface. The implementation
is pluggable and is configured in core-site.xml.
By default Hadoop uses ShellBasedUnixGroupsMapping, which is an
implementation of GroupMappingServiceProvider. It fetches the
group membership for a user name by executing a UNIX shell command. In secure
clusters, since the user names are actually Kerberos
principals, ShellBasedUnixGroupsMapping will work only if the
Kerberos principals map to valid UNIX user names. Hadoop provides a feature that
lets administrators specify mapping rules to map a Kerberos principal to a local
UNIX user name .
