1.7. Post-Kerberos Wizard User/Group Mapping

If you have chosen to use existing MIT or Active Directory Kerberos infrastructure with your cluster, it is important to tell the cluster how to map principals from those existing systems to usernames within the cluster. This is required to translate the principal syntax of the existing systems into the username form Hadoop expects, so that every authenticated principal can be mapped to a local user successfully.

Hadoop uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified using the configuration property hadoop.security.auth_to_local as part of core-site.

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component (the part before any / or @). For example, myusername@EXAMPLE.COM and myusername/admin@EXAMPLE.COM both become myusername, assuming your default domain is EXAMPLE.COM. In this case, EXAMPLE.COM represents the Kerberos realm or Active Directory domain that is being used.