Configuring HDP for Kerberos has two parts:

1. Creating a mapping between service principals and OS service usernames.

   Hadoop uses the group memberships of users in various places, such as to determine group ownership of files or for access control. A user is mapped to the groups it belongs to by an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml. By default Hadoop uses ShellBasedUnixGroupsMapping, an implementation of GroupMappingServiceProvider that fetches the group membership of a username by executing a UNIX shell command. In secure clusters the usernames are actually Kerberos principals, so ShellBasedUnixGroupsMapping works only if the Kerberos principals map to valid UNIX usernames. Hadoop therefore provides a feature that lets administrators specify mapping rules that translate a Kerberos principal to a local UNIX username.

2. Adding information to various service configuration files.

   Several entries in the service configuration files, optional in an unsecured cluster, must be added to enable security on HDP.
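The principal-to-username mapping described in part 1 is expressed in Hadoop as a list of auth_to_local rules of the form RULE:[n:format](match)s/from/to/flags, terminated by DEFAULT. The evaluator below is an added example, not Hadoop's own KerberosName implementation: it re-implements the rule semantics in Python so an administrator can check offline which local user a given principal will become before enabling security. The realm EXAMPLE.COM and the rule set are constructed for illustration; group references in the replacement part follow Python's re syntax.

```python
import re

# Added example: evaluator for Hadoop-style auth_to_local rules
# (the syntax of hadoop.security.auth_to_local in core-site.xml).
# Not Hadoop's KerberosName class; a Python re-implementation of the rules.

DEFAULT_REALM = "EXAMPLE.COM"   # assumption: the cluster's Kerberos realm

# RULE:[n:format](match)s/from/to/flags -- (match) and s/.../ are optional
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/([gL]*))?$"
)


class NoMatchingRule(Exception):
    """No rule produced a simple local name for the principal."""


def parse_principal(principal):
    """Split 'service/host@REALM' into (components, realm)."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, DEFAULT_REALM   # no realm: assume the local one
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the local name this rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only principals of the local realm to their first component
        return components[0] if realm == DEFAULT_REALM else None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"malformed rule: {rule!r}")
    n, fmt, match, frm, to, flags = m.groups()
    if int(n) != len(components):
        return None   # rule targets principals with a different component count

    # Expand the format string: $0 is the realm, $1..$n the principal components
    def expand(tok):
        idx = int(tok.group(1))
        if idx == 0:
            return realm
        if idx > len(components):
            raise ValueError(f"${idx} used but principal has {len(components)} components")
        return components[idx - 1]

    base = re.sub(r"\$(\d+)", expand, fmt)
    # The optional (match) regex must match the whole expanded string
    if match is not None and re.fullmatch(match, base) is None:
        return None
    flags = flags or ""
    if frm is not None:
        # sed-style substitution: 'g' replaces every occurrence, else only the first
        base = re.sub(frm, to, base, count=0 if "g" in flags else 1)
    if "L" in flags:
        base = base.lower()
    return base


def map_principal(principal, rules):
    """Evaluate rules in order; the first rule that applies wins."""
    components, realm = parse_principal(principal)
    for rule in rules:
        result = apply_rule(rule.strip(), components, realm)
        if result is None:
            continue
        # A result that still looks like a principal is refused, as Hadoop does by default
        if "@" in result or "/" in result:
            raise NoMatchingRule(f"rule {rule!r} left a non-simple name {result!r}")
        return result
    raise NoMatchingRule(f"no rule matched {principal!r}")


def try_map(principal, rules):
    """Like map_principal, but returns None instead of raising NoMatchingRule."""
    try:
        return map_principal(principal, rules)
    except NoMatchingRule:
        return None


# Constructed rule set in the style HDP generates for a secure cluster:
# service principals collapse to their OS service user, realm users keep their name.
HDP_STYLE_RULES = [
    "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/",
    "RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/",
    "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("nn/nn1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "rm/rm1.example.com@EXAMPLE.COM", "mallory@OTHER.COM"):
        print(p, "->", try_map(p, HDP_STYLE_RULES))
```

The last principal in the usage run, mallory@OTHER.COM, maps to nothing: no rule's match expression accepts the foreign realm and DEFAULT only applies to the local realm, so a cross-realm principal cannot silently become a local user. That is the check worth running against a production rule set before turning security on: every service principal should land on its intended OS user, and nothing outside the trusted realm should resolve at all.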