2.2. Creating Mappings Between Principals and OS Service Usernames

HDP uses a rule-based system to create mappings between service principals and their related OS service usernames. The rules are specified in the core-site.xml configuration file as the value of the optional key hadoop.security.auth_to_local.

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG. So if the service principal and the OS service username are the same, the default rule suffices. If the two names are not identical, you must create rules to do the mapping.
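The following Python sketch is an added example, not HDP or Hadoop code. It models how an ordered rule list resolves a principal and goes beyond the DEFAULT rule described above by also handling the RULE:[n:format](regex)s/pattern/replacement/ form that Hadoop accepts for auth_to_local. The nn principal, the hdfs username, the host name and the second realm are constructed sample values, and sed back-references are not modelled.

```python
import re

DEFAULT_REALM = "APACHE.ORG"  # realm taken from the page's example
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def split_principal(principal):
    """Return ([components], realm) for 'a/b@REALM'; realm is None if absent."""
    name, _, realm = principal.partition("@")
    return name.split("/"), (realm or None)

def apply_rule(rule, comps, realm, default_realm):
    """Return the short name if the rule matches, otherwise None."""
    if rule == "DEFAULT":
        # DEFAULT only fires for the default realm and keeps the first component.
        return comps[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    count, fmt, regex, pat, repl, glob = m.groups()
    if len(comps) != int(count):
        return None  # rule targets principals with a different component count
    params = [realm or ""] + comps  # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda x: params[int(x.group(1))], fmt)
    if regex is not None and not re.fullmatch(regex, base):
        return None
    if pat is not None:
        base = re.sub(pat, repl, base, count=0 if glob else 1)
    return base

def to_local(principal, rules, default_realm=DEFAULT_REALM):
    """Map a principal to an OS username; the first matching rule wins."""
    comps, realm = split_principal(principal)
    if realm is None and len(comps) == 1:
        return comps[0]  # already a simple name
    for rule in rules:
        short = apply_rule(rule, comps, realm, default_realm)
        if short is not None:
            if "/" in short or "@" in short:
                raise ValueError(f"non-simple name {short!r} from {principal}")
            return short
    # No rule applied: the principal gets no local identity at all.
    raise LookupError(f"no rule applied to {principal}")
```

With only DEFAULT configured, a principal from any realm other than the default one matches no rule and is rejected rather than mapped, so cross-realm principals need explicit rules placed before DEFAULT.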

