Hadoop uses users' group memberships at various places for things like determining group ownership for files or for access control. To configure Hadoop for use with Kerberos and Ambari you must create a mapping between service principals and these UNIX usernames.
A user is mapped to the groups it belongs to using an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml.
By default Hadoop uses ShellBasedUnixGroupsMapping, which is an implementation of GroupMappingServiceProvider. It fetches the group membership for a username by executing a UNIX shell command.
In secure clusters, since the usernames are actually Kerberos principals, ShellBasedUnixGroupsMapping will work only if the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX username.
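
To check how a set of mapping rules resolves principals before group lookup depends on the result, the following added example (not Hadoop's code and not from the original page) is a simplified Python model of the `hadoop.security.auth_to_local` rule syntax. The realm, principals and rules are constructed samples, `to_local` is a hypothetical helper, and it assumes rules are whitespace-separated and that sed replacements are literal text.

```python
import re

# Constructed sample realm and rules (assumptions, not taken from the page).
DEFAULT_REALM = "EXAMPLE.COM"
RULES = r"""
RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@EXAMPLE\.COM)s/.*/yarn/
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
DEFAULT
"""

# RULE:[n:format](regex)s/pattern/replacement/g with an optional /L suffix.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$")


def to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Return the local username for a principal, or raise ValueError."""
    name, _, realm = principal.partition("@")
    if not realm and "/" not in name:
        return name                            # already a simple name
    parts = [realm] + name.split("/")          # $0 = realm, $1.. = components
    for rule in rules.split():
        if rule == "DEFAULT":
            # DEFAULT: first component, only for the default realm.
            if realm.lower() == default_realm.lower():
                return parts[1]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"unparseable rule: {rule}")
        count, fmt, regex, pat, repl, glob, lower = m.groups()
        if int(count) != len(parts) - 1:
            continue                           # wrong number of components
        base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if regex is not None and not re.fullmatch(regex, base):
            continue                           # filter did not match
        if pat is not None:
            # Replacement is treated as literal text (no group references).
            base = re.sub(pat, lambda _m: repl, base, count=0 if glob else 1)
        if lower:
            base = base.lower()
        if re.search(r"[/@]", base):
            # A name that still looks like a principal is not a UNIX username.
            raise ValueError(f"non-simple name {base!r} from rule {rule}")
        return base
    raise ValueError(f"no rule applied to {principal}")
```

On a cluster node, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` evaluates the configured rules with Hadoop's own implementation.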