HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value of the optional key hadoop.security.auth_to_local.
The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.
To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.
The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component and $2 to the second component.
For example:
[1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG
[2:$1] translates myusername/admin@APACHE.ORG to myusername
[2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin
The filter consists of a regex in parentheses that must match the generated string for the rule to apply.
For example:
(.*%admin) matches any string that ends in %admin
(.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
The substitution is a sed rule that translates a regex into a fixed string.
For example:
s/@ACME\.COM// removes the first instance of @ACME.COM.
s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by .COM.
s/X/Y/g replaces all of the X in the name with Y.
If your default realm was APACHE.ORG, but you also wanted to take all principals from ACME.COM that had a single component, such as joe@ACME.COM, you would create this rule:
RULE:[1:$1@$0](.*@ACME.COM)s/@.*//
DEFAULT
To also translate names with a second component, you would use these rules:
RULE:[1:$1@$0](.*@ACME.COM)s/@.*//
RULE:[2:$1@$0](.*@ACME.COM)s/@.*//
DEFAULT
To treat all principals from APACHE.ORG with the extension /admin as admin, your rules would look like this:
RULE:[2:$1%$2@$0](.*%admin@APACHE.ORG)s/.*/admin/
DEFAULT
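The base, filter and substitution steps described above can be checked against the example rules with a small evaluator. This is an added example, not HDP or Hadoop code: the function names are hypothetical, and it assumes Python's re module treats these patterns the same way the real rule engine does, that rules are separated by whitespace, and that the first applicable rule wins.

```python
import re

# Simplified model of the rule grammar on this page (added example, not Hadoop code):
# RULE:[<component count>:<format>](<filter>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rule(rule, principal, default_realm):
    """Return the mapped name, or None when the rule does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT keeps the first component, but only for the default realm.
        return components[0] if realm == default_realm else None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("malformed rule: " + rule)
    count, fmt, filt, pat, repl, glob = m.groups()
    if len(components) != int(count):
        return None                        # base: component count must agree
    params = [realm] + components          # $0 = realm, $1 = first component, ...
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if filt is not None and re.fullmatch(filt, base) is None:
        return None                        # filter must match the whole string
    if pat is None:
        return base
    # sed-style substitution: first match only, unless the g flag is set
    return re.sub(pat, repl, base, count=0 if glob else 1)

def map_principal(rules, principal, default_realm):
    """Try each rule in order; an unmapped principal is an error."""
    for rule in rules.split():
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    raise LookupError("no rule matched " + principal)

if __name__ == "__main__":
    rules = "RULE:[1:$1@$0](.*@ACME.COM)s/@.*// DEFAULT"
    for p in ("joe@ACME.COM", "myusername/admin@APACHE.ORG"):
        print(p, "->", map_principal(rules, p, "APACHE.ORG"))
```

The dots in a filter such as (.*@ACME.COM) are regex wildcards, so escaping them as ACME\.COM restricts the rule to that exact realm string.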