DocsHortonworks Data Platform

 

 2.2. Creating Mappings Between Principals and UNIX Usernames

HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value to the optional key hadoop.security.auth_to_local.

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.

 2.2.1. Creating Rules

To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

 2.2.1.1. The Base

The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component and $2 to the second component.

For example:

[1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG

[2:$1] translates myusername/admin@APACHE.ORG to myusername

[2:$1%$2] translates myusername/admin@APACHE.ORG to “myusername%admin

 2.2.1.2. The Filter

The filter consists of a regex in a parentheses that must match the generated string for the rule to apply.

For example:

(.*%admin)matches any string that ends in %admin

(.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN

 2.2.1.3. The Substitution

The substitution is a sed rule that translates a regex into a fixed string.

For example:

s/@ACME\.COM// removes the first instance of @SOME.DOMAIN.

s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by COM.

s/X/Y/g replaces all of the X in the name with Y

 2.2.2. Examples

  • If your default realm was APACHE.ORG, but you also wanted to take all principals from ACME.COM that had a single component joe@ACME.COM, you would create this rule:

    RULE:[1:$1@$0](.@ACME.COM)s/@.//  
DEFAULT

  • To also translate names with a second component, you would use these rules:

    RULE:[1:$1@$0](.@ACME.COM)s/@.// 
RULE:[2:$1@$0](.@ACME.COM)s/@.// 
DEFAULT

  • To treat all principals from APACHE.ORG with the extension /admin as admin, your rules would look like this:

    RULE[2:$1%$2@$0](.%admin@APACHE.ORG)s/./admin/ 
DEFAULT
Legal notices
loading table of contents...