2.2. Creating Mappings Between Principals and UNIX Usernames

HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value to the optional key hadoop.security.auth_to_local.

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.

Creating Rules

To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

  • The Base

    The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component and $2 to the second component.

    For example:

    [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG 
    [2:$1] translates myusername/admin@APACHE.ORG to myusername 
    [2:$1%$2] translates myusername/admin@APACHE.ORG to “myusername%admin
  • The Filter

    The filter consists of a regular expression (regex) in a parentheses. It must match the generated string for the rule to apply.

    For example:

    (.*%admin) matches any string that ends in %admin 
    (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
  • The Substitution

    The substitution is a sed rule that translates a regex into a fixed string. For example:

    s/@ACME\.COM// removes the first instance of @SOME.DOMAIN
    s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by COM. 
    s/X/Y/g replaces all of X's in the name with Y

loading table of contents...