Non-Ambari Cluster Installation Guide

Creating Mappings Between Principals and UNIX Usernames

HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value to the optional key

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.

Creating Rules

To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

  • The Base

    The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component, and $2 to the second component.

    For example:

    [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG 
    [2:$1] translates myusername/admin@APACHE.ORG to myusername 
    [2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin
  • The Filter

    The filter consists of a regular expression (regex) in parentheses. It must match the generated string for the rule to apply.

    For example:

    (.*%admin) matches any string that ends in %admin 
    (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
  • The Substitution

    The substitution is a sed rule that translates a regex into a fixed string. For example:

    s/@ACME\.COM// removes the first instance of @ACME.COM
    s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by .COM
    s/X/Y/g replaces all of the X's in the name with Y
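
The following added example (not HDP's or Hadoop's own code) models how the base, filter, and substitution act together on a principal, so a rule set can be checked before it goes into core-site.xml. It assumes the three parts are written back to back as [base](filter)s/from/to/, that the filter must match the whole generated string, and that rules are tried in order with the first applicable one winning; the function names and the rule set are hypothetical, and Python's regex engine stands in for Java's.

```python
import re

# Simplified model of the rule format described above: [base](filter)s/from/to/[g]
RULE_RE = re.compile(
    r"^(?:RULE:)?\[(\d+):([^\]]*)\](?:\((.*?)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g?))?$")

def split_principal(principal):
    """Return (realm, [components]) for name[/instance]@REALM."""
    name, _, realm = principal.partition("@")
    return realm, name.split("/")

def apply_rule(rule, principal, default_realm):
    """Return the UNIX username, or None when the rule does not apply."""
    realm, comps = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: principals in the default realm map to their first component.
        return comps[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparseable rule: {rule!r}")
    count, pattern, flt, s_from, s_to, s_all = m.groups()
    if int(count) != len(comps):
        return None  # the base only applies to principals with this many components
    # Build the string from $0 (realm), $1 (first component), $2 (second component).
    params = [realm] + comps
    built = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], pattern)
    # The filter must match the generated string (whole-string match assumed).
    if flt is not None and re.fullmatch(flt, built) is None:
        return None
    if s_from is None:
        return built
    return re.sub(s_from, s_to, built, count=0 if s_all else 1)

def map_principal(rules, principal, default_realm):
    """Try rules in order; the first one that applies wins (assumed ordering)."""
    for rule in rules:
        user = apply_rule(rule, principal, default_realm)
        if user is not None:
            return user, rule
    return None, None

# Constructed rule set, assembled from the example parts shown above.
RULES = [
    r"[2:$1%$2](.*%admin)s/%admin//",
    r"[1:$1@$0](.*@ACME\.COM)s/@ACME\.COM//",
    "DEFAULT",
]
```

With this rule set, a principal from a realm that no filter names (for example bob@OTHER.ORG) maps to nothing, whereas a base with no filter, such as [1:$1], applies to one-component principals from every realm.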