Creating Mappings Between Principals and UNIX Usernames
HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value of the optional key hadoop.security.auth_to_local.
The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.
Creating Rules
To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.
The Base
The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component, and $2 to the second component.
For example:
[1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG
[2:$1] translates myusername/admin@APACHE.ORG to myusername
[2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin
The Filter
The filter consists of a regular expression (regex) in parentheses. It must match the string generated by the base for the rule to apply.
For example:
(.*%admin) matches any string that ends in %admin
(.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
The Substitution
The substitution is a sed rule that translates a regex into a fixed string. For example:
s/@ACME\.COM// removes the first instance of @ACME.COM
s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by COM
s/X/Y/g replaces all X's in the name with Y
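The following is an added example, not part of the original documentation: a small Python evaluator for the base, filter and substitution parts described above, run over a constructed rule set (the EXAMPLE.COM and CORP.EXAMPLE.COM realms and the nn/dn/rm principals are assumed sample values). It mirrors how Hadoop applies rules in order, requires the filter to match the whole base string, and rejects a principal when no rule matches, which is what keeps principals from an untrusted realm from silently mapping to a local account.

```python
import re

# Constructed example rule set (not from the original page) in the
# hadoop.security.auth_to_local syntax: NameNode/DataNode principals map
# to hdfs, the ResourceManager to yarn, users from a trusted realm keep
# their first component, and the DEFAULT rule covers the local realm.
DEFAULT_REALM = "EXAMPLE.COM"
AUTH_TO_LOCAL = r"""
RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0](dn@EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@EXAMPLE\.COM)s/.*/yarn/
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@CORP\.EXAMPLE\.COM//
DEFAULT
"""

# RULE:[n:pattern](filter)s/regex/replacement/g  -- filter and s/// are optional
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def parse_rules(text):
    """Split a rule list into tuples; None stands for the DEFAULT rule."""
    rules = []
    for token in text.split():
        if token == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.fullmatch(token)
        if not m:
            raise ValueError("malformed rule: " + token)
        n, fmt, flt, frm, to, g = m.groups()
        rules.append((int(n), fmt, flt, frm, to, bool(g)))
    return rules

def apply_rules(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a short name, or raise if no rule matches."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")              # $1, $2, ...; $0 is the realm
    params = [realm] + parts
    for rule in rules:
        result = None
        if rule is None:                 # DEFAULT: first component, local realm only
            if realm == default_realm:
                result = parts[0]
        else:
            n, fmt, flt, frm, to, g = rule
            if len(parts) != n:          # base: component count must match exactly
                continue
            base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
            if flt is not None and not re.fullmatch(flt, base):
                continue                 # filter must match the whole base string
            result = re.sub(frm, to, base, count=0 if g else 1) if frm is not None else base
        if result is not None:
            if re.search(r"[/@]", result):   # Hadoop rejects "non-simple" results
                raise ValueError(f"non-simple name {result!r} for {principal}")
            return result
    raise ValueError("no auth_to_local rule matched " + principal)
```

On a real cluster the same check is `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>`, which prints the name the configured rules produce for that principal.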