Hadoop Security Guide
Also available as:
PDF
loading table of contents...

Mapping Authenticated User to Cluster

The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the authenticated user) for grouping, authorization, and to run the request on the cluster.

[Note]Note

If a user does not match a principal mapping definition, the authenticated user becomes the effective user.

To add user mapping rule to an identity-assertion provider:

  1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.

  2. Add a Pseudo identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:

    <provider>
        <role>identity-assertion</role>
        <name>Pseudo</name>
        <enabled>true</enabled>
        <param>
            <name>principal.mapping</name>
            <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
        </param>
    </provider>

    where the value contains a semi-colon-separated list of external to internal user mappings, and the following variables match the names in your environment:

    • $user_ids

      is a comma-separated list of external users or the wildcard (*) indicates all users.

    • $cluster_user

      is the Hadoop cluster user name the gateway asserts, that is the authenticated user name.

  3. Save the file.

    The gateway creates a new WAR file with modified timestamp in $gateway/data/deployments.