Hadoop Security Guide

Creating Mappings Between Principals and UNIX Usernames

HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value to the optional key hadoop.security.auth_to_local.

The default rule is simply named DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.

While mapping the Kerberos principals, if the Kerberos principal names are in UPPERCASE or CaMeLcase, the names will not be recognized on the Linux machine (as Linux user names are always in lower case). You must add the extra switch "/L" to the rule definition to force the conversion to lower case.

Creating Rules

To accommodate more complex translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

  • The Base

    The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component, and $2 to the second component.

    For example:

    [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG
    [2:$1] translates myusername/admin@APACHE.ORG to myusername
    [2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin
  • The Filter

    The filter consists of a regular expression (regex) in parentheses. It must match the whole generated string for the rule to apply.

    For example:

    (.*%admin) matches any string that ends in %admin
    (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
  • The Substitution

    The substitution is a sed rule that replaces the text matched by a regex with a fixed string. For example:

    s/@ACME\.COM// removes the first instance of @ACME.COM
    s/@[A-Z]*\.COM// removes the first instance of @ followed by an uppercase name followed by .COM
    s/X/Y/g replaces all X's in the name with Y
Examples
  • If your default realm is APACHE.ORG, but you also want to accept all single-component principals from ACME.COM, such as joe@ACME.COM, the following rules do this:

    RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//
    DEFAULT
  • To translate names with a second component, you could use these rules:

    RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//
    RULE:[2:$1@$0](.*@ACME\.COM)s/@.*//
    DEFAULT
  • To treat all principals from APACHE.ORG with the extension /admin as admin, your rules would look like this:

    RULE:[2:$1%$2@$0](.*%admin@APACHE\.ORG)s/.*/admin/
    DEFAULT
  • To force user name conversion from CaMeLcase or UPPERCASE to lower case, you can model your rules on the following auth_to_local examples, which have the lowercase switch added:

    RULE:[1:$1]/L
    RULE:[2:$1]/L
    RULE:[2:$1;$2](^.*;admin$)s/;admin$///L
    RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L

    Based on these rules, here is the expected output for the following inputs:

    "JOE@FOO.COM" to "joe"
    "Joe/root@FOO.COM" to "joe"
    "Joe/admin@FOO.COM" to "joe"
    "Joe/guestguest@FOO.COM" to "joe"
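
To make the base / filter / substitution parts from "Creating Rules" and the rule sets in these examples concrete, here is an added Python evaluator for auth_to_local rules. It is example code written for this page, not Hadoop's own KerberosName implementation; the function names and the explicit default_realm argument are assumptions (Hadoop reads the default realm from krb5.conf). It parses rules in the format described above and runs the page's lowercase and ACME.COM rule sets over the page's own principals.

```python
import re

# Grammar of one auth_to_local rule, mirroring the base / filter / substitution
# parts described above. Filter, substitution and the /L switch are optional:
#   RULE:[<n>:<base>](<filter>)s/<from>/<to>/[g][/L]
#   DEFAULT
_RULE_RE = re.compile(
    r"\s*(?:(?P<default>DEFAULT)"
    r"|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<filter>[^)]*)\))?"
    r"(?:s/(?P<frm>[^/]*)/(?P<to>[^/]*)/(?P<g>g)?)?"
    r"(?P<lower>/L)?)\s*"
)


class NoMatchingRule(Exception):
    """No rule produced a short name; such a principal gets no local user."""


def parse_rules(text):
    """Parse the value of hadoop.security.auth_to_local, one rule per line."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError("malformed rule: %r" % line)
        rules.append(m.groupdict())
    return rules


def _split_principal(principal):
    """'user/instance@REALM' -> ('REALM', ['user', 'instance'])."""
    name, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return realm, name.split("/")


def _expand_base(fmt, realm, components):
    """Build the base string: $0 is the realm, $1, $2, ... the components."""
    params = [realm] + components

    def lookup(m):
        i = int(m.group(1))
        if i >= len(params):
            raise ValueError("$%d not available for %r" % (i, fmt))
        return params[i]

    return re.sub(r"\$(\d+)", lookup, fmt)


def apply_rules(rules, principal, default_realm):
    """Return the UNIX short name for principal, using the first rule that applies."""
    realm, comps = _split_principal(principal)
    for r in rules:
        if r["default"]:
            # DEFAULT: principals of the default realm map to their first component.
            if realm == default_realm:
                return comps[0]
            continue
        # Base: the rule applies only to principals with exactly n components.
        if int(r["n"]) != len(comps):
            continue
        base = _expand_base(r["fmt"], realm, comps)
        # Filter: the regex must match the whole base string.
        if r["filter"] is not None and re.fullmatch(r["filter"], base) is None:
            continue
        # Substitution: s/from/to/ replaces the first match, s/from/to/g all matches.
        result = base
        if r["frm"] is not None:
            result = re.sub(r["frm"], r["to"], base, count=0 if r["g"] else 1)
        # /L switch: force the final user name to lower case.
        if r["lower"]:
            result = result.lower()
        return result
    raise NoMatchingRule(principal)


def map_all(rules_text, principals, default_realm):
    """Map every principal and return {principal: short name}."""
    rules = parse_rules(rules_text)
    return {p: apply_rules(rules, p, default_realm) for p in principals}


# The lowercase rule set from the page, verbatim.
LOWERCASE_RULES = """
RULE:[1:$1]/L
RULE:[2:$1]/L
RULE:[2:$1;$2](^.*;admin$)s/;admin$///L
RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L
"""

# The ACME.COM rule set from the page (regex dots escaped, as in the sed examples).
ACME_RULES = r"""
RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//
RULE:[2:$1@$0](.*@ACME\.COM)s/@.*//
DEFAULT
"""

if __name__ == "__main__":
    inputs = ["JOE@FOO.COM", "Joe/root@FOO.COM", "Joe/admin@FOO.COM", "Joe/guestguest@FOO.COM"]
    for p, short in map_all(LOWERCASE_RULES, inputs, "FOO.COM").items():
        print(p, "->", short)   # each prints "joe", as the table above expects
```

A principal that no rule accepts raises NoMatchingRule rather than falling back to some name; that is the outcome you want, because the filter is the only thing standing between a principal from a foreign realm and a local account, and the escaped dot in `@ACME\.COM` keeps that filter from also matching realms such as `ACMEXCOM`.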