Mapping Authenticated User to Cluster
The `principal.mapping` parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the authenticated user) for grouping, authorization, and to run the request on the cluster.

Note: If a user does not match a principal mapping definition, the authenticated user becomes the effective user.

To add a user mapping rule to an identity-assertion provider:

1. Open the cluster topology descriptor file, `$cluster-name.xml`, in a text editor.
2. Add a `Pseudo` identity-assertion provider to `topology/gateway` with the `principal.mapping` parameter as follows:

   ```xml
   <provider>
       <role>identity-assertion</role>
       <name>Pseudo</name>
       <enabled>true</enabled>
       <param>
           <name>principal.mapping</name>
           <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
       </param>
   </provider>
   ```

   where the value contains a semicolon-separated list of external-to-internal user mappings, and the following variables match the names in your environment:

   - `$user_ids` is a comma-separated list of external users, or the wildcard (`*`), which indicates all users.
   - `$cluster_user` is the Hadoop cluster user name the gateway asserts, that is, the authenticated user name.
3. Save the file.

   The gateway creates a new WAR file with a modified timestamp in `$gateway/data/deployments`.
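
Before saving a mapping, it helps to check which cluster user each external user will be asserted as. The following is an added example, not part of the original documentation or the gateway's own code: it reads `principal.mapping` from a topology descriptor, reports rules worth reviewing (wildcards, duplicates, malformed entries), and resolves the effective user. The sample user names are constructed, and two behaviors are assumptions the page does not state: an exact match is tried before the wildcard, and a later rule for the same user overrides an earlier one.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology; the user names are placeholders, not from the page.
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
  <role>identity-assertion</role><name>Pseudo</name><enabled>true</enabled>
  <param><name>principal.mapping</name>
    <value>alice,bob=etl_svc;carol=hdfs;*=guest</value></param>
</provider></gateway></topology>"""

def read_mapping_value(topology_xml):
    """Return the principal.mapping value of the identity-assertion provider, or ''."""
    root = ET.fromstring(topology_xml)
    for provider in root.findall("./gateway/provider"):
        if provider.findtext("role", "").strip() != "identity-assertion":
            continue
        for param in provider.findall("param"):
            if param.findtext("name", "").strip() == "principal.mapping":
                return param.findtext("value", "").strip()
    return ""

def parse_mapping(value):
    """Split 'ids=user;ids=user' into {external_id: cluster_user} plus review findings."""
    table, findings = {}, []
    for rule in filter(None, (r.strip() for r in value.split(";"))):
        ids, sep, cluster_user = rule.partition("=")
        cluster_user = cluster_user.strip()
        if not sep or not cluster_user:
            findings.append(f"malformed rule: {rule!r}")
            continue
        for ext in filter(None, (i.strip() for i in ids.split(","))):
            if ext in table:
                findings.append(f"{ext!r} is mapped more than once")
            if ext == "*":
                findings.append(f"wildcard maps every unlisted user to {cluster_user!r}")
            table[ext] = cluster_user  # assumption: a later rule overrides an earlier one
    return table, findings

def effective_user(table, authenticated_user):
    """Exact match, then wildcard (assumed order), else the authenticated user itself."""
    return table.get(authenticated_user, table.get("*", authenticated_user))

if __name__ == "__main__":
    table, findings = parse_mapping(read_mapping_value(SAMPLE_TOPOLOGY))
    for user in ("alice", "carol", "dave"):
        print(user, "->", effective_user(table, user))
    print("\n".join(findings))
```

A wildcard rule deserves particular attention in review, because it means no external user ever falls through to their own authenticated name.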