Also available as:
loading table of contents...

Configuring HDP for Kerberos

Configuring HDP for Kerberos has two parts:

  • Creating a mapping between service principals and UNIX usernames.

    Hadoop uses group memberships of users at various places, such as to determine group ownership for files or for access control.

    A user is mapped to the groups it belongs to using an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml.

    By default Hadoop uses ShellBasedUnixGroupsMapping, which is an implementation of GroupMappingServiceProvider. It fetches the group membership for a username by executing a UNIX shell command. In secure clusters, since the usernames are actually Kerberos principals, ShellBasedUnixGroupsMapping will work only if the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX username.

  • Adding information to three main service configuration files.

    There are several optional entries in the three main service configuration files that must be added to enable security on HDP.

This section provides information on configuring HDP for Kerberos.


You must adhere to the existing upper and lower case naming conventions in the configuration file templates.