Using auth-to-local rules to isolate cluster users
How to use auth-to-local rules to restrict user access to specific clusters.
By default, the Hadoop auth-to-local rules map a principal of the form <username>/<hostname>@<REALM> to <username>. This means that if there are multiple clusters in the same realm, the principals associated with the hosts of one cluster map to the same user in all other clusters.
For example, if you have two clusters, cluster1-host-[1..4].example.com and cluster2-host-[1..4].example.com, that are part of the same Kerberos realm, EXAMPLE.COM, then the cluster2 principal hdfs/cluster2-host-1.example.com@EXAMPLE.COM will map to the hdfs user even on cluster1 hosts.
To prevent this, use auth-to-local rules as follows to ensure that only principals containing the hostnames of cluster1 are mapped to legitimate users.
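The following is an added illustration, not the page's own rule set: a small Python evaluator that mirrors the core semantics of Hadoop's auth-to-local rule engine (the [n:format] step, the optional match regex applied to the formatted string, the sed-style substitution, the DEFAULT rule, and the rejection of results that still contain '@' or '/'), together with a constructed pair of rules that accept host-bound service principals only for cluster1-host-1..4 and plain user principals of the realm. The rule strings, the default realm EXAMPLE.COM and the sample principals are assumptions chosen to match the scenario above; the evaluator is a simplification and is not Hadoop's code.

```python
import re

# Constructed example rules (not from the page). Two-component principals are
# formatted as "user:host@REALM" so the hostname can be checked by the regex;
# a colon is used as the separator because Hadoop's rule parser does not allow
# '/' inside the s/.../.../ part. No DEFAULT rule: anything unmatched is rejected.
CLUSTER1_RULES = [
    r"RULE:[2:$1:$2@$0](^[^:]+:cluster1-host-[1-4]\.example\.com@EXAMPLE\.COM$)s/:.*//",
    r"RULE:[1:$1@$0](^[^@]+@EXAMPLE\.COM$)s/@.*//",
]
DEFAULT_RULES = ["DEFAULT"]  # what a cluster gets when no rules are configured
DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm of both clusters

# RULE:[n:format](match)s/from/to/g -- match and sed parts are optional
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)


def parse_principal(principal):
    """Split 'user[/host]@REALM' into (components, realm); at most two components."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    components = name.split("/")
    if len(components) > 2:
        raise ValueError("too many components in principal: %r" % principal)
    return components, realm


def format_principal(fmt, components, realm):
    """Expand $0 (realm) and $1, $2 (components) inside the [n:format] string."""
    params = [realm] + components

    def expand(match):
        idx = int(match.group(1))
        if idx >= len(params):
            raise ValueError("format %r references missing component $%d" % (fmt, idx))
        return params[idx]

    return re.sub(r"\$(\d+)", expand, fmt)


def apply_rule(rule, principal, default_realm):
    """Return the short name produced by one rule, or None if the rule does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps any 1- or 2-component principal of the default realm
        # to its first component; this is what lets cluster2's hdfs principal
        # become the hdfs user on cluster1.
        return components[0] if realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    n, fmt, match_re, sed_from, sed_to, sed_global = m.groups()
    if int(n) != len(components):
        return None  # rule is for principals with a different component count
    formatted = format_principal(fmt, components, realm)
    if match_re is not None and re.fullmatch(match_re, formatted) is None:
        return None
    if sed_from is not None:
        formatted = re.sub(sed_from, sed_to, formatted, count=0 if sed_global else 1)
    return formatted


def map_principal(principal, rules, default_realm=DEFAULT_REALM):
    """Evaluate rules in order; raise ValueError when no rule applies or the
    result is not a simple user name (Hadoop's 'hadoop' mechanism does the same)."""
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is not None:
            if "@" in short or "/" in short:
                raise ValueError("non-simple name %r from rule %r" % (short, rule))
            return short
    raise ValueError("no auth-to-local rule matched %r" % principal)


def is_accepted(principal, rules, default_realm=DEFAULT_REALM):
    """True if the principal maps to some local user under these rules."""
    try:
        map_principal(principal, rules, default_realm)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample principals for the two-cluster scenario.
    for p in ("hdfs/cluster1-host-1.example.com@EXAMPLE.COM",
              "hdfs/cluster2-host-1.example.com@EXAMPLE.COM",
              "alice@EXAMPLE.COM"):
        print(p, "-> DEFAULT:", is_accepted(p, DEFAULT_RULES),
              "cluster1 rules:", is_accepted(p, CLUSTER1_RULES))
```

With only DEFAULT configured, both hdfs principals map to the hdfs user; with the cluster1 rule set, the cluster2 principal has no matching rule and is rejected while user principals of the realm still map to their short names. Rules are set per cluster in hadoop.security.auth_to_local (core-site.xml), and the authoritative check for a candidate rule string is Hadoop's own evaluator, for example hadoop org.apache.hadoop.security.HadoopKerberosName hdfs/cluster2-host-1.example.com@EXAMPLE.COM, run on a node of the cluster being protected.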