2.1. Configuration Overview

Configuring HDP for Kerberos has two parts:

  • Creating a mapping between service principals and OS service usernames.

    Hadoop uses group memberships of users at various places, such as to determine group ownership for files or for access control.

    A user is mapped to the groups it belongs to using an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml.

    By default Hadoop uses ShellBasedUnixGroupsMapping, which is an implementation of GroupMappingServiceProvider. It fetches the group membership for a username by executing a UNIX shell command. In secure clusters, since the usernames are actually Kerberos principals, ShellBasedUnixGroupsMapping will work only if the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX username .

  • Adding information to various service configuration files.

    There are several optional entries in service configuration files that must be added to enable security on HDP.


loading table of contents...