2.1. Create Mappings Between Principals and UNIX Usernames

HDP uses a rule-based system to create mappings between service principals and their related UNIX usernames. The rules are specified in the core-site.xml configuration file as the value to the optional key hadoop.security.auth_to_local.

The default rule is DEFAULT. It translates all principals in your default domain to their first component. For example, myusername@APACHE.ORG and myusername/admin@APACHE.ORG both become myusername, assuming your default domain is APACHE.ORG.

Use the following instructions to configure the mappings between principals and UNIX usernames:

  1. Create Rules.

    • Simple Rules

      To make a simple map between principal names and UNIX users, you create a straightforward substitution rule.

      For example, to map the JobTracker (jt) and TaskTracker (tt) principals in the EXAMPLE.COM realm to the UNIX mapred user and the NameNode (nn) and DataNode (dn) principals to the UNIX hdfs user, you would make this the value for the hadoop.security.auth_to_local key in core-site.xml:

      RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
      RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
      DEFAULT
    • Complex Rules

      To accommodate more advanced translations, you can create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.

      • The Base:

        The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component and $2 to the second component.

        For example:

        [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG

        [2:$1] translates myusername/admin@APACHE.ORG to myusername

        [2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin

      • The Filter:

        The filter consists of a regex in parentheses that must match the generated string for the rule to apply.

        For example:

        (.*%admin) matches any string that ends in %admin

        (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN

      • The Substitution:

        The substitution is a sed rule that translates a regex into a fixed string.

        For example:

        s/@ACME\.COM// removes the first instance of @ACME.COM.

        s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by COM.

        s/X/Y/g replaces every X in the name with Y.

  2. Examples.

    • If your default realm is APACHE.ORG, but you also want single-component principals from ACME.COM (such as joe@ACME.COM) to map to their first component (joe), you can create this rule:

      RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//
      DEFAULT
    • To translate names with a second component as well, you can use these rules:

      RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//
      RULE:[2:$1@$0](.*@ACME\.COM)s/@.*//
      DEFAULT
    • To treat all principals from APACHE.ORG with the extension /admin as admin, you can create these rules:

      RULE:[2:$1%$2@$0](.*%admin@APACHE\.ORG)s/.*/admin/
      DEFAULT
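The following Python evaluator is an added worked example (not from the HDP documentation and not Hadoop's own code): it implements the base, filter and substitution steps described above and runs the rules from this page against sample principals. It assumes APACHE.ORG as the default realm, that filter patterns contain no nested parentheses, and the constructed principal eve@EVIL.ORG stands in for a principal from a realm no rule covers.

```python
import re

DEFAULT_REALM = "APACHE.ORG"  # assumed default realm for the rules below

# One rule, in the form this page describes:
#   RULE:[<n>:<pattern>](<filter regex>)s/<regex>/<replacement>/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\]"                          # base
                     r"(?:\((.*)\))?"                                     # optional filter
                     r"(?:s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?))?$")    # optional sed

def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the UNIX name if this rule applies to the principal, else None."""
    name, _, realm = principal.partition("@")
    components, realm = name.split("/"), realm or default_realm
    if rule.strip() == "DEFAULT":
        # DEFAULT only covers the default realm; other realms fall through.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    ncomp, pattern, flt, sed_from, sed_to, gflag = m.groups()
    if len(components) != int(ncomp):
        return None  # the base applies only to principals with this many components
    # Build the candidate string: $0 is the realm, $1 and $2 the components.
    candidate = pattern.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        candidate = candidate.replace("$%d" % i, comp)
    if flt is not None and not re.fullmatch(flt, candidate):
        return None  # the filter must match the whole generated string
    if sed_from is not None:
        candidate = re.sub(sed_from, sed_to, candidate, count=0 if gflag else 1)
    return candidate

def map_principal(rules, principal, default_realm=DEFAULT_REALM):
    """Apply the rules in order; the first one that applies wins."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    raise ValueError("no auth_to_local rule matched %s" % principal)

# The rules shown on this page, combined into one ordered list.
RULES = [
    r"RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/",
    r"RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/",
    r"RULE:[1:$1@$0](.*@ACME\.COM)s/@.*//",
    r"RULE:[2:$1%$2@$0](.*%admin@APACHE\.ORG)s/.*/admin/",
    "DEFAULT",
]
```

Note that the first two filters leave the dots in EXAMPLE.COM unescaped, so they also match realm strings such as EXAMPLEXCOM; escape them as the ACME\.COM and APACHE\.ORG examples do when the realm boundary matters.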