<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[<principal translation>](<acceptance filter>)<short name substitution>
RULE:[<principal translation>](<acceptance filter>)<short name substitution>
DEFAULT
</value>
</property>

Each rule has the form:

RULE:[<principal translation>](<acceptance filter>)<short name substitution>

The principal translation part has the form [<number of components in principal name>:<initial specification of short name>], where:

<number of components in principal name> – This first part specifies the number of components in the principal name (not including the realm) and must be 1 or 2. A value of 1 specifies principal names that have a single component (for example, hdfs), and 2 specifies principal names that have two components (for example, hdfs/fully.qualified.domain.name). A principal name that has only one component will only match single-component rules, and a principal name that has two components will only match two-component rules.

<initial specification of short name> – This second part specifies a pattern for translating the principal component(s) and the realm into a short name. The variable $0 translates the realm, $1 translates the first component, and $2 translates the second component.

Here are some examples of principal translation sections. These examples use atm@YOUR-REALM.COM and atm/fully.qualified.domain.name@YOUR-REALM.COM as principal name inputs:
| This Principal Translation | Translates atm@YOUR-REALM.COM into this short name | Translates atm/fully.qualified.domain.name@YOUR-REALM.COM into this short name |
|---|---|---|
| [1:$1@$0] | atm@YOUR-REALM.COM | Rule does not match |
| [1:$1] | atm | Rule does not match |
| [1:$1.foo] | atm.foo | Rule does not match |
| [2:$1/$2@$0] | Rule does not match | atm/fully.qualified.domain.name@YOUR-REALM.COM |
| [2:$1/$2] | Rule does not match | atm/fully.qualified.domain.name |
| [2:$1@$0] | Rule does not match | atm@YOUR-REALM.COM |
| [2:$1] | Rule does not match | atm |
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[1:$1](App\..*)s/App\.(.*)/$1/g
RULE:[2:$1](App\..*)s/App\.(.*)/$1/g
DEFAULT
</value>
</property>
The first $1 in each rule is a reference to the first component of the full principal name, and the second $1 is a regular expression back-reference to text that is matched by (.*).
In the following example, suppose your company's naming scheme for user accounts in Active Directory is FirstnameLastname (for example, JohnDoe), but user home directories in HDFS are /user/firstnamelastname. The following rule set converts user accounts in the CORP.EXAMPLE.COM domain to lowercase.
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0](HTTP@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$//
RULE:[1:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L
RULE:[2:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L
DEFAULT
</value>
</property>

In this example, the JohnDoe@CORP.EXAMPLE.COM principal becomes the johndoe HDFS user.
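To see how a rule set is evaluated before deploying it, here is an added example (not code from this page or from Hadoop itself): a simplified Python model of the auth_to_local matching logic, run against the rule sets shown above. It assumes Python's re module, so the Java-only \Q...\E quoting and $n back-references are translated, and the rule lists and principals are constructed for the example.

```python
import re

# Simplified model of auth_to_local rule evaluation (added example, not Hadoop's
# own code). Rule syntax: RULE:[n:format](filter)s/from/to/[g][/L] or DEFAULT.
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?$')

CORP_RULES = [  # constructed: the CORP.EXAMPLE.COM rule set from this page
    r'RULE:[2:$1@$0](HTTP@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$//',
    r'RULE:[1:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L',
    r'RULE:[2:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L',
    'DEFAULT',
]
APP_RULES = [r'RULE:[1:$1](App\..*)s/App\.(.*)/$1/g',  # constructed: App.* example
             r'RULE:[2:$1](App\..*)s/App\.(.*)/$1/g', 'DEFAULT']


def java_to_py(regex):
    """Expand Java's \\Q...\\E literal quoting, which Python's re lacks."""
    return re.sub(r'\\Q(.*?)\\E', lambda m: re.escape(m.group(1)), regex)


def apply_rules(principal, rules, default_realm):
    """Short name for principal, or None if no rule accepts it (Hadoop raises)."""
    name, _, realm = principal.partition('@')
    components = name.split('/')
    params = {str(i): v for i, v in enumerate([realm] + components)}  # $0=realm
    for rule in rules:
        rule = rule.strip()
        if rule == 'DEFAULT':               # DEFAULT only accepts the local realm
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError('unparseable rule: ' + rule)
        ncomp, fmt, flt, frm, to, glob, lower = m.groups()
        if int(ncomp) != len(components):   # 1- and 2-component rules never cross
            continue
        short = re.sub(r'\$(\d)', lambda mm: params.get(mm.group(1), ''), fmt)
        # The acceptance filter must match the whole translated name (Java matches()).
        if flt is not None and not re.fullmatch(java_to_py(flt), short):
            continue
        if frm is not None:                 # sed-style s/from/to/[g]; $1 -> \1
            repl = re.sub(r'\$(\d)', r'\\\1', to)
            short = re.sub(java_to_py(frm), repl, short, count=0 if glob else 1)
        if lower:                           # trailing /L lowercases the result
            short = short.lower()
        return short
    return None
```

A principal from a realm that no rule and no DEFAULT accepts yields None here, which is the case where Hadoop rejects the login rather than silently granting a short name.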
To test your rules, run the HadoopKerberosName class with one or more principal names as arguments; it prints the short name that each principal maps to:

$ hadoop org.apache.hadoop.security.HadoopKerberosName name1 name2 name3