Mapping Kerberos Principals to Short Names

Kerberos user principals typically have the format username@REALM, whereas Hadoop usernames are typically just username. To translate Kerberos principals to Hadoop usernames, Hadoop evaluates the rules defined in the hadoop.security.auth_to_local property in order and uses the first rule that matches. The default setting is the single rule DEFAULT, which strips the @REALM portion only when REALM is the cluster's own Kerberos realm, that is, the default_realm setting in the NameNode krb5.conf file. A principal from any other realm matches no rule, and Hadoop rejects it rather than guessing a username.

If you configure your cluster's Kerberos realm to trust other realms, such as a trust between your cluster's realm and a central Active Directory or MIT Kerberos realm, you must identify the trusted realms in Cloudera Manager so it can automatically generate the appropriate rules. If you do not do so, user accounts in those realms cannot access the cluster.

To specify trusted realms using Cloudera Manager:

  1. Go to the HDFS Service > Configuration tab.
  2. Select Scope > HDFS (Service-Wide).
  3. Select Category > Security.
  4. In the Search field, type Kerberos Realms to find the Trusted Kerberos Realms and Additional Rules to Map Kerberos Principals to Short Names settings.
  5. Add realms that are trusted by the cluster's Kerberos realm. Realm names, including Active Directory realms, must be specified in uppercase letters (for example, CORP.EXAMPLE.COM). To add multiple realms, use the button.
  6. Click Save Changes.

The auto-generated mapping rules strip the Kerberos realm (for example, @CORP.EXAMPLE.COM) for each realm specified in the Trusted Kerberos Realms setting. To customize the mapping rules, specify additional rules in the Additional Rules to Map Kerberos Principals to Short Names setting, one rule per line. Only enter rules in this field; Cloudera Manager automatically surrounds the rules with the appropriate XML tags for the generated core-site.xml file. For more information on creating custom rules, including how to translate mixed-case Kerberos principals to lowercase Hadoop usernames, see Mapping Rule Syntax.

If you specify custom mapping rules for a Kerberos realm using the Additional Rules to Map Kerberos Principals to Short Names setting, ensure that the same realm is not also listed in the Trusted Kerberos Realms setting. Rules are applied in order and the first match wins; the auto-generated rule for a trusted realm is placed ahead of the additional rules, so it takes precedence. Because that rule only strips the realm from the principal and performs no other transformation (such as lowercasing), the custom rule is never reached and is silently ignored.
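The following Python is an added illustration, not code from the page or from Hadoop or Cloudera Manager. It implements the documented auth_to_local rule syntax (RULE:[n:format](regex)s/pattern/replacement/[g][/L] and DEFAULT) closely enough to show the behaviour described in the two preceding paragraphs: realm stripping for a trusted realm, a /L rule that lowercases a mixed-case principal, rejection of a principal from an untrusted realm, and the precedence problem in which an auto-generated strip rule shadows a custom rule for the same realm. The realm names, principals and rule text are constructed for the example; the trusted-realm rules are a stand-in for what Cloudera Manager generates, not its exact output. Back-references in the replacement part use Python's `\1` syntax here rather than Java's, which does not matter for the rules shown.

```python
import re

# Rule syntax of hadoop.security.auth_to_local (as documented by Hadoop):
#   RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g][/L]
#   DEFAULT
# <n>       number of principal components (alice@R has 1, hdfs/host@R has 2)
# <format>  built from $0 (realm) and $1, $2, ... (principal components)
# <regex>   must match the whole formatted string for the rule to fire
# s/.../... sed-style rewrite; trailing g = replace all; trailing /L = lowercase
# DEFAULT   returns the first component, but only for the default realm
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\]"       # [n:format]
    r"(?:\(([^)]*)\))?"               # optional (regex)
    r"(?:s/([^/]*)/([^/]*)/(g?))?"    # optional s/pattern/replacement/[g]
    r"(/L)?$"                         # optional /L
)


class NoMatchingRule(Exception):
    """Raised when no rule maps the principal (Hadoop rejects the login)."""


def parse_rules(text):
    """Parse one rule per line; DEFAULT is represented as None."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("malformed rule: " + line)
        n, fmt, regex, pat, repl, g, lower = m.groups()
        rules.append((int(n), fmt, regex, pat, repl, bool(g), bool(lower)))
    return rules


def to_short_name(principal, rules, default_realm):
    """Apply rules in order; the first matching rule wins, as in Hadoop."""
    name, at, realm = principal.partition("@")
    if not at:
        return principal                     # no realm: already a short name
    components = name.split("/")
    for rule in rules:
        if rule is None:                     # DEFAULT
            if realm == default_realm:
                return components[0]
            continue
        n, fmt, regex, pat, repl, g, lower = rule
        if n != len(components):
            continue
        params = [realm] + components        # $0 = realm, $1.. = components
        try:
            formatted = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)
        except IndexError:                   # format refers to a missing component
            continue
        if regex is not None and not re.fullmatch(regex, formatted):
            continue
        result = formatted
        if pat is not None:
            result = re.sub(pat, repl, formatted, count=0 if g else 1)
        if lower:
            result = result.lower()
        if "@" in result or "/" in result:
            # A "short name" that still carries a realm or host is rejected
            # rather than handed to HDFS as a username.
            raise NoMatchingRule("non-simple name %r from %r" % (result, principal))
        return result
    raise NoMatchingRule(principal)


DEFAULT_REALM = "HADOOP.EXAMPLE.COM"         # constructed: the cluster's own realm

# Constructed stand-in for the rules generated for a trusted realm: strip the
# realm and nothing else, for 1- and 2-component principals.
TRUSTED_REALM_RULES = r"""
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
RULE:[2:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
"""

# Constructed custom rule: strip the realm AND lowercase the result.
LOWERCASE_RULE = r"""
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*///L
"""


def demo():
    """Return the mappings discussed in the text, keyed by scenario."""
    trusted = parse_rules(TRUSTED_REALM_RULES + "DEFAULT")
    custom_only = parse_rules(LOWERCASE_RULE + "DEFAULT")
    both = parse_rules(TRUSTED_REALM_RULES + LOWERCASE_RULE + "DEFAULT")
    out = {
        "default_realm_user": to_short_name("bob@HADOOP.EXAMPLE.COM", trusted, DEFAULT_REALM),
        "trusted_realm_user": to_short_name("alice@CORP.EXAMPLE.COM", trusted, DEFAULT_REALM),
        "trusted_realm_service": to_short_name("hdfs/nn1.corp.example.com@CORP.EXAMPLE.COM", trusted, DEFAULT_REALM),
        "custom_rule_alone": to_short_name("Alice@CORP.EXAMPLE.COM", custom_only, DEFAULT_REALM),
        "custom_rule_shadowed": to_short_name("Alice@CORP.EXAMPLE.COM", both, DEFAULT_REALM),
    }
    try:
        to_short_name("mallory@OTHER.EXAMPLE.COM", trusted, DEFAULT_REALM)
        out["untrusted_realm"] = "mapped"
    except NoMatchingRule:
        out["untrusted_realm"] = "rejected"
    return out


if __name__ == "__main__":
    for scenario, short_name in demo().items():
        print("%-22s %s" % (scenario, short_name))
```

The `custom_rule_shadowed` scenario is the pitfall from the paragraph above: with the trusted-realm rules listed first, `Alice@CORP.EXAMPLE.COM` maps to `Alice`, and the lowercase rule is never consulted; with the custom rule alone it maps to `alice`. Running the same function over your own realm's principals before restarting the cluster is a cheap way to catch a case-sensitivity mismatch against HDFS ownership or Sentry/Ranger policies.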

For these changes to take effect, you must restart the cluster and redeploy the client configuration. On the Cloudera Manager Home > Status tab, click the cluster-wide button and select Deploy Client Configuration.