Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX user name. This is required with Kerberized Hadoop clusters to turn full UPNs into the short names required by the HDFS services.
In Ambari these rules look similar to this and are added to the core-site.xml:
Kerberized Ambari will add a set of default mappings, as seen above, while Cloudera handles this a little differently, as seen below:
But if you need to test and validate a rule, the following will allow you to see how a rule modifies a UPN and validate that the correct translation is happening.
Run the following:
hadoop org.apache.hadoop.security.HadoopKerberosName <kerberos-UPN>
A couple of examples are listed below:
1. Running jobs as the AD user hdpuser3@FOO.COM: how does this user get translated?
[hdpuser3@hdp4 ~]$ hadoop org.apache.hadoop.security.HadoopKerberosName hdpuser3@FOO.COM
Name: hdpuser3@FOO.COM to hdpuser3
2. The ZooKeeper service on hdp5.foo.com uses horton-zookeeper/hdp5.foo.com@FOO.COM: how is that UPN translated?
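
To see how a mapping rule turns a principal into a short name without a cluster at hand, the following added example (not from the original post and not Hadoop's own code) re-implements the rule evaluation in Python. The rules, the default realm FOO.COM and the function name to_short_name are assumptions made for illustration; on a real cluster the result depends on the rules in its core-site.xml, and HadoopKerberosName remains the authoritative check.

```python
import re

# Rule shape used by auth_to_local: RULE:[n:format](filter)s/pattern/replacement/g
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Constructed rules for illustration only; not taken from any real core-site.xml.
RULES = [
    r"RULE:[1:$1@$0](.*@FOO\.COM)s/@.*//",
    r"RULE:[2:$1@$0](horton-zookeeper@FOO\.COM)s/.*/zookeeper/",
    "DEFAULT",
]

def to_short_name(principal, rules=RULES, default_realm="FOO.COM"):
    """Return (short_name, rule_that_matched); raise ValueError if none applies."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    params = [realm] + comps          # $0 = realm, $1 = primary, $2 = instance
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only strips the realm when it is the default realm.
            if realm == default_realm:
                return comps[0], rule
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"unparseable rule: {rule}")
        n, fmt, flt, pat, repl, g = m.groups()
        if int(n) != len(comps):      # rule is for a different component count
            continue
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if flt is not None and not re.fullmatch(flt, base):
            continue                  # filter must match the whole formatted string
        result = base
        if pat is not None:
            # The replacement is treated literally; back-references are not handled.
            result = re.sub(pat, lambda _m: repl, base, count=0 if g else 1)
        if "@" in result or "/" in result:
            raise ValueError(f"non-simple name {result!r} from {rule}")
        return result, rule
    raise ValueError(f"no rule applied to {principal}")

if __name__ == "__main__":
    for p in ("hdpuser3@FOO.COM", "horton-zookeeper/hdp5.foo.com@FOO.COM",
              "hdpuser3@OTHER.COM"):  # last one: constructed foreign-realm principal
        try:
            print(p, "->", to_short_name(p))
        except ValueError as e:
            print(p, "-> REJECTED:", e)
```

The third principal is rejected because no rule accepts its realm, which is the behaviour to confirm whenever a filter is widened: a principal from a realm you do not trust should never resolve to a local account.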