Hadoop’s hadoop.security.auth_to_local rules

Hadoop provides a feature that lets administrators specify mapping rules to map a kerberos principal to a local UNIX user name.This required with Kerberized Hadoop clusters to turn full UPN’s into the shortnames required by the HDFS services.


In Ambari these rules look similar to this and are added to the core-site.xml:


Kerberized Ambari will add a set of default mapping as seen above. While Cloudera handles this a little differently as seen below:



But, if you need to test and validate a rule, the following will allow you to see how a rule modifies a UPN and validate the correct translation are happening.

Run the following:

hadoop org.apache.hadoop.security.HadoopKerberosName   <kerberos-UPN>



A couple of examples are listed below:


1.running jobs as the AD user hdpuser3@FOO.COM, how does this user get translated.

[hdpuser3@hdp4 ~]$  hadoop org.apache.hadoop.security.HadoopKerberosName hdpuser3@FOO.COM
Name: hdpuser3@FOO.COM to hdpuser3

2.the zookeeper service on hdp5.foo.com uses horton-zookeeper/hdp5.foo.com@FOO.COM, how is that UPN translated

[hdpuser3@hdp4 ~]$  hadoop org.apache.hadoop.security.HadoopKerberosName horton-zookeeper/hdp5.foo.com@FOO.COM
Name: horton-zookeeper/hdp5.foo.com@FOO.COM to horton-zookeeper

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s