question understanding why mapping Kerberos principals to usernames (and groups) in Archives of Support Questions (Read Only)

understanding why mapping Kerberos principals to usernames (and groups)

ddv36a78 — Fri, 16 Sep 2022 12:48:30 GMT

Hi,

Why the need to map Kerberos principals to usernames (and groups too) ?

AFAIU, it's all about getting (from a principal) a username and a group to match (next) with HDFS authorizations and to determine if a Kerberos principal is authorized, or not, to access a HDFS resource.

So my question is simple: is there another need for such Kerberos/username and Kerberos/group mapping?

Thanks.

Regards,

Dominique

Re: understanding why mapping Kerberos principals to usernames (and groups)

arald — Wed, 31 Jan 2018 20:13:24 GMT

Almost all the tools that are using authorization are based on usernames to authorize. I.e. in Ranger you configure username to allow access. And most of the tools could use an authorization different to Kerberos, so all of them need a mapping from the Kerberos principal to a username.

If you have configured SSH to accept Kerberos authentication, the system still needs to know which user has been authenticated i.e. to determine the home dir and to start the user specific environment