Created on 02-04-2016 04:52 PM
Each rule in the auth-to-local ruleset has one of the following formats:
RULE:[n:string](regexp)s/pattern/replacement/
RULE:[n:string](regexp)s/pattern/replacement/g
RULE:[n:string](regexp)s/pattern/replacement//L
RULE:[n:string](regexp)s/pattern/replacement/g/L
The [n:string] clause indicates a matching rule, where n declares the number of expected components in the principal. Components are separated by a /; a user account has one component (ambari-qa) and a service account has two components (nn/fqdn). The string value declares how to reformat the principal into the value used in the rest of the expression. The placeholders are as follows:
$0 - realm
$1 - 1st component
$2 - 2nd component
Typically the 2nd component is ignored, since it is the service's hostname, so the format is generally set to $1@$0 (but it can be any pattern), as in:
Matches on ambari-qa@EXAMPLE.COM
Translates to ambari-qa@EXAMPLE.COM
Matches on nn/c6501.ambari.apache.org@EXAMPLE.COM
Translates to nn@EXAMPLE.COM
The (regexp) clause indicates a matching rule on the value generated by the [n:string] clause. If this regular expression matches, the replacement expression is invoked.
Does not match on
Does not match on
The s/pattern/replacement/ clause is the replacement expression used to generate the value that becomes the local user account name. It is similar to (if not the same as) a sed replacement expression and is executed over the value generated by [n:string]. The pattern part is a regular expression used to find the portion of the string to replace, and the replacement part is the value that replaces the matched section. If g is specified after the last /, the replacement occurs for every match in the value; otherwise only the first match is processed.
Removes all characters in the source string including and after the @.
Replaces all characters in the source string including and after the @ with "user".
Replaces the first substring "abc" in the source string with "123".
Replaces all substrings "abc" in the source string with "123".
The pattern part of the expression may include capturing groups that can be reused in the replacement part of the expression. Capturing groups are declared using parentheses, and the captured data is referenced by number (in order of placement in the pattern). The placeholder for captured data is a dollar sign followed by the reference number, for example $1.
Captures all sequences of numbers and appends "ID." to it
Captures all sequences of numbers and then all sequences of letters and places the letters before the numbers
By default, translations based on rules are done maintaining the case of the input principal. For example, given the rule
However, this may not be desired given how different operating systems handle usernames: some are case-sensitive and some are case-insensitive. For example, Linux is case-sensitive and Windows is case-insensitive.
To help with this issue, it is possible to force the translated result to be all lower case by adding "/L" to the end of the rule. Note that this does not affect how the pattern matches the input; matching remains case-sensitive.
RULE:[1:$1@$0](ambari-qa-.*@EXAMPLE.COM)s/.*/AMBARI-QA//L
RULE:[1:$1@$0](AMBARI-QA-.*@EXAMPLE.COM)s/.*/AMBARI-QA-UPPER//L
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L
When processing auth-to-local rules, each rule in the ruleset is processed in order. When a match is made, the processing routine effectively exits and returns the translation that was generated.
For example, if the rule set was:
However, if the ruleset was:
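As an added example (not part of the original article), the following Python reimplements the rule semantics described above so a ruleset can be checked without a Hadoop installation: the component count check, $-placeholder formatting, case-sensitive (regexp) matching, the sed-style substitution with its g flag, the /L flag, and first-match-wins processing. It assumes that Hadoop's $1-style group references map directly to Python's \g<1> syntax, and it does not model what Hadoop does when no rule matches (translate simply returns None).

```python
import re
from collections import namedtuple
from typing import Optional
# Grammar described in the article: RULE:[n:string](regexp)s/pattern/replacement/[g][/L]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"   # [n:string]: component count and format string
    r"\(([^)]*)\)"               # (regexp): must match the formatted value
    r"s/([^/]*)/([^/]*)/(g)?"    # s/pattern/replacement/ with optional g (replace all)
    r"(/L)?"                     # optional /L: lowercase the translated result
)
Rule = namedtuple("Rule", "num_components fmt match_re sed_re replacement replace_all lowercase")

def parse_rules(ruleset: str) -> list:
    """Parse a whitespace-separated ruleset such as the hadoop.security.auth_to_local value."""
    rules = []
    for text in ruleset.split():
        m = RULE_RE.fullmatch(text)
        if not m:
            raise ValueError(f"malformed rule: {text}")
        n, fmt, regexp, pattern, repl, g, lower = m.groups()
        # Map $1-style group references to Python's \g<1> syntax (assumed equivalent here)
        repl = re.sub(r"\$(\d+)", r"\\g<\1>", repl)
        rules.append(Rule(int(n), fmt, re.compile(regexp), re.compile(pattern),
                          repl, g is not None, lower is not None))
    return rules

def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name if this single rule matches the principal, else None."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != rule.num_components:
        return None  # [n:...] applies only to principals with exactly n components
    def placeholder(m):  # $0 is the realm, $i the i-th component
        i = int(m.group(1))
        return realm if i == 0 else (components[i - 1] if i <= len(components) else "")
    formatted = re.sub(r"\$(\d+)", placeholder, rule.fmt)
    if not rule.match_re.fullmatch(formatted):
        return None  # (regexp) matching stays case-sensitive even when /L is present
    count = 0 if rule.replace_all else 1  # g: every match; otherwise only the first
    result = rule.sed_re.sub(rule.replacement, formatted, count=count)
    return result.lower() if rule.lowercase else result

def translate(rules: list, principal: str) -> Optional[str]:
    """Rules are tried in order and the first match wins; None means no rule matched."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None
```

Feeding the three /L rules from the case-handling section and ambari-qa-c1@EXAMPLE.COM to translate() yields ambari-qa, the same result HadoopKerberosName prints for that principal below; AMBARI-QA-c1@EXAMPLE.COM skips the first rule because matching is case-sensitive and comes out as ambari-qa-upper.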
Since auth-to-local rulesets can be rather difficult to read and to check for correctness, a handy tool can be used to test them. Note that this tool reads the ruleset from the hadoop.security.auth_to_local property in the core-site.xml file (typically found at /etc/hadoop/conf/core-site.xml) and may not be able to import rules from a different source.
To use the tool, one of two commands can be executed on the command line:
Newer versions of hadoop should use:
Older versions of hadoop should use:
hadoop org.apache.hadoop.security.HadoopKerberosName joe_user@EXAMPLE.COM
Name: joe_user@EXAMPLE.COM to joe_user
hadoop org.apache.hadoop.security.HadoopKerberosName ambari-qa-c1@EXAMPLE.COM
Name: ambari-qa-c1@EXAMPLE.COM to ambari-qa