Is it possible to either create a pluggable script for handling auth_to_local mappings or load those mappings from an external file/data source rather than manually defining them in hadoop.security.auth_to_local through Ambari? I have a situation where the mappings are really complex and change often and it isn't acceptable to restart every time a change takes place.
Hmmm... I don't think this is possible. You should not have to keep changing the auth_to_local mapping so regularly. It means you have a lot of local users on the box. Why don't you set up the cluster with SSSD, or with Centrify for AD, with the LDAP proxy, to not have any local users on the cluster except for the service users? If you have an existing cluster, keep the service users like hdfs, hbase, ambari-qa local and do your auth_to_local mappings for those, but all actual users are materialized using SSSD and do not map to local users. You can then clean up your /etc/passwd file on each node.
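Added example, not part of the thread or of Hadoop's own code: a small offline evaluator for the kind of rule set the answer describes, with explicit rules only for service principals and one realm-stripping rule for everyone else, so a candidate hadoop.security.auth_to_local value can be checked before it goes into Ambari. The realm, hostnames, principals and rules are constructed, and the evaluator is a simplified approximation of Hadoop's rule semantics (replacement text is taken literally).

```python
import re

# Constructed sample: realm, principals and rules are assumptions for illustration.
DEFAULT_REALM = "EXAMPLE.COM"
RULES = """
RULE:[1:$1@$0](ambari-qa@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
DEFAULT
"""

# RULE:[n:format](filter)s/pattern/replacement/g with optional /L (lowercase)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?")


def short_name(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local name; None if no rule applies."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    params = [realm] + parts            # $0 = realm, $1.. = name components
    for line in rules.split():          # rules are whitespace separated
        if line == "DEFAULT":
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line}")
        n, fmt, flt, pat, repl, glob, lower = m.groups()
        if int(n) != len(parts):        # rule only applies to n-component names
            continue
        base = re.sub(r"\$(\d)", lambda r: params[int(r.group(1))], fmt)
        if flt is not None and not re.fullmatch(flt, base):
            continue
        out = base
        if pat is not None:             # replacement taken literally (no group refs)
            out = re.sub(pat, lambda _: repl, base, count=0 if glob else 1)
        if re.search(r"[/@]", out):     # a usable local name has no realm or host part
            raise ValueError(f"non-simple name {out!r} from rule {line}")
        return out.lower() if lower else out
    return None


if __name__ == "__main__":
    for p in ("nn/master1.example.com@EXAMPLE.COM", "hbase/rs3.example.com@EXAMPLE.COM",
              "ambari-qa@EXAMPLE.COM", "alice@EXAMPLE.COM", "alice@OTHER.COM"):
        print(p, "->", short_name(p))
```

On a cluster node, `hadoop kerbname <principal>` gives the authoritative answer for the rules actually deployed.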