We are trying to set up a single Hadoop cluster to be used in a multibranch company in a secure manner. We have two AD domains in the company: wien.triviadata.com and bratislava.triviadata.com
UPNs exist in both of them. We installed HDP and connected HDP to the bratislava.triviadata.com AD, with the Hadoop SPNs created under the bratislava.triviadata.com LDAP subtree. We have set up a cross-realm trust, where bratislava.triviadata.com trusts UPNs from wien.triviadata.com. Linux is configured using SSSD, where SSSD by default translates UPNs in the form michalklempa@BRATISLAVA.TRIVIADATA.COM into email@example.com
Therefore, user firstname.lastname@example.org can log in to Linux machines, and this michalklempa is a different person than the michalklempa@bratislava...
That's what we are trying to achieve in the Hadoop environment, too. In Hadoop, the default behavior is to strip all the components of the UPN; only "michalklempa" remains as the username. After consulting the user@hadoop mailing list (http://mail-archives.apache.org/mod_mbox/hadoop-user/201801.mbox/%3Ce86b7bfc-670b-7d62-6907-dd6596e220ae%40gmail.com%3E) we changed auth_to_local in Ambari to produce user names in the form: email@example.com
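As an added example (not code from the post or from Hadoop itself), here is a small Python evaluator for Hadoop's auth_to_local rule syntax, run against the two realms from the post; the rule text is an assumption about the intended configuration, and the mechanism switch mirrors Hadoop's hadoop.security.auth_to_local.mechanism property, whose default ("hadoop") rejects mapped names containing '@'.

```python
import re

# Evaluator for hadoop.security.auth_to_local rules (added example, not Hadoop code).
# Rule syntax: RULE:[<n>:<format>](<regexp>)s/<pattern>/<replacement>/[g][/L]  or  DEFAULT
RULE_RE = re.compile(
    r"^\s*(?:(?P<default>DEFAULT)|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>[^)]*)\))?(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g)?)?(?P<lower>/L)?)\s*$"
)

DEFAULT_REALM = "BRATISLAVA.TRIVIADATA.COM"   # realm the HDP cluster is joined to (from the post)
RULES = [  # assumed rule set: keep WIEN users distinct by appending their lowercased realm
    r"RULE:[1:$1@$0](.*@WIEN\.TRIVIADATA\.COM)/L",
    "DEFAULT",  # principals of the cluster's own realm map to their first component
]


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def check(name, mechanism):
    # The default "hadoop" mechanism refuses non-simple names ('/' or '@' in the result);
    # "MIT" keeps the name as the rule produced it.
    if mechanism == "hadoop" and re.search(r"[/@]", name):
        raise ValueError("non-simple name under hadoop mechanism: " + name)
    return name


def apply_rules(principal, rules, default_realm=DEFAULT_REALM, mechanism="hadoop"):
    """Return the local user name for `principal`, or None when no rule applies."""
    parts, realm = parse_principal(principal)
    for text in rules:
        m = RULE_RE.match(text)
        if not m:
            raise ValueError("bad rule: " + text)
        if m.group("default"):
            if realm == default_realm:
                return check(parts[0], mechanism)
            continue
        if int(m.group("n")) != len(parts):
            continue  # rule applies only to principals with exactly n components
        # $0 expands to the realm, $1..$n to the name components.
        base = re.sub(r"\$(\d+)", lambda g: ([realm] + parts)[int(g.group(1))], m.group("fmt"))
        if m.group("match") and not re.fullmatch(m.group("match"), base):
            continue
        result = base
        if m.group("pat") is not None:
            result = re.sub(m.group("pat"), m.group("rep"), base, count=0 if m.group("g") else 1)
        if m.group("lower"):
            result = result.lower()
        return check(result, mechanism)
    return None


if __name__ == "__main__":
    for p in ["michalklempa@WIEN.TRIVIADATA.COM", "michalklempa@BRATISLAVA.TRIVIADATA.COM"]:
        print(p, "->", apply_rules(p, RULES, mechanism="MIT"))
```

The two michalklempa principals map to different local names only under mechanism "MIT"; with the default mechanism the rule that keeps the '@' is rejected, which is the behaviour to verify in Ambari before relying on such names.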