Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

understanding why mapping Kerberos principals to usernames (and groups)

avatar
Explorer

Hi,

Why the need to map Kerberos principals to usernames (and groups too) ?

AFAIU, it's all about getting (from a principal) a username and a group to match (next) with HDFS authorizations and to determine if a Kerberos principal is authorized, or not, to access a HDFS resource.

So my question is simple: is there another need for such Kerberos/username and Kerberos/group mapping?

Thanks.

Regards,

Dominique

1 ACCEPTED SOLUTION

avatar
Super Collaborator

Almost all the tools that are using authorization are based on usernames to authorize. I.e. in Ranger you configure username to allow access. And most of the tools could use an authorization different to Kerberos, so all of them need a mapping from the Kerberos principal to a username.

If you have configured SSH to accept Kerberos authentication, the system still needs to know which user has been authenticated i.e. to determine the home dir and to start the user specific environment

View solution in original post

1 REPLY 1

avatar
Super Collaborator

Almost all the tools that are using authorization are based on usernames to authorize. I.e. in Ranger you configure username to allow access. And most of the tools could use an authorization different to Kerberos, so all of them need a mapping from the Kerberos principal to a username.

If you have configured SSH to accept Kerberos authentication, the system still needs to know which user has been authenticated i.e. to determine the home dir and to start the user specific environment