understanding why mapping Kerberos principals to usernames (and groups)

Explorer

Hi,

Why the need to map Kerberos principals to usernames (and groups too)?

AFAIU, it's all about getting (from a principal) a username and a group to match (next) with HDFS authorizations and to determine if a Kerberos principal is authorized, or not, to access an HDFS resource.

So my question is simple: is there another need for such Kerberos/username and Kerberos/group mapping?

Thanks.

Regards,

Dominique

1 ACCEPTED SOLUTION

Super Collaborator

Almost all the tools that are using authorization are based on usernames to authorize. I.e. in Ranger you configure username to allow access. And most of the tools could use an authorization different to Kerberos, so all of them need a mapping from the Kerberos principal to a username.

If you have configured SSH to accept Kerberos authentication, the system still needs to know which user has been authenticated, i.e. to determine the home dir and to start the user-specific environment.
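The mapping discussed in this thread, as an added example that is not part of the original posts: a simplified evaluator for Hadoop's `hadoop.security.auth_to_local` rule syntax, followed by an HDFS-style owner/group/other read check on the mapped username. The realms, principals, rules and group table are constructed for illustration, and the evaluator leaves out replacement back-references, the lowercase flag and the HDFS superuser bypass.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"   # constructed realm
RULES = [                       # constructed rules in auth_to_local syntax
    r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",        # NameNode service -> hdfs
    r"RULE:[1:$1@$0](.*@PARTNER\.ORG)s/@.*/_partner/",   # trusted foreign realm
    "DEFAULT",
]
# Constructed group table; a real cluster resolves groups from the OS or LDAP.
GROUPS = {"hdfs": {"hadoop"}, "alice": {"analysts"}, "bob_partner": {"guests"}}
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")

def short_name(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map primary[/instance]@REALM to a local username; first matching rule wins."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the cluster's own realm.
            if realm == default_realm:
                return parts[0]
            continue
        n, fmt, match, pat, repl, glob = RULE_RE.match(rule).groups()
        if int(n) != len(parts):
            continue
        # $0 is the realm, $1..$n are the principal's components.
        base = re.sub(r"\$(\d)", lambda m: ([realm] + parts)[int(m.group(1))], fmt)
        if re.fullmatch(match, base):
            return re.sub(pat, repl, base, count=0 if glob else 1)
    # No rule matched: the principal authenticated but has no local identity.
    raise ValueError(f"no rule maps {principal!r} to a local user")

def can_read(principal, owner, group, mode):
    """Read check on the mapped user: owner bits, else group bits, else other."""
    user = short_name(principal)
    if user == owner:
        return bool(mode & 0o400)
    if group in GROUPS.get(user, set()):
        return bool(mode & 0o040)
    return bool(mode & 0o004)

if __name__ == "__main__":
    for p in ("nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "bob@PARTNER.ORG"):
        print(p, "->", short_name(p),
              "| read /data (hdfs:analysts 0640):",
              can_read(p, "hdfs", "analysts", 0o640))
```

A principal from a realm that no rule covers raises an error instead of falling through to a default user, so a valid ticket alone does not yield a local identity.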
