when I kinit for hdfs in my kerberized cluster securityLab
kinit -kt hdfs.headless.keytab hdfs-securityLab@MYDOMAIN.COM
what is the real user name
is it hdfs or hdfs-securityLab
some services are taking it as hdfs and some not.
As Ranger usersync cannot get the hadoop service principals correctly, they get all jumbled.
I am not sure I understand your comment. hdfs is the Hadoop superuser (think root in linux). So you are saying that you kinit hdfs@/_host@REALM.COM and it becomes hdfs-securityLab? How do you know that happens? Also, can you please check your auth_to_local rules in your core-site.xml?
You are supposed to have hadoop.security.auth_to_local defined in your core-site.xml and that rule translates principals to local users. You can use
$ hadoop org.apache.hadoop.security.HadoopKerberosName hdfs-securityLab@MYDOMAIN.COM
to check does it work as expected. Some links:Fine Tune Hadoop Security Settings