Configuring Hadoop for Kerberos has three parts:

1. Creating a mapping between service principals and UNIX usernames.

Hadoop uses users' group memberships in various places, for example to determine group ownership of files or to make access control decisions. A user is mapped to the groups it belongs to by an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml. By default Hadoop uses ShellBasedUnixGroupsMapping, an implementation of GroupMappingServiceProvider that fetches the group membership for a username by executing a UNIX shell command. In secure clusters the usernames are actually Kerberos principals, so ShellBasedUnixGroupsMapping works only if the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX username.

2. Adding information to various service configuration files.

There are several optional entries in the main service configuration files that must be added to enable security on Hadoop.

3. Adding Java Cryptography Extension (JCE) security policy .jars to every host.
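The principal-to-username mapping rules in part 1 are the hadoop.security.auth_to_local property in core-site.xml; the following added example (not Hadoop's own code) is a small Python evaluator for that rule syntax so the effect of a rule set can be checked offline. The realm, host names and rules are constructed, and the evaluator only covers the common RULE:[n:format](regex)s/pattern/replacement/ and DEFAULT forms, so it is a reading aid rather than a substitute for testing on the cluster.

```python
import re

# Constructed rules in the syntax Hadoop accepts for hadoop.security.auth_to_local;
# the realm, service names and host names are made up for this example.
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [
    r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",          # NameNode principal -> hdfs
    r"RULE:[2:$1@$0](jhs@EXAMPLE\.COM)s/.*/mapred/",       # history server -> mapred
    r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@EXAMPLE\.COM//",   # user@REALM -> user
    "DEFAULT",                                             # first component, default realm only
]
# RULE:[n:format](regex)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\]\((.+)\)s/(.*?)/(.*?)/(g?)$")

def split_principal(principal):
    """'nn/host@REALM' -> (['nn', 'host'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Return the local name this rule yields, or None if the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        return comps[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule}")
    n, fmt, regex, pattern, repl, flag = m.groups()
    if len(comps) != int(n):   # a rule fires only for principals with exactly n components
        return None
    # $0 is the realm, $1..$n are the components of the principal name.
    params = [realm] + comps
    formatted = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
    if not re.fullmatch(regex, formatted):   # the regex has to match the whole string
        return None
    return re.sub(pattern, repl, formatted, count=0 if flag == "g" else 1)

def to_local(principal, rules=RULES):
    """Map a Kerberos principal to a UNIX username using the first rule that applies."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            if "@" in local or "/" in local:
                raise ValueError(f"rule produced a non-simple name: {local}")
            return local
    # Nothing applied: the principal gets no local identity, which is the safe outcome
    # for principals from other realms that the rules do not explicitly cover.
    raise ValueError(f"no rules applied to {principal}")
```

Principals from a realm the rules do not mention fall through every rule, so a cross-realm identity gains a local username only where an administrator wrote a rule for it.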