if your unix login name is different from kerberos principle in Active directory, you might be end up with different behavior.
For example, you have unix account with the name devadm and the kerberos principle for this account configured in Active directory was sv_ou_devadm_test@TANU.COM (since many organization follow their standard)
if you run any mapreduce jobs, hadoop will always use kerberos principle and create all the files and directory in hdfs storage with sv_ou_devadm_test ownership.
And also it will try to set the yarn container logs with principle name and then it will fail with below error.
For example, you have unix account with the name devadm and the kerberos principle for this account configured in Active directory was sv_ou_devadm_test@TANU.COM (since many organization follow their standard)
if you run any mapreduce jobs, hadoop will always use kerberos principle and create all the files and directory in hdfs storage with sv_ou_devadm_test ownership.
And also it will try to set the yarn container logs with principle name and then it will fail with below error.
at java.lang.Thread.run(Thread.
2018-04-05 10:34:01,945 ERROR org.apache.hadoop.yarn.
java.io.IOException: Owner 'devadm' for path /var/log/hadoop-yarn/
at org.apache.hadoop.io.
Update below rule in hadoop.security.auth_to_local
RULE:[1:$1](sv_ou_.*_test)s/sv_ou_(.*)_test/$1/g
RULE:[2:$1](sv_ou_.*_test)s/sv_ou_(.*)_test/$1/g
DEFAULT
For Reference:
https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_kerbprin_to_sn.html
Example Rules
Suppose all of your service principals are either of the form App.service-name/fully.qualified.domain.name@YOUR-REALM.COM or App.service-name@YOUR-REALM.COM, and you want to map these to the short name string service-name. To do this, your rule set would be:
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[1:$1](App\..*)s/App\.(.*)/$1/g
RULE:[2:$1](App\..*)s/App\.(.*)/$1/g
DEFAULT
</value>
</property>
The first $1 in each rule is a reference to the first component of the full principal name, and the second $1 is a regular expression back-reference to text that is matched by (.*).
In the following example, suppose your company's naming scheme for user accounts in Active Directory is FirstnameLastname (for example, JohnDoe), but user home directories in HDFS are /user/firstnamelastname. The following rule set converts user accounts in the CORP.EXAMPLE.COM domain to lowercase.
<property> <name>hadoop.security.auth_to_local</name> <value>RULE:[1:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L RULE:[2:$1@$0](.*@\QCORP.EXAMPLE.COM\E$)s/@\QCORP.EXAMPLE.COM\E$///L DEFAULT</value> </property>
In this example, the JohnDoe@CORP.EXAMPLE.COM principal becomes the johndoe HDFS user.
Default Rule
You can specify an optional default rule called DEFAULT (see example above). The default rule reduces a principal name down to its first component only. For example, the default rule reduces the principal names atm@YOUR-REALM.COM or atm/fully.qualified.domain.name@YOUR-REALM.COM down to atm, assuming that the default domain is YOUR-REALM.COM.
The default rule applies only if the principal is in the default realm.
If a principal name does not match any of the specified rules, the mapping for that principal name will fail.
Testing Mapping Rules
You can test mapping rules for a long principal name by running:
$ hadoop org.apache.hadoop.security.HadoopKerberosName name1 name2 name3
