Downcase User Accounts from LDAP to Lowercase Users for Secure Impersonation

Summary

Since Hadoop is commonly run in a Linux environment, the user accounts are case sensitive and traditionally lowercase. In some AD- or LDAP-integrated Datameer environments, user login credentials may contain mixed-case characters.

When utilizing Secure Impersonation with Datameer, user accounts that log into Datameer are used directly to execute Hadoop commands. This article describes how to translate mixed case user names to lower case to properly identify the user and group privileges in Hadoop.

Resolution

When using Secure Impersonation, the user that executes commands in Hadoop is generated by a rule which translates the Kerberos Principal into a local user account. 

The rules are defined in the "hadoop.security.auth_to_local" property. To convert principal names to lowercase, append /L to the rule.

The rule should be placed within the Custom Properties text area on the Hadoop Cluster page within the Admin Tab.

Original

hadoop.security.auth_to_local=RULE:[1:$1](.*) RULE:[2:$1](.*) DEFAULT

Lowercase

hadoop.security.auth_to_local=RULE:[1:$1](.*)/L RULE:[2:$1](.*)/L DEFAULT
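
The effect of the /L suffix on the two property values above, as an added example: a simplified Python model of auth_to_local rule evaluation written for this article, not Hadoop's or Datameer's own code. The principals and the EXAMPLE.COM realm are constructed, and the function names are hypothetical.

```python
import re

# Simplified model of the rule grammar: RULE:[n:format](filter)s/pat/repl/g/L or DEFAULT
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d*):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?)/?(L)?")

# The two property values from this article.
ORIGINAL = "RULE:[1:$1](.*) RULE:[2:$1](.*) DEFAULT"
LOWERCASE = "RULE:[1:$1](.*)/L RULE:[2:$1](.*)/L DEFAULT"

def parse_rules(spec):
    """Split a rule string into tuples of parsed fields, in order."""
    rules, pos = [], 0
    while spec[pos:].strip():
        m = RULE_RE.match(spec, pos)
        if not m:
            raise ValueError("invalid rule at: " + spec[pos:])
        rules.append(m.groups())
        pos = m.end()
    return rules

def short_name(principal, spec, default_realm):
    """Return the local user name the first matching rule produces."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")          # primary[/instance]
    params = [realm] + parts         # $0 = realm, $1 = primary, $2 = instance
    for default, n, fmt, flt, pat, repl, g, lower in parse_rules(spec):
        if default:
            if realm == default_realm:
                return parts[0]
            continue
        if int(n or 0) != len(parts):   # n = number of name components
            continue
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if flt is not None and not re.fullmatch(flt, base):
            continue
        if pat is not None:             # sed-style substitution, if present
            base = re.sub(pat, repl, base, count=0 if g else 1)
        return base.lower() if lower else base   # /L is applied last
    raise ValueError("no rule applies to " + principal)

if __name__ == "__main__":
    # Constructed principals; EXAMPLE.COM is a placeholder realm.
    for p in ("JSmith@EXAMPLE.COM", "HDFS/nn1.example.com@EXAMPLE.COM"):
        for label, spec in (("Original", ORIGINAL), ("Lowercase", LOWERCASE)):
            print(f"{label:9} {p} -> {short_name(p, spec, 'EXAMPLE.COM')}")
```

On a cluster node, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` prints the short name that the cluster's own configured rules produce, which is a quick check that the mapped name matches the lowercase Linux account.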

Further Information

Further reading is available from Hortonworks, as well as in the book Hadoop Security, 1st Ed., by Ben Spivey and Joey Echeverria, Ch. 5: Identity and Authentication - Mapping Kerberos Principals to Usernames, p. 68 ff.