1.2.2.1. Creating Rules

Simple Rules
To make a simple map between principal names and UNIX users, you create a straightforward substitution rule. For example, to map the ResourceManager(rm) and NodeManager(nm) principals in the EXAMPLE.COM realm to the UNIX $YARN_USER user and the NameNode(nn) and DataNode(dn) principals to the UNIX $HDFS_USER user, you would make this the value for the hadoop.security.auth_to_local key in core-site.xml.
```
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$YARN_USER /
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/ $HDFS_USER/
DEFAULT                    
```
Complex Rules
To accomodate more complex translations, you create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution.
- The Base:
  The base begins with the number of components in the principal name (excluding the realm), followed by a colon, and the pattern for building the username from the sections of the principal name. In the pattern section $0 translates to the realm, $1 translates to the first component and $2 to the second component.
  For example:
  [1:$1@$0] translates myusername@APACHE.ORG to myusername@APACHE.ORG
  [2:$1] translates myusername/admin@APACHE.ORG to myusername
  [2:$1%$2] translates myusername/admin@APACHE.ORG to myusername%admin
- The Filter:
  The filter consists of a regex in a parentheses that must match the generated string for the rule to apply.
  For example:
  (.*%admin)matches any string that ends in %admin
  (.*@SOME.DOMAIN) matches any string that ends in @SOME.DOMAIN
- The Substitution:
  The substitution is a sed rule that translates a regex into a fixed string.
  For example:
  s/@ACME\.COM// removes the first instance of @SOME.DOMAIN.
  s/@[A-Z]*\.COM// removes the first instance of @ followed by a name followed by COM.
  s/X/Y/g replaces all of the X in the name with Y

Legal notices