Hadoop uses users' group memberships at various places for things like determining group ownership for files or for access control. To configure Hadoop for use with Kerberos and Ambari you must create a mapping between service principals and these UNIX usernames.
A user is mapped to the groups it belongs to using an implementation of
                        the GroupMappingServiceProviderinterface. The
                    implementation is pluggable and is configured
                        in core-site.xml.
By default Hadoop uses ShellBasedUnixGroupsMapping, which
                    is an implementation of GroupMappingServiceProvider. It
                    fetches the group membership for a username by executing a UNIX shell command.
                    In secure clusters, since the usernames are actually Kerberos
                        principals, ShellBasedUnixGroupsMapping will work only if
                    the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature
                    that lets administrators specify mapping rules to map a Kerberos principal to a
                    local UNIX username .


