Hadoop uses users' group memberships at various places for things like determining group ownership for files or for access control. To configure Hadoop for use with Kerberos and Ambari you must create a mapping between service principals and rthese UNIX usernames..
A user is mapped to the groups it belongs to using an implementation
                            of the GroupMappingServiceProvider interface. The
                            implementation is pluggable and is configured in
                                core-site.xml. 
By default Hadoop uses ShellBasedUnixGroupsMapping,
                            which is an implementation of
                                GroupMappingServiceProvider. It fetches the group
                            membership for a username by executing a UNIX shell command. In secure
                            clusters, since the usernames are actually Kerberos principals,
                                ShellBasedUnixGroupsMapping will work only if the
                            Kerberos principals map to valid UNIX usernames. Hadoop provides a
                            feature that lets administrators specify mapping rules to map a Kerberos
                            principal to a local UNIX username .


