- Simple Rules

  To make a simple map between principal names and UNIX users, you create a straightforward substitution rule. For example, to map the ResourceManager (rm) and NodeManager (nm) principals in the EXAMPLE.COM realm to the UNIX `$YARN_USER` user, and the NameNode (nn) and DataNode (dn) principals to the UNIX `$HDFS_USER` user, make this the value of the `hadoop.security.auth_to_local` key in `core-site.xml`:

  ```
  RULE:[2:$1@$0]([rn]m@.*EXAMPLE.COM)s/.*/$YARN_USER/
  RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/
  DEFAULT
  ```

  Rules are evaluated in the order listed and the first match wins. `DEFAULT` maps any remaining principal in the default realm to its first component, so keep it last. Two things to check before deploying a rule like this: the filter is matched against the whole generated string, but `.*EXAMPLE.COM` still accepts any realm that merely ends in EXAMPLE.COM (and the unescaped dot matches any character), and `s/.*/$YARN_USER/` then hands that principal the service account. If the cluster trusts more than one realm, anchor the filter to the exact realm, for example `([rn]m@EXAMPLE\.COM)`.
- Complex Rules

  To accommodate more complex translations, you create a hierarchical set of rules to add to the default. Each rule is divided into three parts: base, filter, and substitution. Because the first matching rule wins, list the most specific rules first.

  - The Base:

    The base begins with the number of components in the principal name (excluding the realm), followed by a colon and the pattern for building the username from the sections of the principal name. A rule is only considered for principals with exactly that number of components. In the pattern, `$0` translates to the realm, `$1` to the first component and `$2` to the second component.

    For example:

    - `[1:$1@$0]` translates `myusername@APACHE.ORG` to `myusername@APACHE.ORG`
    - `[2:$1]` translates `myusername/admin@APACHE.ORG` to `myusername`
    - `[2:$1%$2]` translates `myusername/admin@APACHE.ORG` to `myusername%admin`
  - The Filter:

    The filter consists of a regex in parentheses that must match the entire string generated by the base for the rule to apply. An unescaped `.` matches any character, so write `\.` when you mean a literal dot in a realm name.

    For example:

    - `(.*%admin)` matches any string that ends in `%admin`
    - `(.*@SOME.DOMAIN)` matches any string that ends in `@SOME.DOMAIN`
  - The Substitution:

    The substitution is a sed-style rule that replaces the text matched by a regex with a fixed string. Without the trailing `g` only the first match is replaced.

    For example:

    - `s/@ACME\.COM//` removes the first instance of `@ACME.COM`
    - `s/@[A-Z]*\.COM//` removes the first instance of `@` followed by a name followed by `.COM`
    - `s/X/Y/g` replaces all of the `X` in the name with `Y`
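The following evaluator is an added example, not Hadoop's own code: it models the `RULE:[n:format](filter)s/from/to/g` syntax and the `DEFAULT` rule described in the Simple Rules and Complex Rules sections above, applies the rules in order, and returns the first match. The realm `EXAMPLE.COM`, the accounts `yarn` and `hdfs` standing in for `$YARN_USER` and `$HDFS_USER`, and the sample principals are constructed for the example. It also shows why the loose `.*EXAMPLE.COM` filter from the Simple Rules list should be anchored when more than one realm is trusted.

```python
"""Added example (not Hadoop's code): evaluate hadoop.security.auth_to_local
rules the way the text describes: base -> filter -> substitution, first match wins,
DEFAULT covers the default realm.  Realm and account names are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_REALM = "EXAMPLE.COM"            # constructed: the cluster's own realm
YARN_USER, HDFS_USER = "yarn", "hdfs"    # constructed stand-ins for $YARN_USER / $HDFS_USER

# The Simple Rules list from the text with placeholders filled in.  ".*EXAMPLE.COM"
# accepts any realm that ends in EXAMPLE.COM (and, dot unescaped, EXAMPLEXCOM).
LOOSE_RULES = (
    f"RULE:[2:$1@$0]([rn]m@.*EXAMPLE.COM)s/.*/{YARN_USER}/ "
    f"RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/{HDFS_USER}/ "
    "DEFAULT"
)
# Same intent with the realm anchored and the dot escaped.
TIGHT_RULES = (
    rf"RULE:[2:$1@$0]([rn]m@EXAMPLE\.COM)s/.*/{YARN_USER}/ "
    rf"RULE:[2:$1@$0]([nd]n@EXAMPLE\.COM)s/.*/{HDFS_USER}/ "
    "DEFAULT"
)

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"        # base: component count and format
    r"(?:\(([^)]*)\))?"                # optional filter regex
    r"(?:s/([^/]*)/([^/]*)/(g)?)?$"    # optional sed-style substitution
)


@dataclass
class Rule:
    components: Optional[int]          # None marks the DEFAULT rule
    fmt: str = ""
    filt: Optional[str] = None
    sub_from: Optional[str] = None
    sub_to: str = ""
    repeat: bool = False               # the trailing "g" flag


def parse_rules(text: str) -> List[Rule]:
    """Split the whitespace-separated rule list and parse each rule."""
    rules = []
    for tok in text.split():
        if tok == "DEFAULT":
            rules.append(Rule(components=None))
            continue
        m = RULE_RE.match(tok)
        if not m:
            raise ValueError(f"malformed rule: {tok}")
        n, fmt, filt, sub_from, sub_to, g = m.groups()
        rules.append(Rule(int(n), fmt, filt, sub_from, sub_to or "", g == "g"))
    return rules


def split_principal(principal: str):
    """'nn/host@REALM' -> (['nn', 'host'], 'REALM'); 'alice@REALM' -> (['alice'], 'REALM')."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal}")
    local, realm = principal.rsplit("@", 1)
    return local.split("/"), realm


def build_base(fmt: str, comps: List[str], realm: str) -> str:
    """Expand $0 (realm), $1 (first component), $2 (second component) in the format."""
    return re.sub(r"\$(\d+)",
                  lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                  fmt)


def map_principal(principal: str, rules: List[Rule]) -> str:
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule.components is None:                    # DEFAULT
            if realm == DEFAULT_REALM:
                return comps[0]
            continue
        if rule.components != len(comps):              # base applies only to this shape
            continue
        base = build_base(rule.fmt, comps, realm)
        # The filter must match the whole generated string, not a substring.
        if rule.filt is not None and not re.fullmatch(rule.filt, base):
            continue
        result = base
        if rule.sub_from is not None:
            result = re.sub(rule.sub_from, rule.sub_to, base,
                            count=0 if rule.repeat else 1)
        # A result that still looks like a principal is refused rather than
        # handed to the OS as a user name.
        if re.search(r"[/@]", result):
            raise ValueError(f"non-simple name {result!r} from rule {rule}")
        return result
    raise ValueError(f"no rule matched {principal}")


def try_map(principal: str, rules_text: str) -> Optional[str]:
    """The mapped UNIX user, or None when no rule accepts the principal."""
    try:
        return map_principal(principal, parse_rules(rules_text))
    except ValueError:
        return None


if __name__ == "__main__":
    for p in ["rm/host1.example.com@EXAMPLE.COM", "dn/host2.example.com@EXAMPLE.COM",
              "alice@EXAMPLE.COM", "nn/host3.evil-example.com@EVIL-EXAMPLE.COM"]:
        print(f"{p:48} loose={try_map(p, LOOSE_RULES)!s:6} tight={try_map(p, TIGHT_RULES)}")
```

Running the script prints one line per constructed principal under both rule sets: the service principals in EXAMPLE.COM map to `yarn` and `hdfs`, `alice@EXAMPLE.COM` falls through to `DEFAULT`, and the NameNode-shaped principal from `EVIL-EXAMPLE.COM` is mapped to `hdfs` by the loose rules but to nothing by the anchored ones. Feeding `try_map` the Complex Rules examples works the same way: `RULE:[2:$1%$2](.*%admin)s/%admin//` turns `myusername/admin@APACHE.ORG` into `myusername`, while the base `[1:$1@$0]` on its own is refused because the result still contains `@`.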