Hello Aneela,

If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME 
environment variable has no effect.

It sounds like you want to test a proxy user scenario, in which authentication 
is performed as user "hdfs" via Kerberos, but then execution of the request 
(including any group membership resolution and authorization checks) proceeds 
as user "michael".  There is a different environment variable named 
HADOOP_PROXY_USER that can be set to achieve this.

Does that help?

--Chris Nauroth

From: Aneela Saleem <ane...@platalytics.com>
Date: Thursday, June 23, 2016 at 12:45 PM
To: "user@hadoop.apache.org" <user@hadoop.apache.org>
Subject: Kerberos Impersonation in Hadoop

Hi all,

I'm trying Kerberos Impersonation in Hadoop. But I can't get a clear idea of 
what the impersonation is. Whether it's effective in doing HADOOP_USER_NAME 
from the command line or it's something else. It's confusing. I can't understand 
it from the documentation.

Actually what I'm trying to do is to simulate LDAP users on my system when 
accessing HDFS. Since I'm using group mapping from LDAP, that's working fine 
when I run the 'hdfs groups' command. I just want to authenticate whether the 
user I pass in HADOOP_USER_NAME from the command line when accessing HDFS is 
actually impersonating an LDAP user or not. How can I verify it? Let's have a 
look at the following use case:

- I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
- I initiate the authentication request using this service principal and get a 
  TGT for this principal
- Now when I run the command with any proxy user, whether it exists or not:
- HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp, it allows me to create the 
  temp directory on behalf of 'hdfs' (michael is an LDAP user)

But when I initiate an authentication request through the user principal, i.e., 
michael/platalytics.com@platalyticsrealm, and run the command 
hdfs dfs -mkdir /temp, it says michael doesn't have enough permissions.

I can't understand how things are working. How can I test LDAP users? I have 
not configured PAM for LDAP authentication; I want to test it without PAM.

I have enabled impersonation with the following configuration parameters:

<property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
</property>

Thanks
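An added illustration (not Hadoop's own code, and not from either poster) of the proxy-user check the NameNode applies to a request that a Kerberos-authenticated real user submits on behalf of another user, driven by the hadoop.proxyuser.hdfs.* settings quoted above; the LDAP group table and the client host names are constructed assumptions, and host matching is simplified to name comparison.

```python
# Simplified model of Hadoop's proxy-user (impersonation) authorization.
# Not Hadoop's implementation: real Hadoop compares the client's IP address
# against the resolved addresses in hadoop.proxyuser.<real>.hosts, and
# resolves groups through the configured group mapping (LDAP here).

CORE_SITE = {  # constructed from the core-site.xml fragment in the thread
    "hadoop.proxyuser.hdfs.groups": "Admin,hdfs",
    "hadoop.proxyuser.hdfs.hosts": "platalytics.com",
}

LDAP_GROUPS = {  # constructed stand-in for what 'hdfs groups <user>' returns
    "michael": {"Admin", "developers"},
    "alice": {"developers"},
}


def _split(value):
    """Turn a comma-separated config value into a set of trimmed names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def authorize_proxy(real_user, proxy_user, client_host,
                    conf=CORE_SITE, groups=LDAP_GROUPS):
    """Return (allowed, reason).

    real_user  - the Kerberos-authenticated identity (the TGT holder)
    proxy_user - the identity the request should execute as
                 (what HADOOP_PROXY_USER selects on a secure cluster)
    """
    if real_user == proxy_user:
        return True, "no impersonation requested"
    prefix = f"hadoop.proxyuser.{real_user}."
    hosts = _split(conf.get(prefix + "hosts", ""))
    allowed_groups = _split(conf.get(prefix + "groups", ""))
    allowed_users = _split(conf.get(prefix + "users", ""))
    # A real user with no proxyuser entries may not impersonate anyone.
    if not hosts or not (allowed_groups or allowed_users):
        return False, f"{real_user} is not configured as a proxy user"
    # Host restriction: '*' means any host.
    if "*" not in hosts and client_host not in hosts:
        return False, f"{client_host} not in {prefix}hosts"
    # Target restriction: explicit user list, or group intersection.
    if "*" in allowed_users or proxy_user in allowed_users:
        return True, f"{proxy_user} listed in {prefix}users"
    if "*" in allowed_groups or groups.get(proxy_user, set()) & allowed_groups:
        return True, f"{proxy_user}'s groups intersect {prefix}groups"
    return False, f"{proxy_user} not in {prefix}users or {prefix}groups"
```

With these settings, impersonating michael from platalytics.com is allowed because he is in Admin, while a user outside Admin and hdfs, a request from another host, or a real user without proxyuser entries is refused.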
