Mapping Authenticated Users to Other Users

The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the authenticated user) for grouping, authorization, and to run the request on the cluster.

	Note
	If a user does not match a principal mapping definition, the authenticated user becomes the effective user.

To add user mapping rule to an identity-assertion provider:

Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
Add a Default identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:
```
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
        <name>principal.mapping</name>
        <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
    </param>
</provider>
```
where the value contains a semi-colon-separated list of external to internal user mappings, and the following variables match the names in your environment:
- $user_ids
  is a comma-separated list of external users or the wildcard (*) indicates all users.
- $cluster_user
  is the Hadoop cluster user name the gateway asserts, that is the authenticated user name.
Save the file.
The gateway creates a new WAR file with modified timestamp in $gateway/data/deployments.

​Mapping Authenticated Users to Other Users

Mapping Authenticated Users to Other Users