3. Map Effective User to Cluster User

The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the effective user) for grouping, authorization, and to run the request on the cluster.

	Note
	If a user does not match a principal mapping definition, the authenticated user becomes the effective user.

To add user mapping rule to an identity-assertion provider:

Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
Add a Pseudo identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:
```
<provider>
   <role>identity-assertion</role>
   <name>Pseudo</name>
   <enabled>true</enabled>
    <param>
        <name>principal.mapping</name>
        <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
    </param>
</provider>
```
where the value contains a semi-colon separated list of external to internal user mappings and the following variables match the names in your environment:
- $user_ids is a comma separated list of external users or the wildcard (*) indicates all users.
- $cluster_user the Hadoop cluster user name the gateway asserts, that is the effective user name.
Save the file.
The gateway creates a new WAR file with modified timestamp in /var/lib/knox/data/deployments .

Legal notices