After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service; clients that cannot present valid LDAP credentials are rejected. You can enable LDAP authentication for a service in the EMR console with a few clicks, which frees you from the manual configuration of LDAP authentication in HiveServer2.
Prerequisites
A DataLake or custom cluster is created. Hive and OpenLDAP are selected when you create the DataLake or custom cluster. For more information, see Create a cluster.
Enable LDAP authentication with one click
Step 1: Add an EMR user. For more information, see Add a user. The username and password of this user are the LDAP credentials that you will present to HiveServer.
Step 2: Go to the Services tab.
Log on to the EMR console.
In the left-side navigation pane, click EMR on ECS.
In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
On the EMR on ECS page, find the desired cluster and click Services in the Actions column.
Step 3: Enable LDAP authentication.
On the Services tab, click Status in the Hive section.
Turn on enableLDAP.
Clusters of EMR V5.11.1 or a later minor version and clusters of EMR V3.45.1 or a later minor version
In the Service Overview section, turn on enableLDAP.
In the Confirm message, click OK.
Clusters of EMR V5.11.0 or an earlier minor version and clusters of EMR V3.45.0 or an earlier minor version
In the Components section, find HiveServer and click the action that enables LDAP authentication. In the dialog box that appears, enter an execution reason in the Execution Reason field and click OK.
In the Confirm dialog box, click OK.
Step 4: Restart HiveServer. The new authentication setting takes effect only after HiveServer is restarted.
In the Components section of the Status tab, find HiveServer and click Restart in the Actions column.
In the dialog box that appears, enter an execution reason in the Execution Reason field and click OK.
In the Confirm dialog box, click OK.
Step 5: Connect to HiveServer.
After LDAP authentication is enabled, you must provide LDAP credentials when you connect to HiveServer. Connections without a valid username and password are rejected.
Log on to your cluster in SSH mode. For more information, see Log on to a cluster.
Connect to HiveServer.
If you use the Beeline client, run the following command:
beeline -u jdbc:hive2://master-1-1:10000 -n <user> -p <password>
If you use Java Database Connectivity (JDBC), use the following connection URL:
jdbc:hive2://master-1-1:10000/default;user=<user>;password=<password>
Note: Set <user> to the LDAP username and <password> to the password that corresponds to that username. The username and password are the ones configured in Step 1. A password passed with -p on the Beeline command line is visible in the shell history and in the process list of the node; Beeline can instead read it from a file (-w <password-file>) or prompt for it when -p is given without a value. Also note that unless TLS is enabled on HiveServer2 (hive.server2.use.SSL), the password travels in cleartext between the client and HiveServer2.
Manually enable LDAP authentication
You can use the enableLDAP switch or button in the EMR console to enable LDAP authentication with one click. However, if you use an earlier EMR version or a self-managed LDAP server, you must manually enable LDAP authentication in HiveServer2.
On the Configure tab of the Hive section, click the hiveserver2-site.xml tab. Add the configuration items that are described in the following table. For more information, see Manage configuration items.
Configuration item | Example | Description |
--- | --- | --- |
hive.server2.authentication | LDAP | The authentication method of HiveServer2. |
hive.server2.authentication.ldap.url | ldap://{ldap_hostname}:{port}, for example ldap://master-1-1:10389 | The URL that is used to connect to the LDAP service. Configure the URL based on your business requirements. |
hive.server2.authentication.ldap.baseDN | ou=people,o=emr | The base distinguished name (DN) under which users are looked up in the LDAP service. If you want to connect to the LDAP service of an EMR cluster, set the value to |
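The table above lists the three items that switch HiveServer2 to LDAP authentication, but the example URL is plain ldap:// and nothing in it turns on TLS for the JDBC side, so the password crosses both network hops (client to HiveServer2, HiveServer2 to the LDAP server) unencrypted. The following Python script is an added example, not code from the EMR documentation or from Hive: it parses a Hadoop-style hiveserver2-site.xml, checks the LDAP settings, and flags the cleartext hops. The two embedded XML documents are constructed for the example; the ldaps:// port 10636 and the keystore path /etc/emr/hive/hs2.jks in the hardened variant are assumptions, not EMR defaults, and the property names hive.server2.use.SSL, hive.server2.keystore.path and hive.server2.authentication.ldap.userDNPattern are standard Hive settings that the page itself does not mention.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the three items from the table above, as written.
# ldap:// and no HiveServer2 TLS means the LDAP password is sent in
# cleartext on both hops (client -> HiveServer2 -> LDAP server).
WEAK_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldap://master-1-1:10389</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,o=emr</value></property>
</configuration>
"""

# Constructed hardened variant. Assumptions: the LDAP server also listens on
# LDAPS port 10636 and a JKS keystore for HiveServer2 exists at the path
# below; both are illustrative, not EMR defaults.
HARDENED_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldaps://master-1-1:10636</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,o=emr</value></property>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
  <property><name>hive.server2.keystore.path</name><value>/etc/emr/hive/hs2.jks</value></property>
</configuration>
"""


def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def lint_ldap_auth(props):
    """Return a list of findings; an empty list means the LDAP setup looks sound."""
    findings = []
    auth = props.get("hive.server2.authentication", "NONE").upper()
    if auth != "LDAP":
        findings.append("hive.server2.authentication is %r, not LDAP: "
                        "HiveServer2 will not check LDAP credentials" % auth)
        return findings  # the remaining checks only apply in LDAP mode

    # Hive accepts a space-separated list of URLs; check each one.
    urls = props.get("hive.server2.authentication.ldap.url", "").split()
    if not urls:
        findings.append("hive.server2.authentication.ldap.url is missing")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            findings.append("malformed LDAP URL: %r" % url)
        elif parts.scheme == "ldap":
            findings.append("%s: plaintext LDAP, the bind password is sent "
                            "unencrypted to the LDAP server" % url)

    if not (props.get("hive.server2.authentication.ldap.baseDN")
            or props.get("hive.server2.authentication.ldap.userDNPattern")):
        findings.append("neither ldap.baseDN nor ldap.userDNPattern is set: "
                        "HiveServer2 has no base to build a user DN under")

    if props.get("hive.server2.use.SSL", "false").lower() != "true":
        findings.append("hive.server2.use.SSL is not true: JDBC/Beeline clients "
                        "send the LDAP password in cleartext")
    elif not props.get("hive.server2.keystore.path"):
        findings.append("hive.server2.use.SSL is true but "
                        "hive.server2.keystore.path is missing")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(label, lint_ldap_auth(parse_hive_site(xml_text)) or "OK")
```

Run it against the hiveserver2-site.xml exported from the Configure tab (or against a self-managed HiveServer2's conf directory) before restarting HiveServer; the weak sample yields two findings, one per cleartext hop, and the hardened sample yields none. The script only reads the configuration, so it is safe to run on a production node.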