All Products
Search
Document Center

E-MapReduce:Use LDAP authentication

更新時間:Aug 11, 2023

After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service. This improves the security of the service. You can enable LDAP authentication for a service in the EMR console by performing simple operations. This frees you from the complex configuration of LDAP authentication.

Prerequisites

A DataLake or custom cluster is created. Hive and OpenLDAP are selected when you create the DataLake or custom cluster. For more information, see Create a cluster.

Enable LDAP authentication with one click

  1. An EMR user is added. For more information, see Add a user.

  2. Go to the Services tab.

    1. Log on to the EMR console.

    2. In the left-side navigation pane, click EMR on ECS.

    3. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.

    4. On the EMR on ECS page, find the desired cluster and click Services in the Actions column.

  3. Enable LDAP authentication.

    1. On the Services tab, click Status in the Hive section.

    2. Turn on enableLDAP.

      • Clusters of EMR V5.11.1 or a later minor version and clusters of EMR V3.45.1 or a later minor version

        1. In the Service Overview section, turn on enableLDAP.

        2. In the Confirm message, click OK.

      • Clusters of EMR V5.11.0 or an earlier minor version and clusters of EMR V3.45.0 or an earlier minor version

        1. In the Components section, find HiveServer, click the more > enableLDAP.

        2. In the dialog box that appears, enter an execution reason in the Execution Reason field and click OK.

        3. In the Confirm dialog box, click OK.

    3. Restart HiveServer.

      1. In the Components section of the Status tab, find HiveServer and click Restart in the Actions column.

      2. In the dialog box that appears, enter an execution reason in the Execution Reason field and click OK.

      3. In the Confirm dialog box, click OK.

  4. Connect to HiveServer.

    After LDAP authentication is enabled, you must provide LDAP authentication credentials when you connect to HiveServer.

    1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.

    2. Connect to HiveServer.

      • If you use the Beeline client, run the following command:

        beeline -u jdbc:hive2://master-1-1:10000 -n <user> -p <password>
      • If you use Java Database Connectivity (JDBC), run the following command:

        jdbc:hive2://master-1-1:10000/default;user=<user>;password=<password>
      Note

      Set <user> to the username for LDAP, and <password> to the password that corresponds to the username for LDAP. The username and password are configured in Step 1.

Manually enable LDAP authentication

You can use the enableLDAP switch or button in the EMR console to enable LDAP authentication with one click. However, if you use EMR of an earlier version or a self-managed LDAP server, you must manually enable LDAP authentication with HiveServer2.

On the Configure tab of the Hive section, click the hiveserver2-site.xml tab. Add the configuration items that are described in the following table. For more information, see Manage configuration items.

Configuration item

Example

Description

hive.server2.authentication

LDAP

The authentication method of HiveServer 2.

hive.server2.authentication.ldap.url

ldap://{ldap_hostname}:{port}

Example: ldap://master-1-1:10389

The URL that is used to connect to the LDAP service. Configure the URL based on your business requirements.

  • {ldap_hostname}: the hostname or IP address of the LDAP service. If you want to connect to the LDAP service of an EMR cluster, set the value to emr-header-1.

  • {port}: the port number of the LDAP service. If you want to connect to the LDAP service of an EMR cluster, set the value to 10389. If you want to connect to a self-managed LDAP server, set the value based on your business requirements.

hive.server2.authentication.ldap.baseDN

ou=people,o=emr

The base distinguished name (DN) of a user in the LDAP service. If you want to connect to the LDAP service of an EMR cluster, set the value to ou=people,o=emr. If you want to connect to a self-managed LDAP server, set the value based on your business requirements.