E-MapReduce: Manage LDAP authentication

Last Updated: Sep 28, 2023

After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service. This improves the security of the service. You can enable LDAP authentication for a service in the EMR console by performing simple operations. This frees you from the complex configuration of LDAP authentication.

Prerequisites

An E-MapReduce (EMR) cluster is created. The Trino and OpenLDAP services are selected when you create the cluster. For more information, see Create a cluster.

Precautions

  • If you cannot connect to a cluster of EMR V3.43.1 or EMR V5.9.1 for which LDAP authentication is enabled, the cause is that a required parameter is not configured for the worker nodes in the cluster. To resolve the issue, log on to the master-1-1 node in the cluster, open the Presto configuration file config.properties, and copy the internal-communication.shared-secret parameter and its value. Then, add the parameter and its value as a configuration item for the worker nodes in the core and task node groups of the cluster in the EMR console. Treat this value as a secret, because it authenticates the communication between the coordinator and the worker nodes. For information about how to add a configuration item, see Add configuration items.

  • LDAP authentication conflicts with Kerberos authentication in Trino. Therefore, you can enable only LDAP authentication or Kerberos authentication for an EMR cluster in which the Trino service is deployed.

Procedure

  1. Add an EMR user. For more information, see Add a user.

  2. Go to the Services tab.

    1. Log on to the EMR console.

    2. In the left-side navigation pane, click EMR on ECS.

    3. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.

    4. On the EMR on ECS page, find the desired cluster and click Services in the Actions column.

  3. Enable LDAP authentication.

    1. On the Services tab, find the Trino service and click Status.

    2. Enable LDAP authentication.

      • For a cluster of EMR V5.11.1 or a later minor version or EMR V3.45.1 or a later minor version

        1. In the Service Overview section of the Status tab, turn on TrinoLDAP.

        2. In the message that appears, click OK.

      • For a cluster of EMR V5.11.0 or an earlier minor version or EMR V3.45.0 or an earlier minor version

        Important

        If your EMR cluster is of an earlier version in which no switch is available to enable LDAP authentication, you must manually configure the settings to enable LDAP authentication by referring to the documentation of open source Spark in the community.

        1. In the Components section, find the TrinoMaster component, move the pointer over the more icon in the Actions column, and then click enableLDAP.

        2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

        3. In the Confirm message, click OK.

    3. Restart TrinoMaster.

      1. In the Components section, find the TrinoMaster component and click Restart in the Actions column.

      2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

      3. In the Confirm message, click OK.

  4. Connect to the Trino service.

    After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access the Trino service in the cluster.

    1. Log on to the cluster in SSH mode. For more information, see Log on to a cluster.

    2. Run the following command to access Trino.

      Important

      After high security is enabled, Trino can be accessed by using only HTTPS. Port 9090 is disabled and the http-server.http.port configuration item becomes invalid. In this case, you must use port 7778 to access Trino.

      trino --server https://{fqdn}:7778 --keystore-path {keystore_location} \
      --keystore-password {keystore_passwd} --catalog hive --user {user} --password

      Parameter: {fqdn}

      Description: The domain name of the keystore. To obtain it, go to the Configure tab of the Trino service page and find the ldap.url parameter. The content in the format of master-1-1.c-xxxxxxx.cn-x******.emr.aliyuncs.com in the parameter value is the domain name of the keystore.

      Parameter: {keystore_location}

      Description: The path of the keystore file. The path is the value of the http-server.https.keystore.path parameter on the config.properties subtab of the Configure tab. The value is fixed as /etc/emr/trino-conf/keystore.

      Parameter: {keystore_passwd}

      Description: The password used to access the keystore file. The password is the value of the http-server.https.keystore.key parameter on the config.properties subtab of the Configure tab. You must obtain the value manually: run the awk -F= '/http-server.https.keystore.key/{print $2}' ${TRINO_CONF_DIR}/config.properties command on the master-1-1 node to view it.

      Parameter: {user}

      Description: The LDAP username that you specified in Step 1.

      After you run the preceding command, enter the password of the LDAP user that you specified in Step 1.
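The following shell snippet is an added example, not part of the EMR documentation or of the Trino project. It reads the keystore path and keystore password from config.properties the way the awk command above does, derives {fqdn} from an ldap.url value, and assembles the trino CLI command from Step 4. The config.properties content and the ldap.url value are constructed samples; the LDAP password is still entered at the --password prompt and is never placed on the command line.

```shell
#!/bin/sh
# Constructed sample config.properties (not a real cluster file), written to a temp dir
# unless TRINO_CONF_DIR already points at a Trino configuration directory.
TRINO_CONF_DIR="${TRINO_CONF_DIR:-$(mktemp -d)}"
cat > "$TRINO_CONF_DIR/config.properties" <<'EOF'
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/etc/emr/trino-conf/keystore
http-server.https.keystore.key=ExampleKeystorePassword
EOF

# Read one key from a Java-style properties file. Only the first '=' separates key
# and value, so values that themselves contain '=' are returned intact.
prop() {
  awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Extract the host part of an ldap.url value such as
# ldaps://master-1-1.c-xxxxxxx.cn-x.emr.aliyuncs.com:636 (scheme and port removed).
ldap_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# Build the trino CLI invocation from Step 4. Returns 1 if any value is missing,
# so a misconfigured cluster fails early instead of producing a broken command.
build_trino_cmd() {
  conf="$1"; ldap_url="$2"; user="$3"
  fqdn=$(ldap_host "$ldap_url")
  ks_path=$(prop "$conf" http-server.https.keystore.path)
  ks_pass=$(prop "$conf" http-server.https.keystore.key)
  [ -n "$fqdn" ] && [ -n "$ks_path" ] && [ -n "$ks_pass" ] || return 1
  # --password has no argument: the trino CLI prompts for the LDAP password interactively.
  printf 'trino --server https://%s:7778 --keystore-path %s --keystore-password %s --catalog hive --user %s --password\n' \
    "$fqdn" "$ks_path" "$ks_pass" "$user"
}

# Usage (constructed ldap.url value; replace with the value from the Configure tab):
build_trino_cmd "$TRINO_CONF_DIR/config.properties" \
  "ldaps://master-1-1.c-xxxxxxx.cn-x.emr.aliyuncs.com:636" alice
```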

  5. Optional. Disable LDAP authentication.

    1. On the Services tab, find the Trino service and click Status.

    2. Disable LDAP authentication.

      • For a cluster of EMR V5.11.1 or a later minor version or EMR V3.45.1 or a later minor version

        1. In the Service Overview section of the Status tab, turn off TrinoLDAP.

        2. In the message that appears, click OK.

      • For a cluster of EMR V5.11.0 or an earlier minor version or EMR V3.45.0 or an earlier minor version

        1. In the Components section, find the TrinoMaster component, move the pointer over the more icon in the Actions column, and then click disableLDAP.

        2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

        3. In the Confirm message, click OK.

    3. Restart TrinoMaster.

      1. In the Components section, find the TrinoMaster component and click Restart in the Actions column.

      2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

      3. In the Confirm message, click OK.