After LDAP authentication is enabled for a service, you must provide your LDAP username and password to access the service, which improves the security of the service. You can enable LDAP authentication for a service in the EMR console with a few operations, without configuring LDAP authentication manually.

Prerequisites

A Hadoop cluster of EMR V3.34.0 or a later V3.X.X version, or of EMR V4.8.0 or a later V4.X.X version, is created. For more information, see Create a cluster.

Enable LDAP authentication

Notice: If you want to use Hue to access Presto for which LDAP authentication is enabled, additional configurations on Hue are required. For more information, see Configure Hue to connect to execution engines for which LDAP authentication is enabled.
  1. Go to the Presto service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > Presto.
  2. Enable LDAP authentication.
    1. On the Presto service page, choose Actions > Enable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    The operation is complete when Successful appears in the Status column.
  4. Restart PrestoMaster.
    1. On the Presto service page, choose Actions > Restart PrestoMaster in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.

Access Presto

After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access Presto.

  1. Connect to the master node of your cluster in SSH mode. For more information, see Connect to the master node of an EMR cluster in SSH mode.
  2. Run the following command to access Presto.

    HTTP port 9090 is inaccessible for Presto with LDAP authentication enabled. You can use only HTTPS port 7778 to access Presto.

    presto --server https://emr-header-1.cluster-xxxx:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password <keystore_password> --catalog hive --user <user> --password
    • emr-header-1.cluster-xxxx indicates the long domain name of the node where the PrestoMaster component resides. You can run the hostname command on the node to obtain the long domain name.
    • keystore_password indicates the keystore password. You can go to the Presto service page in the EMR console and view the value of the keystore_password parameter on the Configure tab.
    • user indicates your LDAP username.

    After you run the preceding command, you must enter the LDAP password. For information about how to obtain the LDAP password, see Manage user accounts.
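
To confirm that the change took effect after the PrestoMaster restart, the following check probes both ports without credentials. It is an added example, not part of the original documentation or of EMR tooling. It assumes that Presto's /v1/statement REST endpoint answers an unauthenticated request with HTTP 401 once LDAP is enforced, and it treats any HTTP response on port 9090 as a failure; the function names and the user name probe are hypothetical.

```shell
#!/bin/sh
# Added example: post-change check that Presto answers only on HTTPS 7778
# and rejects unauthenticated queries.
# Assumptions (not from the page): the coordinator exposes /v1/statement and
# returns HTTP 401 to a request without credentials once LDAP is enforced.

# probe URL -> prints the HTTP status code, or 000 if there was no response.
probe() {
    # -k skips certificate verification; acceptable here only because this
    # probe sends no credentials. "probe" is a constructed user name.
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 \
        -X POST -H 'X-Presto-User: probe' -d 'SELECT 1' "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

# verdict HTTP_CODE HTTPS_CODE -> prints one line.
# Returns 0 when LDAP is enforced, 1 on a clear failure, 2 when undecided.
verdict() {
    http_code=$1
    https_code=$2
    if [ "$http_code" != "000" ]; then
        echo "FAIL: port 9090 still answers HTTP ($http_code)"
        return 1
    fi
    case "$https_code" in
        401) echo "OK: 9090 closed, 7778 requires credentials"; return 0 ;;
        000) echo "FAIL: 7778 unreachable (was PrestoMaster restarted?)"; return 1 ;;
        2??) echo "FAIL: 7778 accepted a query without credentials"; return 1 ;;
        *)   echo "UNKNOWN: 7778 returned $https_code"; return 2 ;;
    esac
}

# check_cluster HOST -> probes both ports on HOST and prints the verdict.
check_cluster() {
    host=$1
    verdict "$(probe "http://$host:9090/v1/statement")" \
            "$(probe "https://$host:7778/v1/statement")"
}

# Usage on the master node: sh check_presto_ldap.sh emr-header-1.cluster-xxxx
if [ $# -gt 0 ]; then check_cluster "$1"; fi
```

Run the same check after you disable LDAP authentication if you need to confirm which ports are reachable in that state.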

Disable LDAP authentication

  1. Go to the Presto service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > Presto.
  2. Disable LDAP authentication.
    1. On the Presto service page, choose Actions > Disable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    The operation is complete when Successful appears in the Status column.
  4. Restart PrestoMaster.
    1. On the Presto service page, choose Actions > Restart PrestoMaster in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.