After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service, which improves the security of the service. LDAP authentication is backed by the OpenLDAP service that is deployed in your EMR cluster. You can enable LDAP authentication for a service with a few simple operations in the EMR console, so you do not need to perform the complex configuration of LDAP authentication yourself.

Prerequisites

Background information

This topic describes how to enable and disable LDAP authentication for Ranger Admin and Ranger UserSync.

Enable LDAP authentication for Ranger Admin

  1. Go to the Ranger service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
  2. Enable LDAP authentication.
    1. On the Ranger service page, choose Actions > Admin Enable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Ranger Admin.
    1. On the Ranger service page, choose Actions > Restart RangerAdmin in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.
    After LDAP authentication is enabled for Ranger Admin, you must provide your LDAP username and password when you access the Ranger web UI. The admin user does not change. After you access the Ranger web UI, you have only common user permissions. To obtain additional permissions, request them from the admin user.

Disable LDAP authentication for Ranger Admin

  1. Go to the Ranger service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
  2. Disable LDAP authentication.
    1. On the Ranger service page, choose Actions > Admin Disable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Ranger Admin.
    1. On the Ranger service page, choose Actions > Restart RangerAdmin in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.

Enable LDAP authentication for Ranger UserSync

  1. Go to the Ranger service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
  2. Enable LDAP authentication.
    1. On the Ranger service page, choose Actions > UserSync Enable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Ranger UserSync.
    1. On the Ranger service page, choose Actions > Restart RangerUserSync in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.
    After LDAP authentication is enabled for Ranger UserSync, user information in LDAP is synchronized to Ranger. This way, when you configure a policy on the Ranger web UI, you can authorize users or user groups in LDAP to access components in EMR.
    You can choose Settings > Users/Groups on the Ranger web UI to view the user information synchronized from LDAP.
    You can also choose Audit > User Sync on the Ranger web UI to check whether a user is synchronized from LDAP. If the value of Sync Source for a user is LDAP/AD, the user is synchronized from LDAP.
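
The Sync Source check described above can also be run over a saved user listing to find accounts that LDAP does not manage and LDAP users whose permissions were raised beyond the common user level. The following is an added example, not part of the original topic or of EMR or Ranger code; the JSON shape, the field names `vXUsers`, `name`, `syncSource` and `userRoleList`, and the role names are assumptions to verify against your Ranger version, and the sample data is constructed.

```python
import json

# Constructed sample shaped like a Ranger Admin user listing (assumed field
# names: name, syncSource, userRoleList). Not real cluster data.
SAMPLE_EXPORT = json.dumps({"vXUsers": [
    {"name": "admin", "syncSource": None, "userRoleList": ["ROLE_SYS_ADMIN"]},
    {"name": "alice", "syncSource": "LDAP/AD", "userRoleList": ["ROLE_USER"]},
    {"name": "bob", "syncSource": "LDAP/AD", "userRoleList": ["ROLE_SYS_ADMIN"]},
    {"name": "svc_etl", "syncSource": "Unix", "userRoleList": ["ROLE_USER"]},
    {"name": "legacy", "userRoleList": ["ROLE_USER"]},
]})

LDAP_SOURCE = "LDAP/AD"      # Sync Source value the topic gives for LDAP users
COMMON_ROLE = "ROLE_USER"    # assumed name of the common-user role
EXPECTED_LOCAL = {"admin"}   # the built-in admin user, which does not change


def audit_users(export_text, expected_local=EXPECTED_LOCAL):
    """Classify users by sync source and flag entries worth reviewing."""
    users = json.loads(export_text).get("vXUsers", [])
    report = {"ldap": [], "non_ldap_unexpected": [], "ldap_elevated": []}
    for user in users:
        name = user.get("name", "<unnamed>")
        # A missing or null sync source is treated as a locally created user.
        source = user.get("syncSource") or "local"
        roles = set(user.get("userRoleList") or [])
        if source == LDAP_SOURCE:
            report["ldap"].append(name)
            # LDAP users start with common user permissions, so any other
            # role was granted afterwards and should have an owner.
            extra = sorted(roles - {COMMON_ROLE})
            if extra:
                report["ldap_elevated"].append((name, extra))
        elif name not in expected_local:
            # Policies can reference this account, but LDAP does not manage it.
            report["non_ldap_unexpected"].append((name, source))
    return report


if __name__ == "__main__":
    for key, value in audit_users(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```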

Disable LDAP authentication for Ranger UserSync

  1. Go to the Ranger service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
  2. Disable LDAP authentication.
    1. On the Ranger service page, choose Actions > UserSync Disable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Ranger UserSync.
    1. On the Ranger service page, choose Actions > Restart RangerUserSync in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.