
LDAP authentication

Last Updated: Mar 23, 2018

LDAP Identity Authentication

The EMR cluster also supports LDAP-based authentication, in which the account system is managed through LDAP and the Kerberos client uses the LDAP account information as its identity for authentication.

The LDAP accounts can be shared with other services, such as Hue. Users can either use the LDAP service (ApacheDS) that is already configured in the EMR cluster or an existing LDAP service; in both cases it only needs to be configured on the Kerberos server.

Here’s an example of an LDAP service (ApacheDS) that has been started by default in a cluster:

  • Configure the basic environment in Gateway management (the same as in the second part of the RAM section; this can be skipped if it has already been configured).

    The only difference is that auth_type in /etc/has/has-client.conf needs to be changed to LDAP.

    Alternatively, leave /etc/has/has-client.conf unchanged: the user test can copy the file under their own account, set auth_type to LDAP in the copy, and point the HAS client to it through an environment variable, for example:

    export HAS_CONF_DIR=/home/test/has-conf

  • Configure the LDAP manager user/password on the Kerberos server (HAS) in the EMR console.

    Go to EMR Console > Cluster Configuration Management > HAS software, enter the LDAP manager user name and password in the bind_dn and bind_password fields, and restart the HAS service.

    In this example, the LDAP service is the ApacheDS in the EMR cluster, and the related values can be obtained from ApacheDS.

  • The EMR cluster manager adds user information to LDAP

    • Obtain the ApacheDS LDAP service and its manager user and password: manager_dn and manager_password are shown in EMR Console > Cluster Configuration Management > ApacheDS Configuration.
    • Add the user test and its password in ApacheDS:

      1. Log on to the root account on the cluster's emr-header-1 node.
      2. Create a file test.ldif with the following content:

         dn: cn=test,ou=people,o=emr
         objectclass: inetOrgPerson
         objectclass: organizationalPerson
         objectclass: person
         objectclass: top
         cn: test
         sn: test
         mail: test@example.com
         userpassword: test1234

      3. Add the entry to LDAP. Replace the -w value with manager_password (or use -W to be prompted for it, so the manager password does not end up in the shell history):

         ldapmodify -x -h localhost -p 10389 -D "uid=admin,ou=system" -w "Ns1aSe" -a -f test.ldif

      4. Delete test.ldif, which contains the user's password in clear text:

         rm test.ldif

      Provide the added user name/password to the user test.

  • The user test configures the LDAP information

    1. Log on to the Gateway as the test account.
    2. Run the script:

       sh add_ldap.sh test

    Attachment: script add_ldap.sh (writes the user's LDAP account information into their .bashrc)

       #!/bin/sh
       # Usage: sh add_ldap.sh <user>
       user=$1
       bashrc=/home/$user/.bashrc
       # Append only once: skip if the LDAP_ exports are already present.
       if ! grep -q 'export LDAP_' "$bashrc"; then
           # Modify to the user test's LDAP_USER/LDAP_PWD (the values below are
           # the ones added to ApacheDS above). The password is stored in clear
           # text, so keep this file readable by its owner only.
           echo "
       export LDAP_USER=test
       export LDAP_PWD=test1234
       " >> "$bashrc"
       else
           echo "$user LDAP user info has been added to .bashrc"
       fi
  • The user test accesses the cluster services

    Execute HDFS commands:

       [test@iZbp1cyio18s5ymggr7yhrZ ~]$ hadoop fs -ls /
       17/11/19 13:33:33 INFO client.HasClient: The plugin type is: LDAP
       Found 4 items
       drwxr-x--- - has hadoop 0 2017-11-18 21:12 /apps
       drwxrwxrwt - hadoop hadoop 0 2017-11-19 13:33 /spark-history
       drwxrwxrwt - hadoop hadoop 0 2017-11-19 12:41 /tmp
       drwxrwxrwt - hadoop hadoop 0 2017-11-19 12:41 /user

    The INFO line from client.HasClient confirms that the LDAP plugin was used for authentication.

    Run Hadoop/Spark jobs.
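As an added pre-flight check that is not part of the EMR documentation, the POSIX shell functions below verify the pieces the steps above put in place before a Gateway user runs hadoop fs: the has-client.conf that HAS_CONF_DIR points to (or /etc/has), its auth_type, the LDAP_USER/LDAP_PWD exports written by add_ldap.sh, and the permissions of the .bashrc that holds the password. It assumes has-client.conf uses key = value lines ("auth_type = LDAP") and that GNU stat is available; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the EMR documentation: pre-flight checks a Gateway
# user can run before "hadoop fs" with auth_type LDAP through HAS. Assumptions:
# has-client.conf holds a "auth_type = LDAP" line and GNU stat (Linux) exists.
# Usage: . ./ldap_preflight.sh && ldap_preflight

# Path of the has-client.conf the HAS client reads: the per-user copy under
# $HAS_CONF_DIR when that is exported, otherwise the system-wide /etc/has.
has_conf_path() {
    printf '%s/has-client.conf\n' "${HAS_CONF_DIR:-/etc/has}"
}

# Print the auth_type value from a has-client.conf (empty when absent).
has_auth_type() {
    sed -n 's/^[[:space:]]*auth_type[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only when the file is readable by its owner alone (mode 600 or 400);
# this matters because add_ldap.sh stores LDAP_PWD in clear text in .bashrc.
is_owner_only() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check, print one line per check, return 0 only if all pass.
ldap_preflight() {
    conf=$(has_conf_path); rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is missing or not readable"
        return 1
    fi
    if [ "$(has_auth_type "$conf")" = "LDAP" ]; then
        echo "ok: auth_type is LDAP in $conf"
    else
        echo "FAIL: auth_type in $conf is not LDAP"; rc=1
    fi
    if [ -n "$LDAP_USER" ] && [ -n "$LDAP_PWD" ]; then
        echo "ok: LDAP_USER and LDAP_PWD are set for $LDAP_USER"
    else
        echo "FAIL: LDAP_USER or LDAP_PWD is not exported (run add_ldap.sh)"; rc=1
    fi
    if is_owner_only "$HOME/.bashrc"; then
        echo "ok: $HOME/.bashrc is readable by its owner only"
    else
        echo "WARN: $HOME/.bashrc is readable by other users and holds LDAP_PWD"
    fi
    return $rc
}
```

A world-readable .bashrc is reported as a warning rather than a failure, since it does not stop authentication from working.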
