E-MapReduce: Manage LDAP authentication

Last Updated: Mar 25, 2026

Enable LDAP authentication for the Trino service in an E-MapReduce (EMR) cluster so that users must provide LDAP credentials to connect.

Important

LDAP authentication and Kerberos authentication conflict in Trino. Enable only one authentication type per EMR cluster that runs the Trino service.

Prerequisites

Before you begin, ensure that you have:

  • An EMR cluster with Trino and OpenLDAP selected at creation time. For more information, see Create a cluster.

  • An EMR user added to the cluster. For more information, see Add a user.

Enable LDAP authentication

  1. Log on to the EMR console.

  2. In the left-side navigation pane, click EMR on ECS.

  3. In the top navigation bar, select the region where your cluster resides and select a resource group.

  4. Find the cluster, and click Services in the Actions column.

  5. On the Services tab, find the Trino service and click Status.

  6. Enable LDAP authentication based on your cluster version:

    • EMR V5.11.1 or later, or EMR V3.45.1 or later: In the Service Overview section, turn on TrinoLDAP. In the dialog box that appears, click OK.

    • EMR V5.11.0 or earlier, or EMR V3.45.0 or earlier:

      Important: If your cluster version has no TrinoLDAP toggle, manually configure LDAP authentication by following the open-source Spark community documentation.

      In the Components section, find TrinoMaster, click the more icon in the Actions column, and then click enableLDAP. In the dialog box that appears, enter an Execution Reason and click OK. In the Confirm dialog box, click OK.

  7. Restart TrinoMaster: In the Components section, find TrinoMaster and click Restart in the Actions column. Enter an Execution Reason, click OK, and then click OK in the Confirm dialog box.

Connect to Trino with LDAP credentials

After high security is enabled, Trino is accessible only over HTTPS on port 7778. Port 9090 is disabled and the http-server.http.port configuration item becomes invalid.

  1. Log on to the cluster in SSH mode. For more information, see Log on to a cluster.

  2. Run the following command to connect to Trino:

    trino --server https://<fqdn>:7778 \
      --keystore-path <keystore_location> \
      --keystore-password <keystore_passwd> \
      --catalog hive \
      --user <user> \
      --password

    Replace the placeholders with the values described below.

    • <fqdn>
      Description: The fully qualified domain name (FQDN) of the keystore. Format: master-1-1.c-xxxxxxx.cn-x*****.emr.aliyuncs.com
      How to get the value: On the Configure tab of the Trino service page, find the ldap.url parameter. The FQDN is the hostname portion of the parameter value.

    • <keystore_location>
      Description: The path to the keystore file. Fixed value: /etc/emr/trino-conf/keystore
      How to get the value: On the Configure tab, open the config.properties subtab and find http-server.https.keystore.path.

    • <keystore_passwd>
      Description: The password for the keystore file.
      How to get the value: On the Configure tab, open the config.properties subtab and find http-server.https.keystore.key. Alternatively, run the following command on the master-1-1 node:

        awk -F= '/http-server.https.keystore.key/{print $2}' ${TRINO_CONF_DIR}/config.properties

    • <user>
      Description: Your LDAP username.
      How to get the value: The username you specified when adding the EMR user.

  3. When prompted, enter the password for the LDAP user.

Disable LDAP authentication (optional)

  1. On the Services tab, find the Trino service and click Status.

  2. Disable LDAP authentication based on your cluster version:

    • EMR V5.11.1 or later, or EMR V3.45.1 or later: In the Service Overview section, turn off TrinoLDAP. In the dialog box that appears, click OK.

    • EMR V5.11.0 or earlier, or EMR V3.45.0 or earlier: In the Components section, find TrinoMaster, click the more icon in the Actions column, and then click disableLDAP. In the dialog box that appears, enter an Execution Reason and click OK. In the Confirm dialog box, click OK.

  3. Restart TrinoMaster: In the Components section, find TrinoMaster and click Restart in the Actions column. Enter an Execution Reason, click OK, and then click OK in the Confirm dialog box.

Troubleshooting

Cannot connect to Trino after enabling LDAP authentication

Affected versions: EMR V3.43.1 and EMR V5.9.1

Symptom: Connection fails after LDAP authentication is enabled.

Cause: The internal-communication.shared-secret parameter is not configured on worker nodes.

Solution:

  1. Log on to the master-1-1 node and find the internal-communication.shared-secret parameter and its value in the Presto configuration file config.properties.

  2. In the EMR console, add the parameter and its value as a configuration item for the worker nodes in the core and task node groups. For more information, see Add configuration items.
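
A way to check for the cause described above before editing the worker configuration, as an added example that is not part of the original documentation: it compares internal-communication.shared-secret between a master and a worker copy of config.properties without printing the secret, and reads property values by exact key so that a value containing "=" is not cut short the way an awk -F= lookup would cut it. The function names, the file names (including the file assumed to hold ldap.url) and all sample values are assumptions constructed for the example, and the worker's config.properties is assumed to have been copied to the local node.

```shell
#!/usr/bin/env bash
# Added example: function names, file names and sample values are assumptions.

# Print the value of an exact key from a properties file. The key is compared
# literally and any '=' inside the value is kept. Exit status 1 if absent.
prop_value() {  # usage: prop_value <file> <key>
  awk -v key="$2" '
    /^[ \t]*[#!]/ { next }                       # skip comment lines
    { i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; found = 1; exit } }
    END { exit !found }' "$1"
}

# Hostname portion of ldap.url (scheme, port and path removed).
ldap_host() (  # subshell body keeps variables local
  url=$(prop_value "$1" ldap.url) || exit 1
  url=${url#*://}; url=${url%%/*}
  printf '%s\n' "${url%%:*}"
)

# Compare internal-communication.shared-secret in a master and a worker copy of
# config.properties without printing the secret.
# Exit status: 0 match, 1 missing on worker, 2 differs, 3 missing on master.
check_shared_secret() (  # usage: check_shared_secret <master_file> <worker_file>
  key=internal-communication.shared-secret
  m=$(prop_value "$1" "$key") || { echo "master: $key not set"; exit 3; }
  w=$(prop_value "$2" "$key") || { echo "worker: $key not set"; exit 1; }
  [ "$m" = "$w" ] || { echo "worker: $key differs from master"; exit 2; }
  echo "ok: $key matches"
)

# Constructed sample files; none of these values come from a real cluster.
write_samples() {  # usage: write_samples <dir>
  printf '%s\n' 'ldap.url=ldaps://master-1-1.c-example.cn-example.emr.aliyuncs.com:636' \
    > "$1/ldap.properties"
  printf '%s\n' '# master copy' 'http-server.https.keystore.key=abc=123' \
    'internal-communication.shared-secret=c2FtcGxlLXNlY3JldA==' > "$1/master.properties"
  printf '%s\n' '# worker copy' 'http-server.https.keystore.key=abc=123' \
    > "$1/worker.properties"
}

demo=$(mktemp -d) && write_samples "$demo"
ldap_host "$demo/ldap.properties"
check_shared_secret "$demo/master.properties" "$demo/worker.properties" || echo "exit status $?"
rm -rf "$demo"
```

A non-zero status from check_shared_secret on a worker copy corresponds to the situation the Solution steps above correct.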