After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service. This improves the security of the service. The OpenLDAP service that is deployed in your EMR cluster is used to support LDAP authentication. You can enable LDAP authentication for a service in the EMR console by performing simple operations. This frees you from the complex configuration of LDAP authentication.

Prerequisites

A Hadoop cluster is created. For more information, see Create a cluster.

Enable LDAP authentication

Notice If you want to use Hue to access Impala for which LDAP authentication is enabled, additional configurations on Hue are required. For more information, see Configure Hue to connect to the execution engines for which LDAP authentication is enabled.
  1. Go to the Impala service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > Impala.
  2. Enable LDAP authentication.
    1. On the Impala service page, choose Actions > Enable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Impala.
    1. On the Impala service page, choose Actions > Restart All Components in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.

Access Impala

After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access Impala.

  1. Log on to your cluster in SSH mode. For more information, see Connect to the master node of an EMR cluster in SSH mode.
  2. Use one of the following methods to access Impala:
    • If you use the Impala shell tool, run the following command:
      impala-shell -l -u <user> --auth_creds_ok_in_clear
      Note user indicates your LDAP username. After LDAP authentication is enabled, you must provide your LDAP password when you access Impala. For information about how to obtain the LDAP password, see Manage user accounts.
    • If you use Java Database Connectivity (JDBC), run the following command:

      After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access Impala by using JDBC. In addition, you must download the Impala JDBC driver from the official website of Cloudera and add the driver to the /usr/lib/hive-current/lib/ directory.

      To download the Impala JDBC driver, visit Impala JDBC Connector. 

      !connect jdbc:impala://emr-header-1:21050/default;AuthMech=3;UID=<user>;PWD=<password>;

Disable LDAP authentication

  1. Go to the Impala service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > Impala.
  2. Disable LDAP authentication.
    1. On the Impala service page, choose Actions > Disable LDAP Authentication in the upper-right corner.
    2. In the Cluster Activities dialog box, click OK.
  3. Click History in the upper-right corner.
    After Successful appears in the Status column, the operation is successful.
  4. Restart Impala.
    1. On the Impala service page, choose Actions > Restart All Components in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.