This topic describes how to manage E-MapReduce (EMR) user accounts on the Users page of the EMR console.

Background information

Information about EMR user accounts is stored in the built-in OpenLDAP service of an EMR cluster. You can use the information to authenticate EMR users in the EMR cluster.

If you click the link of an open source component on the Connect Strings page to access the web UI of the component, you must use an EMR user account for identity authentication. If you enable LDAP authentication, you must also use an EMR user account for identity authentication. If you configure LDAP as the user source for Ranger, you can manage the permissions of user accounts that are listed on the Users page. You can use EMR user accounts to run kinit commands on a high-security cluster.

The Users page lists all EMR user accounts. RAM users that correspond to the EMR user accounts are classified into the following types based on the permissions that are granted to the RAM users in the EMR console:
  • Administrator: an Alibaba Cloud account, or a RAM user that is granted the emr:ManageUserPlatform and emr:CreateLdapUser permissions, such as a RAM user to which the AliyunEMRFullAccess policy is attached. An administrator can view the information about all user accounts that are configured in a cluster. The administrator can also add or remove a user account, reset the password of a user account, modify the remarks of a user account, and download the authentication credentials of a user account. Authentication credentials can be downloaded only in a high-security cluster.
  • Common user: a RAM user to which other policies, such as AliyunEMRDevelopAccess, are attached. A common user can work only with the EMR user account whose username is the same as the username of the common user: the common user can view the information, reset the password, modify the remarks, and download the authentication credentials of that user account. A common user cannot add or remove a user account.

Prerequisites

  • An EMR cluster is created. For more information, see Create a cluster.
  • RAM users are created. For more information, see Create a RAM user.
    Note You must create a RAM user first. Only an EMR user account whose username is the same as the username of a RAM user can be added to the Users page of the EMR console.

Limits

Only Hadoop clusters, Data Science clusters, Flink clusters, and Druid clusters support the management of EMR user accounts.

Add a user account

Notice If you use a RAM user to log on to the EMR console, you must grant the ram:ListUsers permission to the RAM user before you add a user account. You can attach the AliyunRAMReadOnlyAccess policy to the RAM user in the RAM console by using your Alibaba Cloud account. You can also configure a custom policy to grant the ram:ListUsers permission to the RAM user.
  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the left-side navigation pane, click Users.
  3. On the Users page, click Add User in the upper-left corner.
  4. In the Add User dialog box, select an existing RAM user as an EMR user account from the Username drop-down list and specify Password and Confirm password.
  5. Click OK.
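
The following check is an added example, not code from Alibaba Cloud. Given the policy documents attached to a RAM user, it reports which role from the Background information section the user falls into, and whether the ram:ListUsers requirement in the notice above is met. The helper names and sample policies are constructed; only Action and Effect are evaluated, so Resource, Condition, and NotAction are assumed not to narrow the result.

```python
from fnmatch import fnmatchcase

ADMIN_ACTIONS = ("emr:ManageUserPlatform", "emr:CreateLdapUser")  # named on this page
ADD_USER_ACTION = "ram:ListUsers"  # required before a RAM user can add an account

def _as_list(value):
    """Accept a single item or a list (defensive normalisation)."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def allows(policies, action):
    """True if an Allow statement matches `action` and no Deny statement does.
    Assumption: Resource, Condition and NotAction are not evaluated."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            if not any(fnmatchcase(action, p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def classify(policies):
    """Map a RAM user's attached policy documents to the Users-page role."""
    is_admin = all(allows(policies, a) for a in ADMIN_ACTIONS)
    return {
        "type": "Administrator" if is_admin else "Common user",
        "can_add_user": is_admin and allows(policies, ADD_USER_ACTION),
    }

# Constructed sample documents, not the contents of any Alibaba Cloud system policy.
EMR_ALL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "emr:*", "Resource": "*"}]}
LIST_USERS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ram:ListUsers"], "Resource": "*"}]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["emr:Describe*", "emr:List*"], "Resource": "*"}]}
DENY_CREATE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "emr:CreateLdapUser", "Resource": "*"}]}

if __name__ == "__main__":
    for name, attached in [("emr-all", [EMR_ALL]), ("emr-all+list", [EMR_ALL, LIST_USERS]),
                           ("read-only", [READ_ONLY, LIST_USERS])]:
        print(name, classify(attached))
```
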

Remove a user account

  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the left-side navigation pane, click Users.
  3. On the Users page, find the user account that you want to remove and click Delete in the Action column.
  4. In the Delete message, click OK.

Reset the password of a user account

You can reset the password of a user account.
Notice This operation may cause tasks that are running to fail.
  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the left-side navigation pane, click Users.
  3. On the Users page, find the user account whose password you want to reset and click Reset Password in the Action column.
  4. In the Set Password dialog box, enter the new password in the Password and Confirm Password fields.
  5. Click OK.

Download the authentication credentials of a user account

You can download the keytab file of a user account.
Notice Authentication credentials can be downloaded only in high-security clusters.
  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the left-side navigation pane, click Users.
  3. On the Users page, find the user account whose authentication credentials you want to download and click Download Authentication Credentials in the Action column.

Update user account configurations

If user account configurations do not take effect promptly because of network latency, you can update them manually. You can also click Update to synchronize the added OpenLDAP user accounts to the user account list on the Users page.

On the Users page, click Update to update the user account configurations.

Manage Linux user accounts

You can use this feature for high-security clusters with a self-managed LDAP server deployed. When you add a Linux user account, a Linux user account with a specific name is automatically created for each node in the cluster. This account is also available on the nodes that are added when you scale out the cluster in the future.

  1. In the upper-right corner of the Users page, click Linux Users.
  2. In the Linux User Management dialog box, enter usernames. Separate multiple usernames with semicolons (;).
  3. Click Add.

FAQ

Q: Can different clusters share an EMR user account?

A: No, different clusters cannot share an EMR user account. EMR user accounts listed on the Users page are valid only for the current cluster. For example, EMR user account A created in cluster-1 cannot be shared with cluster-2. To use EMR user account A in cluster-2, you must create this account in cluster-2.