EMR clusters store user account information in a built-in OpenLDAP service for identity authentication. Use the Users tab in the EMR console to add, remove, and manage user accounts.
When to use EMR user accounts
EMR user accounts are required in the following scenarios:
- Web UI access: Authenticate when you click a link on the Connect Strings page to open a component web UI.
- LDAP authentication: Authenticate when LDAP authentication is enabled for a component.
- Ranger authorization: Manage permissions for user accounts when Ranger's user source is set to LDAP.
- Kerberos operations: Run kinit commands on a high-security cluster.
User roles
Your permissions on the Users tab depend on the RAM user's role in the EMR console:
| Role | Who | Permissions |
|---|---|---|
| Administrator | Alibaba Cloud account, or RAM user with emr:ManageUserPlatform and emr:CreateLdapUser permissions (for example, a RAM user with the AliyunEMRFullAccess policy) | View all user accounts; add and remove users; reset passwords; modify remarks |
| Common user | RAM users with other policies (for example, AliyunEMRDevelopAccess) | View own account only; reset own password; modify own remarks. Cannot add or remove users |
Prerequisites
Before you begin, ensure that you have:
- An EMR cluster created with the OpenLDAP service selected. For more information, see Create a cluster.
- A RAM user created. Only an EMR user account whose username matches an existing RAM user's username can be added. For more information, see Create a RAM user.
Add a user
If you log on to the EMR console as a RAM user, grant the ram:ListUsers permission to that RAM user before adding a user account. Attach the AliyunRAMReadOnlyAccess policy in the RAM console using your Alibaba Cloud account, or configure a custom policy that grants ram:ListUsers.
- Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
- In the top navigation bar, select the region where your cluster resides and select a resource group.
- On the EMR on ECS page, find the target cluster and click its name in the Cluster ID/Name column.
- Click the Users tab.
- Click Add User.
- In the Add User dialog box, select an existing RAM user from the Username drop-down list, then configure Password and Confirm Password.
- Click OK.
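The following added example (not part of the original documentation or any Alibaba Cloud tool) checks a RAM user's policy documents against the roles table and the ram:ListUsers requirement above, so you can confirm a least-privilege custom policy before attaching it. The sample policies are constructed, and the evaluation is a simplification that ignores Resource and Condition and assumes case-sensitive action matching.

```python
from fnmatch import fnmatchcase

# Action names taken from the page: the roles table and the "Add a user" note.
ADMIN_ACTIONS = ("emr:ManageUserPlatform", "emr:CreateLdapUser")
LIST_ACTION = "ram:ListUsers"

# Constructed sample: least-privilege custom policy for a Users tab administrator.
CUSTOM_ADMIN = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["emr:ManageUserPlatform", "emr:CreateLdapUser", "ram:ListUsers"]}]}
# Constructed sample: broad EMR grant that never mentions ram:ListUsers.
EMR_WILDCARD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "emr:*", "Resource": "*"}]}
# Constructed sample: explicit Deny that removes one administrator action.
DENY_CREATE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "emr:CreateLdapUser", "Resource": "*"}]}


def _actions(stmt):
    """Return a statement's Action element as a list (it may be a string)."""
    value = stmt.get("Action", [])
    return [value] if isinstance(value, str) else list(value)


def allows(policies, action):
    """True if an Allow statement matches `action` and no Deny statement does.

    Assumptions: Resource and Condition are ignored, matching is case-sensitive,
    and '*' is the only wildcard expected in Action patterns.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if any(fnmatchcase(action, pat) for pat in _actions(stmt)):
                if stmt.get("Effect") == "Deny":
                    return False  # explicit Deny takes precedence
                allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def users_tab_role(policies):
    """Map a RAM user's attached policies to the role shown in the roles table."""
    ok = all(allows(policies, a) for a in ADMIN_ACTIONS)
    return "Administrator" if ok else "Common user"


def can_add_users(policies):
    """Adding a user needs the Administrator role plus ram:ListUsers."""
    return users_tab_role(policies) == "Administrator" and allows(policies, LIST_ACTION)
```

A RAM user holding only the constructed EMR_WILDCARD policy is an Administrator on the Users tab but still cannot add users until ram:ListUsers is granted.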
Remove a user
- On the Users tab, find the user and click Delete in the Actions column.
- In the Delete User message, click OK.
Reset a user's password
This operation may cause tasks that are running to fail.
- On the Users tab, find the user and click Reset Password in the Actions column.
- In the Reset User Password dialog box, configure Password and Confirm Password.
- Click OK.
What's next
If you use a high-security cluster, configure Kerberos and perform operations such as exporting keytab files. For more information, see Basic Kerberos usage.