E-MapReduce: DLF-Auth

Last Updated: Mar 26, 2026

DLF-Auth is a Data Lake Formation (DLF) component that enforces fine-grained permission management on your EMR cluster. Once enabled, it controls access to databases, tables, columns, and functions through DLF—giving you centralized permission management across your data lake.

DLF is a fully managed service that helps you build cloud-based data lakes, providing centralized permission management and metadata management. For more information about DLF, see What is Data Lake Formation.

Limitations

  • DLF allows only RAM users to manage permissions. Add RAM users through the user management feature in the EMR console.

  • DLF-Auth and Ranger cannot control the same compute engine simultaneously. If you enable Hive or Spark for DLF-Auth, you cannot enable or disable the same engine for Ranger, and vice versa.

  • For supported regions, see Supported regions and endpoints.

Supported EMR versions and compute engines

| EMR version             | Hive      | Spark         | Presto        | Impala        |
|-------------------------|-----------|---------------|---------------|---------------|
| EMR V3.39.0 and earlier | Supported | Not supported | Not supported | Not supported |
| EMR V3.40.0             | Supported | Supported     | Supported     | Not supported |
| EMR V3.41.0–V3.43.1     | Supported | Supported     | Not supported | Not supported |
| EMR V3.44.0 and later   | Supported | Supported     | Supported     | Supported     |
| EMR V5.5.0 and earlier  | Supported | Not supported | Not supported | Not supported |
| EMR V5.6.0              | Supported | Supported     | Supported     | Not supported |
| EMR V5.7.0–V5.9.1       | Supported | Supported     | Not supported | Not supported |
| EMR V5.10.0 and later   | Supported | Supported     | Supported     | Supported     |

Prerequisites

Before you begin, ensure that you have:

  • An EMR cluster with the OpenLDAP service selected. For more information, see Create a cluster.

Note

When creating the EMR cluster, keep the default DLF Unified Metadata for Metadata in the Software Configuration step.

Enable DLF-Auth

Step 1: Enable Hive in DLF-Auth

  1. In the EMR console, click EMR on ECS in the left-side navigation pane.

  2. Select your region and resource group, then find your cluster and click Services in the Actions column.

  3. On the Services tab, find DLF-Auth and click Status.

  4. In the Service Overview section, turn on enableHive and click OK in the confirmation message.

  5. Restart HiveServer:

    1. On the Services tab, find Hive and click Status.

    2. In the Components section, find HiveServer and click Restart in the Actions column.

    3. Enter an execution reason and click OK, then click OK again in the confirmation dialog.

Step 2: Add a RAM user

DLF allows only RAM users to manage permissions. Use the user management feature to add a RAM user to your cluster.

  1. In the EMR console, navigate to your cluster and click Services in the Actions column.

  2. Click the Users tab, then click Add User.

  3. In the Add User dialog box, select a RAM user from the Username drop-down list and set Password and Confirm Password.

  4. Click OK.

Step 3: Verify and grant permissions

Important

If the RAM user has the AliyunDLFDssFullAccess or AdministratorAccess policy attached, the user already has access to all DLF resources. Skip this step.

Verify current permissions

  1. Log on to your cluster via SSH. For more information, see Log on to a cluster.

  2. Connect to HiveServer2:

    beeline -u jdbc:hive2://master-1-1:10000 -n <user> -p <password>

    Replace <user> and <password> with the credentials you set in Step 2.

  3. Query an existing table:

    select * from testdb.test;

    Replace testdb.test with your actual table name. If the RAM user lacks permissions, an error is returned.

Grant permissions in the DLF console

  1. Log on to the DLF console.

  2. In the left-side navigation pane, choose Data Permission > Data Permissions.

  3. Click Add Permission and configure the parameters:

    | Parameter            | Description                                       | Example                         |
    |----------------------|---------------------------------------------------|---------------------------------|
    | Principal Type       | The type of identity to grant permissions to.     | RAM User/Role (default)         |
    | Choose Principal     | The RAM user to grant permissions to.             | Select the user added in Step 2 |
    | Authorization Method | How the permission is scoped.                     | Resource Authorization (default)|
    | Resource Type        | The type of resource to control access to.        | Metadata table                  |
    | Data Permission      | The operation the user is permitted to perform.   | Select                          |
    | Granted Permission   | The permission that is granted to the principal.  |                                 |

  4. Click OK.

Verify that permissions take effect

  1. Run the table query again from step 3. The query succeeds, confirming the Select permission is in effect.

Step 4 (Optional): Enable LDAP authentication for Hive

After enabling DLF-Auth, enable Lightweight Directory Access Protocol (LDAP) authentication for Hive so that all users connecting to Hive must authenticate before running queries.

  1. In the EMR console, navigate to your cluster and click Services in the Actions column.

  2. On the Services tab, click Status in the Hive section.

  3. Enable enableLDAP based on your EMR version:

    • EMR V5.11.1 and later minor versions, or EMR V3.45.1 and later minor versions: In the Service Overview section, turn on enableLDAP and click OK.

    • EMR V5.11.0 and earlier minor versions, or EMR V3.45.0 and earlier minor versions: In the Components section, find HiveServer, click more > enableLDAP, enter an execution reason, and click OK in both dialogs.

  4. Restart HiveServer:

    1. In the Components section, find HiveServer and click Restart in the Actions column.

    2. Enter an execution reason and click OK, then click OK again in the confirmation dialog.

FAQ

How do I configure the catalog ID in DLF-Auth when using multiple catalogs?

Configure the dlf.catalog.id key for each compute engine separately in DLF-Auth. Presto is not supported for this configuration.

Configure Hive

  1. In the EMR console, navigate to your cluster and click Services in the Actions column.

  2. On the Services tab, find DLF-Auth and click Configure.

  3. Click the dlf-hive-security.xml tab, then click Add Configuration Item.

  4. Set Key to dlf.catalog.id and Value to the DLF catalog ID associated with your cluster. To find the catalog ID, go to the Configure tab of the Hive service page and look up the value of dlf.catalog.id.

  5. Click OK, enter an execution reason, and click Save.

  6. Restart HiveServer:

    1. Go to the Status tab of the Hive service page.

    2. In the Components section, find HiveServer and click Restart in the Actions column.

    3. Enter an execution reason and click OK, then click OK again.

Configure Spark

  1. On the Services tab, find DLF-Auth and click Configure.

  2. Click the dlf-spark-security.xml tab, then click Add Configuration Item.

  3. Set Key to dlf.catalog.id and Value to the DLF catalog ID associated with your cluster. To find the catalog ID, go to the Configure tab of the Spark service page and look up the value of dlf.catalog.id.

  4. Click OK, enter an execution reason, and click Save.

  5. Restart Spark Thrift Server:

    1. Go to the Status tab of the Spark service page.

    2. In the Components section, find SparkThriftServer and click Restart in the Actions column.

    3. Enter an execution reason and click OK, then click OK again.
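
A consistency check for the FAQ procedure above, added here as an example and not taken from the product's own documentation or tooling: it compares the dlf.catalog.id shown for each engine's service configuration with the value set in the matching DLF-Auth file (dlf-hive-security.xml, dlf-spark-security.xml). It assumes both configurations have been exported as Hadoop-style <configuration>/<property> XML; the catalog values and helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KEY = "dlf.catalog.id"  # key name taken from the page


def read_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_catalog_ids(engines):
    """engines maps engine -> (service config XML, DLF-Auth security XML).
    Returns (engine, problem, service_value, dlf_auth_value) tuples."""
    findings = []
    for engine, (service_xml, auth_xml) in sorted(engines.items()):
        expected = read_props(service_xml).get(KEY)
        actual = read_props(auth_xml).get(KEY)
        if not expected:
            findings.append((engine, "missing-in-service", expected, actual))
        elif not actual:
            findings.append((engine, "missing-in-dlf-auth", expected, actual))
        elif actual != expected:
            findings.append((engine, "mismatch", expected, actual))
    return findings


def conf(props):
    """Build a constructed sample configuration document (assumed layout)."""
    body = "".join(
        f"<property><name>{k}</name><value>{v}</value></property>"
        for k, v in props.items())
    return f"<configuration>{body}</configuration>"


# Constructed sample: Hive is consistent, Spark's DLF-Auth file points at
# a different catalog than the Spark service itself.
SAMPLE = {
    "hive": (conf({KEY: "catalog_a"}), conf({KEY: "catalog_a"})),
    "spark": (conf({KEY: "catalog_a"}), conf({KEY: "catalog_b"})),
}

if __name__ == "__main__":
    for finding in check_catalog_ids(SAMPLE):
        print(finding)
```

An empty result means every engine's DLF-Auth file names the same catalog as the engine itself; any finding should be resolved before relying on the permissions granted in the DLF console.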