E-MapReduce: Manage LDAP authentication

Last Updated: Jun 29, 2023

After Lightweight Directory Access Protocol (LDAP) authentication is enabled for a service, you must provide your LDAP username and password when you access the service, which improves the security of the service. You can enable LDAP authentication for a service in the EMR console in a few steps, without configuring LDAP authentication manually. This topic describes how to enable LDAP authentication for the Presto service and access Presto.

Prerequisites

An E-MapReduce (EMR) cluster is created. Presto and OpenLDAP are selected from the optional services when you create the cluster. For more information, see Create a cluster.

Precautions

This feature applies only to common clusters. You cannot enable LDAP authentication for high-security clusters.

Procedure

  1. Add an EMR user.

    1. Log on to the EMR on ECS console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.

    3. On the EMR on ECS page, find the desired cluster and click Nodes in the Actions column.

    4. Click the Users tab.

    5. Add a user. For more information, see Add a user.

  2. Enable LDAP authentication.

    1. Click the Services tab.

    2. On the Services tab, find the Presto service and click Status.

    3. In the Service Overview section of the Status tab, turn on PrestoLDAP.

    4. In the message that appears, click OK.

    5. Restart PrestoMaster.

      1. In the Components section of the Status tab, find PrestoMaster and click Restart in the Actions column.

      2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

      3. In the Confirm message, click OK.

  3. Access the Presto service.

    After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access the Presto service.

    1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.

    2. Run the following command to access the Presto service.

      Important

      After you enable LDAP authentication, you can access the Presto service only over HTTPS. The HTTP port 8889 is inaccessible, and the specified http-server.http.port is overwritten by http-server.https.port. You can use only the HTTPS port 7779 to access the Presto service.

      presto --server https://{fqdn}:7779 --keystore-path {keystore_location} \
      --keystore-password {keystore_passwd} --catalog hive --user {user} --password

      | Parameter | Description |
      | --- | --- |
      | {fqdn} | The fully qualified domain name (FQDN) of the master-1-1 node. The FQDN must be in the master-1-1.c-xxxxxxx.cn-xxxxxx.emr.aliyuncs.com format. You can run the hostname -f command to obtain the FQDN. |
      | {keystore_location} | The path used to store the keystore file. The value of the http-server.https.keystore.path parameter in the config.properties file. The value is fixed as /etc/emr/presto-conf/keystore. |
      | {keystore_passwd} | The password used to access the keystore file. The value of the http-server.https.keystore.key parameter in the config.properties file. You need to obtain the value on your own. You can run the awk -F= '/http-server.https.keystore.key/{print $2}' ${PRESTO_CONF_DIR}/config.properties command on the master-1-1 node to obtain the value. |
      | {user} | The LDAP username that you specified in Step 1. |

      After you run the preceding command, enter the password of the LDAP user that you specified in Step 1.

  4. Optional. Disable LDAP authentication.

    1. In the Service Overview section of the Status tab on the Presto service page, turn off PrestoLDAP.

    2. In the message that appears, click OK.

    3. Restart PrestoMaster.

      1. In the Components section of the Status tab, find PrestoMaster and click Restart in the Actions column.

      2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

      3. In the Confirm message, click OK.
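
The access step (Step 3) as an added example that is not part of the EMR documentation: shell helpers that read the keystore path and password from config.properties and start the Presto CLI on port 7779. The function names, the file name in the usage comment and the sample file are assumptions made for illustration; unlike the awk one-liner in the parameter table, get_prop matches the key exactly and keeps any = characters inside the value.

```bash
# Added example, not part of the EMR documentation. Function names are
# hypothetical; property names, port and paths are the ones on this page.
# Usage on master-1-1 (hypothetical file name):
#   . ./presto_ldap.sh && connect <ldap_user>

# Print the value of one key from a .properties file: the key is matched
# exactly, '=' inside the value is kept, whitespace and a trailing CR go.
get_prop() {
  awk -v k="$1" '
    /^[ \t]*[#!]/ { next }             # comment line
    {
      i = index($0, "="); if (i == 0) next
      name = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name != k) next
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      hit = 1                           # if the key repeats, keep the last
    }
    END { if (!hit) exit 1; print val }
  ' "$2"
}

# Write a constructed config.properties for trying get_prop offline.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real cluster configuration
http-server.https.port=7779
http-server.https.keystore.path = /etc/emr/presto-conf/keystore
http-server.https.keystore.key=Ab=cd==
EOF
}

# Start the Presto CLI as LDAP user $1; the LDAP password is prompted for.
connect() {
  conf="${PRESTO_CONF_DIR}/config.properties"
  ks=$(get_prop http-server.https.keystore.path "$conf") || return 1
  pw=$(get_prop http-server.https.keystore.key "$conf") || return 1
  presto --server "https://$(hostname -f):7779" \
    --keystore-path "$ks" --keystore-password "$pw" \
    --catalog hive --user "$1" --password
}
```

The keystore password is passed to the CLI as an argument, so it is visible in the process list on the node while the session is open; the LDAP password is not, because --password prompts for it.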