All Products
Search

This Product

    E-MapReduce:Manage LDAP authentication

    Document Center

    E-MapReduce:Manage LDAP authentication

    Last Updated:Mar 25, 2026

    Enabling Lightweight Directory Access Protocol (LDAP) authentication for a service requires an LDAP username and password on each access, which strengthens service security. E-MapReduce (EMR) lets you enable LDAP authentication for the Presto service with a single toggle — no manual LDAP configuration required.

    Limitations

    LDAP authentication is supported only on common clusters. High-security clusters cannot enable LDAP authentication.

    Prerequisites

    Before you begin, ensure that you have:

    • An EMR cluster running on ECS

    • Presto and OpenLDAP selected as optional services when the cluster was created. For more information, see Create a cluster

    Step 1: Add an EMR user

    1. Log on to the EMR on ECS console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group.

    3. On the EMR on ECS page, find the target cluster and click Nodes in the Actions column.

    4. Click the Users tab.

    5. Add a user. For more information, see Add a user.

    Step 2: Enable LDAP authentication

    1. Click the Services tab.

    2. Find the Presto service and click Status.

    3. In the Service Overview section, turn on PrestoLDAP.

    4. In the confirmation message, click OK.

    5. Restart PrestoMaster:

      1. In the Components section, find PrestoMaster and click Restart in the Actions column.

      2. In the dialog box, set the Execution Reason parameter and click OK.

      3. In the Confirm dialog box, click OK.

    Step 3: Connect to Presto

    SSH into your cluster and run the following command to connect to Presto. For SSH access instructions, see Log on to a cluster.

    Important

    After enabling LDAP authentication, Presto is accessible only over HTTPS on port 7779. The HTTP port 8889 is disabled, and http-server.http.port is overwritten by http-server.https.port.

    presto --server https://<fqdn>:7779 \
  --keystore-path <keystore_location> \
  --keystore-password <keystore_passwd> \
  --catalog hive \
  --user <user> \
  --password

    Replace the placeholders with the values described in the following table.

    PlaceholderDescriptionHow to get
    <fqdn>The fully qualified domain name (FQDN) of the master-1-1 node. Format: master-1-1.c-xxxxxxx.cn-xxxxxx.emr.aliyuncs.com.Run hostname -f on the master-1-1 node.
    <keystore_location>The path to the keystore file. This is the value of http-server.https.keystore.path in config.properties.Fixed value: /etc/emr/presto-conf/keystore.
    <keystore_passwd>The password for the keystore file. This is the value of http-server.https.keystore.key in config.properties.Run awk -F= '/http-server.https.keystore.key/{print $2}' ${PRESTO_CONF_DIR}/config.properties on the master-1-1 node.
    <user>The LDAP username you added in Step 1.

    When prompted, enter the password for the LDAP user you added in Step 1.

    Step 4: Disable LDAP authentication (optional)

    1. On the Presto service page, click the Status tab.

    2. In the Service Overview section, turn off PrestoLDAP.

    3. In the confirmation message, click OK.

    4. Restart PrestoMaster:

      1. In the Components section, find PrestoMaster and click Restart in the Actions column.

      2. In the dialog box, set the Execution Reason parameter and click OK.

      3. In the Confirm dialog box, click OK.