All Products
Search

This Product

    E-MapReduce:Manage LDAP authentication

    Document Center

    E-MapReduce:Manage LDAP authentication

    Last Updated:Mar 26, 2026

    Enable Lightweight Directory Access Protocol (LDAP) authentication on Impala to require users to present credentials before connecting. This prevents unauthorized access in production clusters and removes the need to configure LDAP manually on each node.

    Prerequisites

    Before you begin, make sure that you have:

    • An EMR cluster running EMR V3.44.0 or later, or EMR V5.10.0 or later

    • Impala and OpenLDAP selected as optional services when the cluster was created

    For instructions on creating a cluster, see Create a cluster.

    Enable LDAP authentication

    Step 1: Go to the Services tab

    1. Log on to the EMR on ECS console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group.

    3. On the EMR on ECS page, find the cluster and click Services in the Actions column.

    Step 2: Add an EMR user

    The LDAP username and password you set here are the credentials you'll use to connect to Impala.

    1. Click the Users tab.

    2. Click Add User.

    3. In the Add User dialog box, select a RAM user from the Username drop-down list, then set Password and Confirm password.

    4. Click OK.

    For more details, see Add a user.

    Step 3: Enable ImpalaLDAP

    1. Click the Services tab, find Impala, and click Status.

    2. Turn on ImpalaLDAP:

      • EMR V5.11.1 or later / EMR V3.45.1 or later: In the Service Overview section, turn on ImpalaLDAP, then click OK in the confirmation message.

      • EMR V5.11.0, EMR V3.45.0, or earlier minor versions: In the Components section, find ImpalaRuntime and click enableLDAP in the Actions column. Enter an Execution Reason and click OK, then click OK again in the Confirm message.

    Step 4: Restart Impala

    1. In the upper-right corner of the Impala service page, choose More > Restart.

    2. Enter an Execution Reason and click OK.

    3. Click OK in the Confirm message.

    Connect to Impala with LDAP credentials

    After LDAP authentication is enabled, all Impala connections require LDAP credentials. Log on to your cluster using SSH, then use one of the following methods.

    Before connecting, get the Impalad node name from the Topology List of Impalad on the Status tab of the Impala service page. The list shows all available nodes—for example, core-1-1 and core-1-2. Pick any one of them.

    Impalad

    impala-shell

    impala-shell -i <Impalad node name> -l -u <Username> --auth_creds_ok_in_clear
    Parameter Description
    -i <Impalad node name> The Impalad node to connect to.
    -l Enables LDAP authentication.
    -u <Username> Your LDAP username, set in Step 2.
    --auth_creds_ok_in_clear Allows LDAP credentials to be sent without SSL/TLS encryption.

    JDBC

    beeline -u 'jdbc:hive2://<Impalad node name>:28000/default;transportMode=http;user=<Username>;password=<Password>'
    Parameter Description
    <Impalad node name> The Impalad node to connect to.
    28000 The JDBC port for Impala.
    transportMode=http The transport mode for the connection.
    <Username> Your LDAP username, set in Step 2.
    <Password> Your LDAP password, set in Step 2.

    Disable LDAP authentication

    1. On the Services tab, find Impala and click Status.

    2. Turn off ImpalaLDAP:

      • EMR V5.11.1 or later / EMR V3.45.1 or later: In the Service Overview section, turn off ImpalaLDAP, then click OK in the confirmation message.

      • EMR V5.11.0, EMR V3.45.0, or earlier minor versions: In the Components section, find ImpalaRuntime and click disableLDAP in the Actions column. Enter an Execution Reason and click OK, then click OK again in the Confirm message.

    3. Restart Impala:

      1. Choose More > Restart.

      2. Enter an Execution Reason and click OK.

      3. Click OK in the Confirm message.