After Lightweight Directory Access Protocol (LDAP) authentication is enabled for a service, you must provide your LDAP username and password when you access the service. This improves the security of the service. You can enable LDAP authentication for a service in the E-MapReduce (EMR) console by performing simple operations. This frees you from the complex configuration operations of LDAP authentication. This topic describes how to enable and disable LDAP authentication and how to access Impala from an EMR cluster after LDAP authentication is enabled.
Prerequisites
An EMR cluster is created, and Impala and OpenLDAP are selected from the optional services during cluster creation. The EMR cluster version is V3.44.0 or later, or V5.10.0 or later. For more information about how to create an EMR cluster, see Create a cluster.
Procedure
Go to the Services tab.
In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
On the EMR on ECS page, find the desired cluster and click Services in the Actions column.
Add an EMR user.
Click the Users tab.
On the Users tab, click Add User.
In the Add User dialog box, select an existing RAM user as an EMR user account from the Username drop-down list and specify Password and Confirm password.
Click OK.
For more information about how to add a user, see Add a user.
Enable LDAP authentication.
Click the Services tab.
On the Services tab, find Impala and click Status.
Turn on ImpalaLDAP.
Clusters of EMR V5.11.1 or a later minor version and clusters of EMR V3.45.1 or a later minor version
In the Service Overview section, turn on ImpalaLDAP.
In the message that appears, click OK.
Clusters of EMR V5.11.0, EMR V3.45.0, or a minor version earlier than EMR V5.11.0 or EMR V3.45.0
In the Components section, find ImpalaRuntime and click enableLDAP in the Actions column.
In the dialog box that appears, configure the Execution Reason parameter and click OK.
In the Confirm message, click OK.
Restart Impala.
In the upper-right corner of the Services tab of the Impala service page, choose .
In the dialog box that appears, configure the Execution Reason parameter and click OK.
In the Confirm message, click OK.
Connect to Impala.
After LDAP authentication is enabled, you must provide LDAP authentication credentials when you access Impala.
Log on to your cluster in SSH mode. For more information, see Log on to a cluster.
Perform the following operations to access Impala.
Use one of the following methods to access Impala:
impala-shell
impala-shell -i <Impalad node name> -l -u <Username> --auth_creds_ok_in_clearJDBC
beeline -u 'jdbc:hive2://<Impalad node name>:28000/default;transportMode=http;user=<Username>;password=<Password>'
Note<Impalad node name>: You can obtain the node name from Topology List of Impalad on the Status tab of the Impala service page in the EMR console. As shown in the following figure, the core-1-1 and core-1-2 nodes are available. You can select one of the two nodes to connect to Impala.<Username>and<Password>: Set Username and Password to the LDAP username and password that you specified in Step 2.
Optional: Disable LDAP authentication.
On the Services tab, find Impala and click Status.
Turn off enableLDAP.
Clusters of EMR V5.11.1 or a later minor version and clusters of EMR V3.45.1 or a later minor version
In the Service Overview section, turn off ImpalaLDAP.
In the message that appears, click OK.
Clusters of EMR V5.11.0, EMR V3.45.0, or a minor version earlier than EMR V5.11.0 or EMR V3.45.0
In the Components section, find ImpalaRuntime and click disableLDAP in the Actions column.
In the dialog box that appears, configure the Execution Reason parameter and click OK.
In the Confirm message, click OK.
Restart Impala.
In the upper-right corner of the Services tab of the Impala service page, choose .
In the dialog box that appears, configure the Execution Reason parameter and click OK.
In the Confirm message, click OK.