Enabling LDAP authentication enhances Kyuubi security. This requires clients to provide a valid username and password to connect to a Kyuubi Server, start a Spark session, and run SQL queries. This prevents unauthorized access to sensitive data and features.
Prerequisites
- Create a Kyuubi Gateway and a token. For more information, see Gateway management.
  The following engine versions are recommended:
  - esr-4.x: esr-4.3.0 or later.
  - esr-3.x: esr-3.3.0 or later.
  - esr-2.x: esr-2.7.0 or later.
- (Optional) If you want to use the OpenLDAP service of an Alibaba Cloud EMR on ECS cluster, you must create a cluster that includes the OpenLDAP service and add users. For more information, see Create a cluster and OpenLDAP user management.
Procedure
Step 1: Prepare the network
Before you begin, ensure network connectivity between EMR Serverless Spark and your Virtual Private Cloud (VPC). This allows the Kyuubi Gateway to connect to your LDAP service for authentication. For instructions, see Network connectivity between EMR Serverless Spark and other VPCs.
Step 2: Configure Kyuubi Gateway
To enable LDAP authentication for a Kyuubi Gateway, first stop the gateway. Then, edit the Kyuubi Gateway, select the connection name from the Normal Network Connection drop-down list, and add the following parameters in the Kyuubi Configuration section. After finishing editing, restart the Kyuubi Gateway to apply the changes.
kyuubi.authentication LDAP
kyuubi.authentication.ldap.baseDN <ldap_base_dn>
kyuubi.authentication.ldap.userDNPattern <ldap_user_pattern>
kyuubi.authentication.ldap.binddn <ldap_bind_dn>
kyuubi.authentication.ldap.bindpw <ldap_bind_pwd>
kyuubi.authentication.ldap.url ldap://<ldap_url>:<ldap_port>/
This table describes the parameters. Replace the placeholder values with your actual information.
If you are connecting to the OpenLDAP service of an Alibaba Cloud EMR on ECS cluster, you can refer to the example values.
| Parameter | Description | Example |
| --- | --- | --- |
| kyuubi.authentication | Set to LDAP. | |
| kyuubi.authentication.ldap.baseDN | The base distinguished name (DN) for searches in the LDAP service. | |
| kyuubi.authentication.ldap.userDNPattern | The pattern used to convert a login username to a full LDAP DN. For example, when a user named … | |
| kyuubi.authentication.ldap.binddn | The DN used to bind to the LDAP service. | |
| kyuubi.authentication.ldap.bindpw | The password for the bind DN. | Find the value of the admin_pwd parameter in the configuration of the OpenLDAP service. |
| kyuubi.authentication.ldap.url | The connection URL for the LDAP service. The format is ldap://<ldap_url>:<ldap_port>/, as shown above. Note: If LDAP is a high availability service, you must separate multiple LDAP connection addresses with a space. For example, … | |
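As an added example (not code from this page or from the Kyuubi project), the following Python check parses the parameters from Step 2 as they are pasted into the Kyuubi Configuration section, confirms the required keys are present, splits a space-separated high-availability URL list, and shows which DN a login name resolves to. It assumes that userDNPattern carries a %s placeholder for the login name; all example.com values are constructed placeholders.

```python
# Added example: sanity-check the Kyuubi LDAP parameters from Step 2 before
# restarting the gateway, and show which DN a login name resolves to.
# All values below are constructed placeholders, not a real deployment.
from urllib.parse import urlsplit

REQUIRED = ("kyuubi.authentication.ldap.baseDN", "kyuubi.authentication.ldap.userDNPattern",
            "kyuubi.authentication.ldap.binddn", "kyuubi.authentication.ldap.bindpw",
            "kyuubi.authentication.ldap.url")

def parse_config(text):
    """Parse 'key value' lines as pasted into the Kyuubi Configuration section."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf[key] = value.strip()
    return conf

def ldap_urls(conf):
    """The URL list: an HA service lists several addresses separated by spaces."""
    return conf.get("kyuubi.authentication.ldap.url", "").split()

def validate(conf):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    if conf.get("kyuubi.authentication") != "LDAP":
        problems.append("kyuubi.authentication must be LDAP")
    problems += [f"missing {k}" for k in REQUIRED if not conf.get(k)]
    for url in ldap_urls(conf):  # expected form: ldap://<ldap_url>:<ldap_port>/
        p = urlsplit(url)
        if p.scheme != "ldap" or not p.hostname or not p.port:
            problems.append(f"bad LDAP url {url!r}")
    # Assumption: userDNPattern carries a %s placeholder for the login name.
    if "%s" not in conf.get("kyuubi.authentication.ldap.userDNPattern", ""):
        problems.append("userDNPattern lacks a %s placeholder")
    return problems

def user_dn(conf, username):
    """Substitute the login name into userDNPattern to get the full DN."""
    return conf["kyuubi.authentication.ldap.userDNPattern"].replace("%s", username)

SAMPLE = """\
kyuubi.authentication LDAP
kyuubi.authentication.ldap.baseDN dc=example,dc=com
kyuubi.authentication.ldap.userDNPattern uid=%s,ou=people,dc=example,dc=com
kyuubi.authentication.ldap.binddn cn=admin,dc=example,dc=com
kyuubi.authentication.ldap.bindpw CHANGE_ME
kyuubi.authentication.ldap.url ldap://ldap-a.example.com:10389/ ldap://ldap-b.example.com:10389/
"""
```

Run validate(parse_config(SAMPLE)) on your own pasted block before restarting the gateway; a non-empty list points at the parameter to fix.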
Step 3: Connect to Kyuubi Gateway
This section provides two common connection methods. Before you connect to the Kyuubi Gateway, replace the following placeholders with your actual information:
- <endpoint>: The Endpoint (Public) or Endpoint (Internal) information from the Overview tab. If you use the internal endpoint, access to the Kyuubi Gateway is restricted to resources within the same VPC.
- <token>: The token information from the Tokens tab.
- <port>: The port number. The port number is 443 for access over a public endpoint and 80 for access over an internal same-region endpoint.
- <username> and <password>: The username and password for logging in to the LDAP service. If you are connecting to the OpenLDAP service of an Alibaba Cloud EMR on ECS cluster, use the username and password that you added on the Users page in EMR on ECS.
Method 1: Use kyuubi-beeline CLI
- Specify the username and password directly: You can provide credentials directly as command-line arguments, but this method exposes the password.
  kyuubi-beeline -u 'jdbc:hive2://<endpoint>:<port>/;transportMode=http;httpPath=cliservice/token/<token>' -n <username> -p <password>
- Enter the password interactively: For better security, omit the password from the -p option. You will then be prompted to enter it manually, and the input characters will not be displayed.
  kyuubi-beeline -u 'jdbc:hive2://<endpoint>:<port>/;transportMode=http;httpPath=cliservice/token/<token>' -n <username> -p
Method 2: Use a JDBC URL
To connect from another application, such as a Java program, or to build a complete JDBC URL, use the following format.
jdbc:hive2://<endpoint>:<port>/;transportMode=http;httpPath=cliservice/token/<token>;user=<username>;password=<password>