Using ApacheDS to Authenticate Presto Users

Enable LDAPS

## Create a keystore
# -validity is in days; 7 only suits a short test, so choose a longer period for a real deployment
# Newer JDKs (8u181 and later) check that the certificate name matches the host in ldap.url, so use the LDAPS host name (emr-header-1.cluster-84423 below) rather than "apacheds" as the first and last name, or add it with -ext san=dns:<hostname>
> cd /var/lib/apacheds-2.0.0-M24/default/conf/
> keytool -genkeypair -alias apacheds -keyalg RSA -validity 7 -keystore ads.keystore

Enter the keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: apacheds
What is the name of your organizational unit?
[Unknown]: apacheds
What is the name of your organization?
[Unknown]: apacheds
What is the name of your City or Locality?
[Unknown]: apacheds
What is the name of your State or Province?
[Unknown]: apacheds
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=apacheds, OU=apacheds, O=apacheds, L=apacheds, ST=apacheds, C=CN correct?
[no]: yes

Enter key password for <apacheds>
(RETURN if same as keystore password):
Re-enter new password:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry standard format, using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".
## Change the owner of the keystore to the apacheds service account; otherwise ApacheDS cannot read the file
> chown apacheds:apacheds ./ads.keystore

## Export the certificate.
# keytool asks for the keystore password set in the previous step (123456 in this walkthrough; use something stronger outside a test)
> keytool -export -alias apacheds -keystore ads.keystore -rfc -file apacheds.cer
Enter the keystore password:
Certificate stored in file <apacheds.cer>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry standard format, using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".

## Import the certificate into the JVM's default trust store (cacerts) so that Java clients, Presto included, trust the self-signed certificate. The default cacerts password is changeit, and keytool asks you to confirm that the certificate should be trusted
> keytool -import -file apacheds.cer -alias apacheds -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
> service apacheds-2.0.0-M24-default restart

Create User Information

Save the following as /tmp/users.ldif, the file the ldapmodify command at the end loads. LDIF entries must be separated by blank lines. The sample passwords are stored in this file in clear text, so replace them and protect the file before using the directory for anything real.

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people

# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Guest
sn: User
uid: guest
userPassword: guest-password

# Entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword: admin-password

# Entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword: sam-password

# Entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword: tom-password

# Create FIRST level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
description: generic groups branch

# Create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupOfNames
cn: analyst
description: analyst group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# Create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupOfNames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org

# Load the file as the ApacheDS admin account (uid=admin,ou=system). -w puts the password on the command line, where it lands in the shell history and process list; -W prompts for it instead
> ldapmodify -x -h localhost -p 10389 -D "uid=admin,ou=system" -w {password} -a -f /tmp/users.ldif

Configure Presto

## Generate a keystore using the script that comes with EMR
## Keystore location: /etc/ecm/presto-conf/keystore
# Keystore password : ******
> expect /var/lib/ecm-agent/cache/ecm/service/PRESTO/0.208.0.1.2/package/files/tools/gen-keystore.exp

## config.properties: serve HTTPS from that keystore and switch to password authentication (Presto accepts passwords only over HTTPS, so the two settings go together)
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/etc/ecm/presto-conf/keystore
http-server.https.keystore.key=******
http-server.authentication.type=PASSWORD

## jvm.config: point the JVM at the trust store that now holds the ApacheDS certificate; one option per line, and changeit is the default cacerts password
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit

## password-authenticator.properties: authenticate each login by binding to ApacheDS over LDAPS as the user named by the pattern
password-authenticator.name=ldap
ldap.url=ldaps://emr-header-1.cluster-84423:10636
ldap.user-bind-pattern=uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org

## jndi.properties: JNDI reads this file from the classpath as default environment settings, which is why it is packaged into a jar in Presto's lib directory. It carries the ApacheDS admin password in clear text, so make the jar readable only by the Presto service account. Restart Presto after these changes
java.naming.security.principal=uid=admin,ou=system
java.naming.security.credentials={password}
java.naming.security.authentication=simple
> jar -cvf jndi-properties.jar jndi.properties
> cp ./jndi-properties.jar /etc/ecm/presto-current/lib/
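The bind pattern is the one setting here that turns an untrusted login name into a distinguished name. The following Python is an added illustration, not Presto's code and not from the original post: it expands `${USER}` in the pattern copied from the page, contrasts the raw substitution with one escaped per RFC 4514, and shows the simpler allow-list alternative of rejecting any login name that is not plain uid material. Everything other than `BIND_PATTERN` is assumed for the example.

```python
"""How ldap.user-bind-pattern becomes the DN used for the LDAP bind.

Added example, not Presto's code: expands ${USER} in the pattern the page
configures and shows why the substituted value must be escaped as an
RFC 4514 attribute value (or the login name restricted to a safe
alphabet) before it becomes part of a DN.
"""
import re

BIND_PATTERN = "uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org"  # as on the page

# RFC 4514 section 2.4: characters that need a backslash inside an attribute value
_ESCAPES = {"\\": "\\\\", ",": "\\,", "+": "\\+", '"': '\\"', "<": "\\<",
            ">": "\\>", ";": "\\;", "=": "\\=", "\x00": "\\00"}


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN."""
    out = "".join(_ESCAPES.get(ch, ch) for ch in value)
    if out[:1] in (" ", "#"):                  # a leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):                      # and so must a trailing space
        out = out[:-1] + "\\ "
    return out


def bind_dn(user, pattern=BIND_PATTERN, escape=True):
    """Expand ${USER} in the bind pattern; escape=False shows the raw substitution."""
    value = escape_dn_value(user) if escape else user
    return pattern.replace("${USER}", value)


def rdn_count(dn):
    """Number of RDNs, splitting only on commas that are not backslash-escaped."""
    return len(re.split(r"(?<!\\),", dn))


SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")   # assumed allow-list for login names


def is_safe_user(user):
    """Allow-list alternative to escaping: reject anything that is not plain uid material."""
    return bool(SAFE_USER.match(user))


if __name__ == "__main__":
    for name in ["sam", "sam,ou=system"]:
        raw, esc = bind_dn(name, escape=False), bind_dn(name)
        print(f"{name!r}")
        print(f"  raw: {raw}  ({rdn_count(raw)} RDNs)")
        print(f"  esc: {esc}  ({rdn_count(esc)} RDNs)")
        print(f"  allow-listed: {is_safe_user(name)}")
```

The raw substitution of `sam,ou=system` yields a DN with one more RDN than the pattern intends, so the bind is attempted against a different place in the tree; the escaped form keeps it inside `ou=people`. Which of the two behaviours a given Presto build has depends on that build's authenticator, so check its release notes rather than assuming either, and keep login names to the allow-list regardless.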

Verify the Configuration

## Using the user ID sam, enter the correct password
> presto --server https://emr-header-1:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <correct password entered>
Presto:default> show schemas;
Schema
----------------------------------
tpcds_bin_partitioned_orc_5
tpcds_oss_bin_partitioned_orc_10
tpcds_oss_text_10
tpcds_text_5
tst
(5 rows)
Query 20181115_030713_00002_kp5ih, FINISHED, 3 nodes
Splits: 36 total, 36 done (100.00%)
0:00 [20 rows, 331B] [41 rows/s, 694B/s]
## Using the user ID sam, enter the wrong password
> presto --server https://emr-header-1:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <wrong password entered>
Presto:default> show schemas;
Error running command: Authentication failed: Access Denied: Invalid credentials

One caveat on the client command: --keystore-path points the CLI at the server's own keystore, which holds the server's private key as well as its certificate. A client only needs the certificate to verify the server, so outside a test cluster export the certificate into a separate truststore and pass that with --truststore-path instead of handing every user the private key.
