Using ApacheDS to Authenticate Presto Users

The Presto service can be connected to LDAP for user password authentication. Only the Coordinator node needs to be connected to LDAP. The main steps are as follows:

1. Configure ApacheDS, and enable LDAPS

2. Create user information in ApacheDS

3. Configure the Presto Coordinator, and restart it for the changes to take effect.

4. Verify the configuration

The relevant steps are described in detail below.

Enable LDAPS

1. Create a keystore for the ApacheDS server, where all passwords are set to '123456':

## Create a keystore
> cd /var/lib/apacheds-2.0.0-M24/default/conf/
> keytool -genkeypair -alias apacheds -keyalg RSA -validity 7 -keystore ads.keystore

Enter the keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: apacheds
What is the name of your organizational unit?
[Unknown]: apacheds
What is the name of your organization?
[Unknown]: apacheds
What is the name of your City or Locality?
[Unknown]: apacheds
What is the name of your State or Province?
[Unknown]: apacheds
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=apacheds, OU=apacheds, O=apacheds, L=apacheds, ST=apacheds, C=CN correct?
[no]: yes

Enter key password for <apacheds>
(RETURN if same as keystore password):
Re-enter new password:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry standard format, using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".

2. Modify the configuration and enable LDAPS

Open ApacheDS Studio, and connect to the ApacheDS service on the cluster:

  • Set the DN to: uid=admin,ou=system
  • The password can be obtained from the EMR console

After connecting, open the configuration page, enable LDAPS, enter the keystore created in the first step in the relevant configuration field, and save (Ctrl+S).

3. Restart ApacheDS

Log on to the cluster and run the following command to restart ApacheDS:

> service apacheds-2.0.0-M24-default restart

At this point, LDAPS is started on service port 10636.

ApacheDS Studio has a bug: when you test the LDAPS service connection on the connection property page, a handshake failure is reported. This is mainly caused by the internal default timeout being too short, and it does not affect actual use.

Create User Information

In this example, the users are created under the DN dc=hadoop,dc=apache,dc=org.

1. Create a partition dc=hadoop,dc=apache,dc=org

Open the configuration page, make the following configuration, and press ctrl+s to save. Restart ApacheDS for it to take effect.

2. Create the users

Log on to the cluster and create the following file: /tmp/users.ldif

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people

Run the following command to import the users:

> ldapmodify -x -h localhost -p 10389 -D "uid=admin,ou=system" -w {password} -a -f /tmp/users.ldif

Once the execution is complete, the relevant users can be seen on ApacheDS Studio as follows:
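An added example (not part of the original post): a pre-import check for an LDIF file such as /tmp/users.ldif that flags entries with no objectClass and userPassword values stored without a {SCHEME} hash prefix. The sample LDIF, the user tom and both password values are constructed for the demonstration; `lint_ldif` and `sample_ldif` are hypothetical names.

```shell
# lint_ldif [FILE]: print "<dn>: <problem>" per finding; exit 1 if any.
lint_ldif() {
  awk '
    function report() {                      # called at the end of each entry
      if (dn != "") {
        if (!has_oc) { print dn ": missing objectClass"; bad++ }
        if (clear)   { print dn ": userPassword is cleartext"; bad++ }
        if (b64)     { print dn ": userPassword is base64, decode to check"; bad++ }
      }
      dn = ""; has_oc = 0; clear = 0; b64 = 0
    }
    function check(line,   i, attr, val) {   # one unfolded "attr: value" line
      i = index(line, ":"); if (i == 0) return
      attr = tolower(substr(line, 1, i - 1))
      val = substr(line, i + 1); sub(/^[ \t]+/, "", val)
      if (attr == "dn") dn = val
      else if (attr == "objectclass") has_oc = 1
      else if (attr == "userpassword") {
        if (val ~ /^:/) b64 = 1                           # "userPassword:: ..."
        else if (val !~ /^[{][A-Za-z0-9-]+[}]/) clear = 1  # no {SCHEME} prefix
      }
    }
    { sub(/\r$/, "") }                       # tolerate CRLF files
    /^#/ { next }                            # comment line
    /^ / { cur = cur substr($0, 2); next }   # folded continuation line
    { if (cur != "") check(cur); cur = $0; if ($0 == "") report() }
    END { if (cur != "") check(cur); report(); exit (bad > 0) }
  ' "$@"
}

# Constructed sample, not the page's users.ldif; the {SSHA} value is a placeholder.
sample_ldif() {
  cat <<'EOF'
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectClass: organizationalUnit
ou: people

dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectClass: inetOrgPerson
cn: sam
sn: sam
userPassword: sam-password

dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
cn: tom
userPassword: {SSHA}Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
EOF
}

sample_ldif | lint_ldif || true   # prints one finding for sam, one for tom
```

Run `lint_ldif /tmp/users.ldif` before the `ldapmodify` import; a non-zero exit status means at least one finding.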

Configure Presto

This is mainly divided into two parts:

1. Enable Coordinator HTTPS

Create a keystore for Presto Coordinator

## Generate a keystore using the script that comes with EMR
## Keystore address: /etc/ecm/presto-conf/keystore
## Keystore password: ******
> expect /var/lib/ecm-agent/cache/ecm/service/PRESTO/

Configure Presto Coordinator

Edit the /etc/ecm/presto-conf/ file, and add the following:


2. Configure the authentication mode and access ApacheDS

Edit the /etc/ecm/presto-conf/ file, and add the following:


Edit the jvm.config file, and add the following:

Create the file, and add the following:

Create the file, and add the following:,ou=system{password}

Package the file into a jar, and copy it to the Presto library directory:

> jar -cvf jndi-properties.jar
> cp ./jndi-properties.jar /etc/ecm/presto-current/lib/

  • The following three parameters are used to log on to the LDAP service, but they cannot be configured in Presto. Analysis of the source code shows that there is no point in passing them as JVM parameters either (they are filtered out, so doing so has no effect):,ou=system{LDAP password}
  • Further analysis of the code reveals that the JNDI library uses the class loader to load the resource file. Therefore, these parameters can be put into the file.
  • The Presto launcher only adds jar files to the classpath, so you need to package this file into a jar and copy it to the lib directory.

3. Restart Presto. At this point, all configurations are complete.

Verify the Configuration

Use the Presto CLI to verify whether the configuration takes effect.

## Using the user ID sam, enter the correct password
> presto --server https://emr-header-1:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <correct password entered>
Presto:default> show schemas;
(5 rows)

