Using ApacheDS to Authenticate Presto Users

The Presto service can be connected to LDAP for user password authentication. Only the Coordinator node needs to be connected to LDAP. The main steps are as follows:

1. Configure ApacheDS, and enable LDAPS

2. Create user information in ApacheDS

3. Configure the Presto Coordinator, and restart it for the configuration to take effect.

4. Verify the configuration

The relevant steps are described in detail below.

Enable LDAPS

1. Create a keystore for the ApacheDS server, where all passwords are set to '123456':

2. Modify the configuration and enable LDAPS

Open ApacheDS Studio, and link to the ApacheDS service on the cluster:

  • Set the DN to: uid=admin,ou=system
  • The password can be obtained from the EMR console

After linking, open the configuration page, enable LDAPS, set the keystore created in the first step to the relevant configuration, and save (ctrl+s).

3. Restart ApacheDS

Log on to the cluster and run the following command to restart ApacheDS. At this point, LDAPS is started with service port 10636.

ApacheDS Studio has a bug. When you test the LDAPS service connection on the connection property page, a handshake failure is reported. This is mainly caused by the internal default timeout being too short and does not affect actual use.

Create User Information

In this example, create related users under DN: dc=hadoop,dc=apache,dc=org.

1. Create a partition dc=hadoop,dc=apache,dc=org

Open the configuration page, make the following configuration, and press ctrl+s to save. Restart ApacheDS for it to take effect.

2. Create the users

Log on to the cluster and create the following file: /tmp/users.ldif

Run the following command to import the users:

Once the execution is complete, the relevant users can be seen on ApacheDS Studio as follows:

Configure Presto

This is mainly divided into two parts:

1. Enable Coordinator HTTPS

Create a keystore for Presto Coordinator

Configure Presto Coordinator

Edit the /etc/ecm/presto-conf/config.properties file, and add the following:

2. Configure the authentication mode and access ApacheDS

Edit the /etc/ecm/presto-conf/config.properties file, and add the following:

Edit the jvm.config file, and add the following:

Create the password-authenticator.properties file, and add the following:

Create the jndi.properties file, and add the following:

Package the jndi.properties file into a jar package, and copy it to the Presto library file directory

  • The following three parameters are used to log on to the LDAP service. However, these parameters cannot be configured on Presto. Analysis of the source code shows that there is no point in passing them as JVM parameters, because they are filtered out and have no effect:
  • Further analysis of the code reveals that the JNDI library uses the class loader to load the resource file jndi.properties. Therefore, these parameters can be put into the jndi.properties file.
  • The Presto launcher only adds jar files to the classpath, so you need to package the jndi.properties file into a jar and copy it to the lib directory.
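The packaging step described above, as an added example that is not part of the original article: it writes jndi.properties at the jar root, where a class loader resource lookup finds it, and checks the jar before it is copied to the lib directory. The three key names are the standard JNDI simple-bind properties, assumed here because the article's own list is not shown; the jar names, the `demo` helper and the password placeholder are also assumptions.

```python
import os, stat, tempfile, zipfile

# Standard JNDI simple-bind keys (assumed; the article's own list is not shown).
REQUIRED = ("java.naming.security.authentication",
            "java.naming.security.principal",
            "java.naming.security.credentials")

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)  # DN values contain '=' themselves
            props[key.strip()] = value.strip()
    return props

def build_jar(props_path, jar_path, arcname="jndi.properties"):
    """Package the file at the jar root, where the class loader looks for it."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.write(props_path, arcname=arcname)
    os.chmod(jar_path, 0o640)  # holds the bind credential: not world-readable
    return jar_path

def check_jar(jar_path):
    """Return a list of problems; an empty list means the jar is usable."""
    with zipfile.ZipFile(jar_path) as jar:
        if "jndi.properties" not in jar.namelist():
            return ["jndi.properties is not at the jar root"]
        props = parse_properties(jar.read("jndi.properties").decode("iso-8859-1"))
    problems = ["missing or empty: " + k for k in REQUIRED if not props.get(k)]
    if stat.S_IMODE(os.stat(jar_path).st_mode) & 0o007:
        problems.append("jar is accessible to other users")
    return problems

def demo():
    """Build one correct and one misplaced jar from constructed sample input."""
    sample = ("java.naming.security.authentication=simple\n"
              "java.naming.security.principal=uid=admin,ou=system\n"
              "java.naming.security.credentials=<bind-password>\n")  # placeholder
    work = tempfile.mkdtemp()
    src = os.path.join(work, "jndi.properties")
    with open(src, "w", encoding="iso-8859-1") as fh:
        fh.write(sample)
    good = build_jar(src, os.path.join(work, "jndi-properties.jar"))
    bad = build_jar(src, os.path.join(work, "nested.jar"), "conf/jndi.properties")
    return check_jar(good), check_jar(bad)

if __name__ == "__main__":
    print(demo())
```

A jar that stores the file under a subdirectory is reported as unusable, because the resource lookup for jndi.properties only matches an entry at the root of a classpath element.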

3. Restart Presto. At this point, all configurations are complete

Verify the Configuration

Use the Presto CLI to verify whether the configuration takes effect.

Reference: https://www.alibabacloud.com/blog/using-apacheds-to-authenticate-presto-users_594792?spm=a2c41.12883067.0.0
