Official documentation:
https://help.aliyun.com/document_detail/62675.html?spm=5176.11065259.1996646101.searchclickresult.3f03c8e7LDHk9O&aly_as=WO9lToO-
When you create a new EMR cluster, the cluster's default LDAP is the one embedded in Apache Directory Server.
Using the LDAP service in the cluster
Method 1 (recommended)
Add a Knox access account directly in User Management
In User Management, enable the feature, select an account, click "Knox password", and then log in with that user.
Method 2
1/ SSH into the cluster (see "SSH login to the cluster" for the detailed steps).
su knox
cd /usr/lib/knox-current/templates
vi users.ldif
Example (contents of users.ldif):
dn: uid=emr-guest,ou=people,o=emr
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: EMR GUEST
sn: User
uid: emr-guest
userPassword:emr-guest-password
Replace every emr-guest in the file with Tom, replace cn: EMR GUEST with cn: Tom, and set the value of userPassword to a password of your own.
2/ Import the file into LDAP.
su knox
cd /usr/lib/knox-current/templates
sh ldap-sample-users.sh
After a new user is added it takes 1 hour by default for it to be synced automatically; to see the new user immediately, restart Ranger usersy from the console.
# After that, when you open the EMR URL you can log in with the LDAP account and password you just created.
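As an added example (not from the page or from Alibaba's own tooling), a small Python helper that applies the step 1 substitutions attribute by attribute and writes userPassword as a salted {SSHA} hash instead of cleartext. It assumes that ApacheDS accepts RFC 2307 style {SSHA} values in userPassword for binds (confirm with a test bind on your instance) and that the template holds only the one entry shown above.

```python
import base64
import hashlib
import os
import re

# Constructed copy of the users.ldif template entry shown above (assumption:
# the real file holds only this entry; loop per entry if yours has more).
TEMPLATE_LDIF = """dn: uid=emr-guest,ou=people,o=emr
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: EMR GUEST
sn: User
uid: emr-guest
userPassword: emr-guest-password
"""
# Reject names that would need RFC 4514 DN escaping or break LDIF line structure.
SAFE_UID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def ssha_hash(password: str, salt: bytes = None) -> str:
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def render_user_ldif(template: str, uid: str, cn: str, password: str) -> str:
    """Rewrite dn/uid, cn and userPassword per attribute; a blind search-and-replace
    of 'emr-guest' would also hit other values (e.g. the sample password)."""
    if not SAFE_UID.match(uid) or any(c in cn for c in "\r\n"):
        raise ValueError("uid/cn contains characters unsafe for a DN or LDIF")
    out = []
    for line in template.splitlines():
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            value = f"uid={uid},ou=people,o=emr"
        elif attr == "uid":
            value = uid
        elif attr == "cn":
            value = cn
        elif attr == "userPassword":
            value = ssha_hash(password)
        out.append(f"{attr}: {value}")
    return "\n".join(out) + "\n"
```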
Enabling LDAP on HiveServer2:
https://help.aliyun.com/document_detail/138966.html?spm=5176.11065259.1996646101.searchclickresult.6a1869d6XseOBO
# In the Hive configuration --> hiveserver2-site --> custom configuration, add the settings below,
save them, and then restart HiveServer2.
hive.server2.authentication LDAP
# The format is ldap://${emr-header-1-hostname}:10389; get the variable by running the hostname command on emr-header-1
hive.server2.authentication.ldap.url ldap://emr-header-1.cluster-635:10389
hive.server2.authentication.ldap.baseDN ou=people,o=emr
Verification:
beeline
!connect jdbc:hive2://10.52.5.190:10000
!connect jdbc:hive2://localhost:10000
# A wrong LDAP account or password must be refused access:
beeline> !connect jdbc:hive2://localhost:10000
Connecting to jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: kudu
Enter password for jdbc:hive2://localhost:10000: *****
20/02/10 11:44:33 INFO [main] Utils: Supplied authorities: localhost:10000
20/02/10 11:44:33 INFO [main] Utils: Resolved authority: localhost:10000
20/02/10 11:44:33 WARN [main] HiveConnection: Failed to connect to localhost:10000
Unknown HS2 problem when communicating with Thrift server.
Error: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10000: Peer indicated failure: Error validating the login (state=08S01,code=0)
Impala LDAP configuration:
Open-source configuration:
https://my.oschina.net/guol/blog/887915
CDH configuration:
https://cloud.tencent.com/developer/article/1078631
Impala LDAP integration (read this one carefully):
https://www.iteye.com/blog/lookqlp-2165135
# Because the Impala service in the EMR console has no custom configuration button, the only option is to edit the template
Edit the template configuration file on every node and add the LDAP-related settings
vim /var/lib/ecmagent/cache/ecm/service/IMPALA/2.12.2.0.1.5/package/templates/impalad.flgs
Append the following to the end of that configuration file:
-enable_ldap_auth=true
-ldap_baseDN=ou=people,o=emr
-ldap_passwords_in_clear_ok=true
-ldap_uri=ldap://emr-header-1:10389
After the configuration is done, restart Impala from the EMR console and then test with the commands below:
Running impala-shell directly, as below, fails to connect
impala-shell
Supplying an LDAP username (a Knox username) as below and then entering the password logs in correctly:
impala-shell -l -u <username> --auth_creds_ok_in_clear
or:
impala-shell -i localhost:21000 -l -u kudu --ldap_password_cmd="echo -n Kudu123456" --auth_creds_ok_in_clear
impala-shell -i localhost:21000 -l -u kudu --auth_creds_ok_in_clear
impala-shell -i 127.0.0.1:21000 -u kudu -l --auth_creds_ok_in_clear
After the service restart you can also see that:
the configuration from the template has been synced to /etc/ecm/impala-conf/impalad.flgs
Note:
Sometimes, when editing a file under templates with vim xxx and being interrupted, the leftover temporary swap file blocks the Impala service restart from the console
cd /var/lib/ecm-agent/cache/ecm/service/IMPALA/2.12.2.0.1.5/package/templates
ll -lrta ./*
rm -rf ./.*.swo
Then restart the Impala service again
Appendix:
Starting the Impala services manually:
su impala
/usr/lib/impala-current/sbin/catalogd start
/usr/lib/impala-current/sbin/statestored start
Viewing the EMR Impala logs
less /mnt/disk1/log/impala/launch-impala-catalogd.log
less /mnt/disk1/log/impala/catalogd.ERROR
less /mnt/disk1/log/impala/launch-impala-statestored.log
less /mnt/disk1/log/impala/statestored.INFO
less /mnt/disk1/log/impala/statestored.ERROR
ps -aux | grep 24761
netstat -nap | grep impa
env | grep JAVA