As Amazon EMR continues its widespread adoption, it’s important to enforce separation of duties using role-based access when submitting Hive jobs to EMR clusters in multi-tenant environments. In this post, we walk through the steps to set up authentication for Hive using Lightweight Directory Access Protocol (LDAP) and a Microsoft Active Directory Domain Controller.
In a multi-tenant environment, it’s critical to enforce role-based access when submitting Hive jobs to an EMR cluster. The default way of submitting a Hive job to an EMR cluster is the Add Step functionality. Although you can add Hive steps to an existing cluster, such a setup doesn’t enforce role-based access, because Amazon EMR steps are always submitted as the default Hive user. This post outlines the process by which you can enforce EMRFS role mappings when an Active Directory user submits a Hive job after authenticating via LDAP and a Microsoft Active Directory Domain Controller. The following diagram illustrates the infrastructure provisioned by AWS CloudFormation.
The following AWS services are used as part of the recommended solution:
- AWS Secrets Manager – AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- Amazon EMR – Amazon EMR makes it easy to process large amounts of data efficiently. Amazon EMR uses Hadoop processing combined with several AWS products to do tasks such as web indexing, data mining, log file analysis, machine learning, scientific simulation, and data warehousing.
- Amazon EC2 – Amazon Elastic Compute Cloud (Amazon EC2) provides secure, resizable compute capacity in the cloud. It’s designed to make web-scale cloud computing easier for developers.
In our solution (as we discuss it in this post), the corporate user base is maintained in the Microsoft Active Directory Domain Controller. The EMR cluster is integrated with AD using a bootstrap action so that you can securely submit Hive jobs with Beeline by establishing an LDAP-authenticated connection from an edge node (represented by an EC2 instance). The user credentials are stored in and fetched from Secrets Manager when the Beeline connection is established.
Before getting started, you must have the following prerequisites:
- Microsoft Active Directory Domain Controller needs to be installed and set up. For a quick setup of Microsoft Active Directory Domain Controller and VPC, see the step Launch and configure an Active Directory domain controller in the Deploying each component individually section of the post Implement perimeter security in Amazon EMR using Apache Knox.
- A valid AWS account with access to AWS services.
- An Amazon VPC with a public subnet.
- An AWS Identity and Access Management (IAM) policy for Secrets Manager permissions.
Implementing the solution
We provide the CloudFormation template in this post as a general guide. Please review and customize it as needed. You should also be aware that some of the resources deployed by this stack incur costs when they remain in use. The CloudFormation template has the following steps:
- Start an EMR cluster with the configuration from the parameters.
- Integrate the EMR cluster with AD using a bootstrap action.
- Create and launch an EC2 instance to test the integration.
- Add an inbound rule to the Amazon EMR primary additional security group to allow traffic on port 10000 (HiveServer2) from the newly launched EC2 instance.
This section describes how to use the CloudFormation templates to launch an EMR cluster with the following parameters:

| Parameter | Default | Description |
|---|---|---|
| ClusterName | emr-ldap4hive | The name of the cluster. |
| CoreInstanceType | m4.xlarge | The instance type of the core nodes. |
| CoreNodeCount | 2 | The number of core nodes in the cluster. |
| CreateLogBucket | FALSE | A Boolean flag that controls whether a bucket for logs is set up. |
| KeyPair | | Key pair used to log in to the EC2 instance for validation. |
| MasterInstanceType | m4.xlarge | The instance type of the master node. |
| ReleaseLabel | emr-6.0.0 | Amazon EMR version. This template is tested with emr-6.0.0 and emr-5.29.0. |
| RemoteAccessCIDR | | The CIDR range allowed to access Amazon EMR. This is usually the IP address of the local machine. |
| VPCID | | VPC ID used in the Amazon EMR configuration. Make sure you select a public VPC. |
| SubnetId | | Subnet ID used in the Amazon EMR configuration. Make sure you select a subnet that belongs to the selected VPC. |
| ldapurl | | The LDAP URL of the AD domain controller, in the format ldap://<Private IP of AD domain controller>:389. Refer to the first item in the Prerequisites section. |
| passwd4awsadmin | [email protected] | The AD admin password. Must be at least eight characters and contain letters, numbers, and symbols. |
| EC2 AMI | ami-0ac80df6eff0e70b5 | The AMI used to create the EC2 instance for validation. |
| My IP | | The IP address of the local machine. |
The following screenshot shows the Specify stack details page when launching your template.
A bootstrap script ldap-bootstrap.sh is invoked during the cluster creation to perform the following actions:
- Fetch the login credentials for the Active Directory domain admin from Secrets Manager
- Perform the realm join using the credentials fetched
- Enable password-based authentication to the cluster
To deploy the template into your account, choose Launch Stack:
The following screenshot shows the EMR cluster the CloudFormation stack created.
Validating the solution
To validate the solution, SSH to the Ubuntu EC2 instance using the EC2 key pair, as shown in the following screenshot. Refer to the Outputs tab from your AWS CloudFormation stack.
For this post, we used the Ubuntu Server 18.04 LTS (HVM), SSD Volume Type – ami-07ebfd5b3428b6f4d (64-bit x86) / ami-0400a1104d5b9caa1 (64-bit Arm) AMI.
You should see the Python Hive beeline script in /home/ubuntu:
Run demo-hive-beeline.py as shown in the following screenshot. This Python script fetches the AD credentials from Secrets Manager, establishes a Beeline connection to Hive on Amazon EMR, submits Hive commands to create an external table for the NYC taxi dataset located in your Amazon Simple Storage Service (Amazon S3) bucket, and runs a sample select statement on the table.
The script has the following parameters:
- -r or --region_name – AWS Region
- -s or --secret-id – Secret ARN
- -h or --host-name – Amazon EMR public DNS address
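The script described above is not reproduced in the post, so the following is an added example of the same flow, written for this page and not the project's own demo-hive-beeline.py. It assumes the secret is stored as a JSON string with `username` and `password` keys (an assumption; match whatever your template wrote), that Beeline is on the PATH of the edge node, and that HiveServer2 listens on port 10000 as the template's security group rule implies. The bucket name and column list in the sample HQL are constructed placeholders. The password is passed to Beeline through a 0600 file with `-w` rather than `-p`, so it never appears in the process argument list or shell history.

```python
#!/usr/bin/env python3
"""Added example: fetch an AD user's credentials from Secrets Manager and
run Beeline against HiveServer2 on EMR using LDAP authentication."""
import argparse
import json
import os
import subprocess
import tempfile

HIVE_PORT = 10000  # HiveServer2 port opened by the template's security group rule

# Constructed sample job: external table over NYC taxi data plus a select.
# "my-taxi-bucket" and the columns are placeholders, not values from the post.
SAMPLE_HQL = """
CREATE EXTERNAL TABLE IF NOT EXISTS nyc_taxi (
  vendor_id STRING, pickup_datetime STRING, trip_distance DOUBLE
)
ROW FORMAT DELIMITED FIELDS TERMINATED BY ','
LOCATION 's3://my-taxi-bucket/nyc-taxi/';
SELECT vendor_id, COUNT(*) FROM nyc_taxi GROUP BY vendor_id LIMIT 10;
"""


def parse_secret(secret_string):
    """Assumed secret layout: JSON with 'username' and 'password' keys."""
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password") if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return data["username"], data["password"]


def fetch_secret(secret_id, region_name):
    # boto3 is imported here so the rest of the module works without the SDK
    import boto3
    client = boto3.client("secretsmanager", region_name=region_name)
    resp = client.get_secret_value(SecretId=secret_id)
    return parse_secret(resp["SecretString"])


def jdbc_url(host, port=HIVE_PORT, database="default"):
    return f"jdbc:hive2://{host}:{port}/{database}"


def beeline_command(host, username, password_file, hql_file, port=HIVE_PORT):
    # -n is the LDAP user; -w reads the password from a file instead of argv
    return ["beeline", "-u", jdbc_url(host, port), "-n", username,
            "-w", password_file, "-f", hql_file]


def run_hive(host, username, password, hql):
    """Write the password and HQL to a private temp dir, run Beeline, return its exit code."""
    with tempfile.TemporaryDirectory() as tmp:
        pw_path = os.path.join(tmp, "pw")
        hql_path = os.path.join(tmp, "job.hql")
        fd = os.open(pw_path, os.O_WRONLY | os.O_CREAT, 0o600)  # owner-only before any write
        with os.fdopen(fd, "w") as f:
            f.write(password)
        with open(hql_path, "w") as f:
            f.write(hql)
        return subprocess.run(beeline_command(host, username, pw_path, hql_path)).returncode


if __name__ == "__main__":
    # add_help=False because the post's script uses -h for the host name
    ap = argparse.ArgumentParser(add_help=False)
    ap.add_argument("-r", "--region_name", required=True)
    ap.add_argument("-s", "--secret-id", required=True)
    ap.add_argument("-h", "--host-name", required=True)
    args = ap.parse_args()
    user, pw = fetch_secret(args.secret_id, args.region_name)
    raise SystemExit(run_hive(args.host_name, user, pw, SAMPLE_HQL))
```

With LDAP authentication the password is carried to HiveServer2 inside the Thrift connection, so it is only protected on the wire if HiveServer2 has TLS enabled (hive.server2.use.SSL); without that, the edge-node-to-master hop should at least be confined to the security group rule the template adds.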
Delete the CloudFormation stack to clean up all the resources created in this post. Also, stop the EC2 Ubuntu instance that you created in the verification step. If you used the nested stack, AWS CloudFormation deletes all resources in one operation. If you deployed the templates individually, delete them in the reverse order of creation, deleting the VPC stack last.
In this post, we went through the setup and validation of LDAP authentication for Hive using an EMR cluster. This decouples the authentication mechanism from Hive and Amazon EMR and leverages the system of record using LDAP and Active Directory Domain Controller.
About the authors
Kiran Erra is a data architect with AWS. He works with AWS customers to provide guidance and technical assistance about Big Data, AI/ML and Security projects, helping them improve the value of their solutions when using AWS.
Rajarao Vijjapu is a security data architect with AWS. He works with AWS customers and partners to provide guidance and technical assistance about Big Data, Analytics, AI/ML and Security projects, helping them improve the value of their solutions when using AWS.