Application support and considerations with LDAP for Amazon EMR

Supported applications with LDAP for Amazon EMR

Important

The applications listed on this page are the only applications that Amazon EMR supports for LDAP. To ensure cluster security, you can only include LDAP-compatible applications when you create an EMR cluster with LDAP enabled. If you attempt to install other, unsupported applications, Amazon EMR will reject your request for a new cluster.

Amazon EMR releases 6.12 and higher support LDAP integration with the following applications:

  • Apache Livy

  • Apache Hive through HiveServer2 (HS2)

  • Trino

  • Presto

  • Hue

You can also install the following applications on an EMR cluster and configure them to meet your security needs:

  • Apache Spark

  • Apache Hadoop

Supported features with LDAP for Amazon EMR

Note

To keep LDAP credentials secure, you must use in-transit encryption to secure the flow of data on and off the cluster. For more information about in-transit encryption, see Encrypt data at rest and in transit.

You can use the following Amazon EMR features with the LDAP integration:

  • Encryption in transit (required) and at rest

  • Instance groups, instance fleets, and Spot Instances

  • Reconfiguration of applications on a running cluster

  • EMRFS server-side encryption (SSE)

Unsupported features

Consider the following limitations when you use the Amazon EMR LDAP integration:

  • Amazon EMR disables steps for clusters with LDAP enabled.

  • Amazon EMR doesn't support runtime roles or Amazon Lake Formation integrations for clusters with LDAP enabled.

  • Amazon EMR doesn't support LDAP with StartTLS.

  • Amazon EMR doesn't support high-availability mode (clusters with multiple primary nodes) for clusters with LDAP enabled.

  • You can't rotate bind credentials or certificates for clusters with LDAP enabled. If you need to rotate any of those fields, we recommend that you start a new cluster with the updated bind credentials or certificates.

  • You must use exact search bases with LDAP. The LDAP user and group search bases don't support LDAP search filters.
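
The following pre-flight check is an added example, not code from AWS or Amazon EMR: it lints a planned cluster definition against the supported applications and the limitations listed on this page before you submit the request. The request dictionary and its field names are hypothetical, the `ldaps://` check is an assumption inferred from the StartTLS limitation, and the search-base check is a simplified DN test that does not handle escaped commas.

```python
import re
from urllib.parse import urlsplit

# Application lists copied from this page; request field names are hypothetical.
LDAP_APPS = {"Livy", "Hive", "Trino", "Presto", "Hue"}
SELF_CONFIGURED_APPS = {"Spark", "Hadoop"}
# One RDN: attribute=value, value free of filter/wildcard characters.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^()*&|!=,]+$")


def is_exact_search_base(base):
    """True if base is a plain DN such as ou=people,dc=example,dc=org."""
    parts = [p.strip() for p in base.split(",")]
    return bool(base.strip()) and all(RDN.match(p) for p in parts)


def preflight(req):
    """Return the list of findings for a constructed cluster request dict."""
    findings = []
    extra = set(req.get("applications", [])) - LDAP_APPS - SELF_CONFIGURED_APPS
    if extra:
        findings.append("unsupported applications: " + ", ".join(sorted(extra)))
    if not req.get("in_transit_encryption"):
        findings.append("in-transit encryption is required")
    if req.get("steps"):
        findings.append("steps are disabled on LDAP clusters")
    if req.get("primary_nodes", 1) > 1:
        findings.append("multiple primary nodes are not supported")
    for feature in ("runtime_roles", "lake_formation"):
        if req.get(feature):
            findings.append(feature + " is not supported with LDAP")
    # Assumption: with StartTLS unsupported, TLS must come from an ldaps:// URL.
    if urlsplit(req.get("ldap_url", "")).scheme.lower() != "ldaps":
        findings.append("LDAP URL must use ldaps:// (StartTLS is not supported)")
    for key in ("user_search_base", "group_search_base"):
        if not is_exact_search_base(req.get(key, "")):
            findings.append(key + " must be an exact DN, not a search filter")
    return findings


# Constructed sample requests (not real cluster definitions).
GOOD = {"applications": ["Hive", "Hue", "Spark"], "in_transit_encryption": True,
        "ldap_url": "ldaps://ldap.example.org:636",
        "user_search_base": "ou=people,dc=example,dc=org",
        "group_search_base": "ou=groups,dc=example,dc=org"}
BAD = dict(GOOD, applications=["Hive", "Flink"], steps=["nightly-etl"],
           primary_nodes=3, ldap_url="ldap://ldap.example.org:389",
           user_search_base="(&(objectClass=person)(ou=people))")

if __name__ == "__main__":
    for finding in preflight(BAD):
        print("FAIL:", finding)
```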