3.1. Coordinator Kerberos Authentication#
Presto can be configured to enable Kerberos authentication over HTTPS for clients, such as the Presto CLI, or the JDBC and ODBC drivers.
To enable Kerberos authentication for Presto, configuration changes are made on the Presto coordinator. No changes are required to the worker configuration. The worker nodes continue to connect to the coordinator over unauthenticated HTTP. However, if you want to secure the communication between Presto nodes with SSL/TLS, configure Secure Internal Communication.
Environment Configuration#
Kerberos Services#
You will need a Kerberos KDC running on a node that the Presto coordinator can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.
MIT Kerberos Configuration#
Kerberos needs to be configured on the Presto coordinator. At a minimum, there needs
to be a kdc entry in the [realms] section of the /etc/krb5.conf
file. You may also want to include an admin_server entry and ensure that
the Presto coordinator can reach the Kerberos admin server on port 749.
[realms]
PRESTO.EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.presto.example.com = PRESTO.EXAMPLE.COM
presto.example.com = PRESTO.EXAMPLE.COM
The complete documentation
for krb5.conf is hosted by the MIT Kerberos Project. If you are using a
different implementation of the Kerberos protocol, you will need to adapt the
configuration to your environment.
Kerberos Principals and Keytab Files#
The Presto coordinator needs a Kerberos principal, as do users who are going to connect to the Presto coordinator. You need to create these users in Kerberos using kadmin.
In addition, the Presto coordinator needs a keytab file. After you create the principal, you can create the keytab file using kadmin
kadmin
> addprinc -randkey presto@EXAMPLE.COM
> addprinc -randkey presto/presto-coordinator.example.com@EXAMPLE.COM
> ktadd -k /etc/presto/presto.keytab presto@EXAMPLE.COM
> ktadd -k /etc/presto/presto.keytab presto/presto-coordinator.example.com@EXAMPLE.COM
Note
Running ktadd randomizes the principal’s keys. If you have just
created the principal, this does not matter. If the principal already exists,
and if existing users or services rely on being able to authenticate using a
password or a keytab, use the -norandkey option to ktadd.
Java Keystore File for TLS#
When using Kerberos authentication, access to the Presto coordinator should be through HTTPS. You can do it by creating a Java Keystore File for TLS on the coordinator.
System Access Control Plugin#
A Presto coordinator with Kerberos enabled probably needs a System Access Control plugin to achieve the desired level of security.
Presto Coordinator Node Configuration#
You must make the above changes to the environment prior to configuring the Presto coordinator to use Kerberos authentication and HTTPS. After making the following environment changes, you can make the changes to the Presto configuration files.
- Kerberos Services
- MIT Kerberos Configuration
- Kerberos Principals and Keytab Files
- Java Keystore File for TLS
- System Access Control Plugin
config.properties#
Kerberos authentication is configured in the coordinator node’s
config.properties file. The entries that need to be added are listed below.
http-server.authentication.type=KERBEROS
http-server.authentication.krb5.service-name=presto
http-server.authentication.krb5.principal-hostname=presto.prestosql.io
http-server.authentication.krb5.keytab=/etc/presto/presto.keytab
http.authentication.krb5.config=/etc/krb5.conf
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/etc/presto_keystore.jks
http-server.https.keystore.key=keystore_password
node.internal-address-source=FQDN
| Property | Description |
|---|---|
http-server.authentication.type |
Authentication type for the Presto
coordinator. Must be set to KERBEROS. |
http-server.authentication.krb5.service-name |
The Kerberos service name for the Presto coordinator. Must match the Kerberos principal. |
http-server.authentication.krb5.principal-hostname |
The Kerberos hostname for the Presto coordinator. Must match the Kerberos principal. This parameter is optional. If included, Presto uses this value in the host part of the Kerberos principal instead of the machine’s hostname. |
http-server.authentication.krb5.keytab |
The location of the keytab that can be used to authenticate the Kerberos principal. |
http.authentication.krb5.config |
The location of the Kerberos configuration file. |
http-server.https.enabled |
Enables HTTPS access for the Presto coordinator.
Should be set to true. |
http-server.https.port |
HTTPS server port. |
http-server.https.keystore.path |
The location of the Java Keystore file that is used to secure TLS. |
http-server.https.keystore.key |
The password for the keystore. This must match the password you specified when creating the keystore. |
http-server.authentication.krb5.user-mapping.pattern |
Regex to match against user. If matched, user will be
replaced with first regex group. If not matched,
authentication is denied. Default is (.*). |
http-server.authentication.krb5.user-mapping.file |
File containing rules for mapping user. See User Mapping for more information. |
node.internal-address-source |
Kerberos is typically sensitive to DNS names. Setting
this property to use FQDN ensures correct
operation and usage of valid DNS host names. |
Note
Monitor the CPU usage on the Presto coordinator after enabling HTTPS. Java
prefers the more CPU-intensive cipher suites, if you allow it to choose from
a big list. If the CPU usage is unacceptably high after enabling HTTPS,
you can configure Java to use specific cipher suites by setting
the http-server.https.included-cipher property to only allow
cheap ciphers. Non forward secrecy (FS) ciphers are disabled by default.
As a result, if you want to choose non FS ciphers, you need to set the
http-server.https.excluded-cipher property to an empty list in order to
override the default exclusions.
http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
http-server.https.excluded-cipher=
The Java documentation lists the supported cipher suites.
access-controls.properties#
At a minimum, an access-control.properties file must contain an
access-control.name property. All other configuration is specific
for the implementation being configured.
See System Access Control for details.
User Mapping#
After authenticating with Kerberos, the Presto server receives the user’s principal which is typically similar to
an email address. For example, when alice logs in in Presto might receive alice@example.com. By default,
Presto will use the full Kerberos principal name, but this can be mapped to a shorter name using a user-mapping
pattern. For simple mapping rules, the http-server.authentication.krb5.user-mapping.pattern configuration
property can be set to a Java regular expression, and Presto will use the value of the first matcher group. If the
regular expression does not match, the authentication is denied. For more complex user-mapping rules, see
User Mapping.
Troubleshooting#
Getting Kerberos authentication working can be challenging. You can independently verify some of the configuration outside of Presto, to help narrow your focus when trying to solve a problem.
Kerberos Verification#
Ensure that you can connect to the KDC from the Presto coordinator using telnet.
$ telnet kdc.example.com 88
Verify that the keytab file can be used to successfully obtain a ticket using kinit and klist
$ kinit -kt /etc/presto/presto.keytab presto@EXAMPLE.COM
$ klist
Java Keystore File Verification#
Verify the password for a keystore file and view its contents using Java Keystore File Verification
Additional Kerberos Debugging Information#
You can enable additional Kerberos debugging information for the Presto
coordinator process by adding the following lines to the Presto jvm.config
file
-Dsun.security.krb5.debug=true
-Dlog.enable-console=true
-Dsun.security.krb5.debug=true enables Kerberos debugging output from the
JRE Kerberos libraries. The debugging output goes to stdout, which Presto
redirects to the logging system. -Dlog.enable-console=true enables output
to stdout to appear in the logs.
The amount and usefulness of the information the Kerberos debugging output sends to the logs varies depending on where the authentication is failing. Exception messages and stack traces can provide useful clues about the nature of the problem.