CLI Kerberos authentication#
The Trino command line interface (CLI) can connect to a Trino cluster that has Kerberos authentication enabled.
Environment configuration#
Kerberos services#
You will need a Kerberos KDC running on a node that the client can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.
MIT Kerberos configuration#
Kerberos needs to be configured on the client. At a minimum, there needs to be a kdc entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the client can reach the Kerberos admin server on port 749.
[realms]
TRINO.EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.trino.example.com = TRINO.EXAMPLE.COM
trino.example.com = TRINO.EXAMPLE.COM
The complete documentation for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.
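The following is an added example, not code from the Trino project or from the MIT Kerberos documentation. It parses the [realms] and [domain_realm] sections of a krb5.conf, resolves the coordinator hostname to a realm the way the [domain_realm] mapping is intended to be read (exact host first, then the most specific parent domain, then the default_realm), and reports whether that realm has the kdc entry the CLI needs. The sample configuration is constructed here and extends the minimal one above with a default_realm and a second realm that deliberately lacks a kdc entry. The service principal form service/host@REALM is an assumption about what the coordinator must hold a key for, not something this page states.

```python
import re

# Constructed sample client configuration (assumed; not copied from any real host). It extends the
# minimal config above with a default_realm and a second realm that lacks a kdc entry.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = TRINO.EXAMPLE.COM

[realms]
    TRINO.EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
    OTHER.EXAMPLE.COM = {
        admin_server = kdc.other.example.com
    }

[domain_realm]
    .trino.example.com = TRINO.EXAMPLE.COM
    trino.example.com = TRINO.EXAMPLE.COM
    .other.example.com = OTHER.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [section] headers, key = value lines
    (a key may repeat, e.g. several kdc lines, so values are kept as lists), and one level
    of name = { ... } groups as used for realms."""
    sections = {}
    section = None
    group = None  # the realm whose { } block we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in krb5.conf
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            group = None
            continue
        if section is None:
            continue
        if line == "}":
            group = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            group = m.group(1)
            section.setdefault(group, {})
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m:
            target = section[group] if group is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def realm_for_host(conf, host):
    """Map a hostname to a realm: an exact [domain_realm] host entry wins, then the most specific
    parent-domain entry (leading dot), then libdefaults default_realm, else None."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    default = conf.get("libdefaults", {}).get("default_realm")
    return default[0] if default else None


def check_client_config(conf, coordinator_host, service_name="trino"):
    """Report what the CLI will use for the given coordinator: the realm, its KDCs, and the
    service principal the coordinator must hold a key for (assumed form service/host@REALM).
    Anything that stops the client from obtaining a service ticket goes under 'problems'."""
    report = {"realm": None, "kdcs": [], "service_principal": None, "problems": []}
    realm = realm_for_host(conf, coordinator_host)
    if realm is None:
        report["problems"].append("no [domain_realm] mapping or default_realm covers %s" % coordinator_host)
        return report
    report["realm"] = realm
    report["service_principal"] = "%s/%s@%s" % (service_name, coordinator_host, realm)
    realm_cfg = conf.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict):
        report["problems"].append("realm %s has no entry in [realms]" % realm)
        return report
    report["kdcs"] = realm_cfg.get("kdc", [])
    if not report["kdcs"]:
        report["problems"].append("realm %s has no kdc entry, so no ticket can be obtained" % realm)
    return report


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("coordinator.trino.example.com", "db.other.example.com"):
        print(host, check_client_config(conf, host))
```

Run it against the real file by replacing SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf and the hostname with the one in your --server URL; a non-empty 'problems' list is the configuration defect to fix before touching the CLI flags.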
Kerberos principals and keytab files#
Each user who connects to the Trino coordinator needs a Kerberos principal. Create these principals in Kerberos using kadmin.
Additionally, each user needs a keytab file, which you can also create with kadmin once the principal exists.
kadmin
> addprinc -randkey someuser@EXAMPLE.COM
> ktadd -k /home/someuser/someuser.keytab someuser@EXAMPLE.COM
Note
Running ktadd randomizes the principal's keys. If you have just created the principal, this does not matter. If the principal already exists, and existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd. The keytab contains the principal's long-term keys, so restrict it to the user who runs the CLI (for example with chmod 600) and handle it like any other credential.
Configuration for TLS#
When using Kerberos authentication, access to the Trino coordinator must be through HTTPS. If you have not yet configured TLS/HTTPS for your coordinator, refer to HTTPS and TLS.
Trino CLI execution#
Run the CLI with the Kerberos options: --krb5-config-path, --krb5-principal, --krb5-keytab-path and --krb5-remote-service-name, together with a --server URL that uses https. The script in the troubleshooting section below shows a complete invocation, including the keystore options for TLS.
Troubleshooting#
Many of the same steps that apply when troubleshooting the Trino coordinator also apply to troubleshooting the CLI.
Additional Kerberos debugging information#
You can enable additional Kerberos debugging information for the Trino CLI process by passing -Dsun.security.krb5.debug=true, -Dtrino.client.debugKerberos=true, and -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext as JVM arguments when starting the CLI process. Doing so requires invoking the CLI JAR via java instead of running the self-executable JAR directly.
#!/bin/bash
java \
-Dsun.security.krb5.debug=true \
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext \
-Dtrino.client.debugKerberos=true \
-jar trino-cli-*-executable.jar \
--server https://trino-coordinator.example.com:7778 \
--krb5-config-path /etc/krb5.conf \
--krb5-principal someuser@EXAMPLE.COM \
--krb5-keytab-path /home/someuser/someuser.keytab \
--krb5-remote-service-name trino \
--keystore-path /tmp/trino.jks \
--keystore-password password \
--catalog <catalog> \
--schema <schema>
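The following is an added example and not part of the Trino project; it wraps the invocation above in a preflight that applies the checks from the keytab, TLS and troubleshooting sections before the CLI runs: the keytab must exist as a regular file readable only by its owner, the server URL must be https, the principal must carry its realm, and the three JVM debug properties are switched on by a flag instead of being edited into a script. The jar path, hostnames and principal are placeholders you supply; the CLI option names are the ones used in the script above.

```python
import os
import stat
from urllib.parse import urlparse

# JVM properties from the troubleshooting section; they make the Kerberos/GSS layers log verbosely.
DEBUG_JVM_ARGS = [
    "-Dsun.security.krb5.debug=true",
    "-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext",
    "-Dtrino.client.debugKerberos=true",
]


def keytab_mode_problems(st_mode):
    """Judge a keytab's st_mode bits. The file holds long-term keys, so it must be a regular file
    that only its owner can read or write (chmod 600). Returns a list of problems, empty if fine."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("keytab is not a regular file")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab is readable or writable by group/others (mode %o); chmod 600 it"
                        % stat.S_IMODE(st_mode))
    return problems


def check_keytab(path):
    """Stat the keytab on disk and apply keytab_mode_problems; a missing file is itself a problem."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab %s does not exist" % path]
    return keytab_mode_problems(st.st_mode)


def validate_cli_args(server, principal):
    """Checks that would otherwise surface only as a GSS or HTTP error once the CLI runs:
    Kerberos authentication requires an https:// URL, and the principal must carry its realm."""
    problems = []
    if urlparse(server).scheme != "https":
        problems.append("Kerberos authentication requires HTTPS; got %r" % server)
    if "@" not in principal:
        problems.append("principal %r is not fully qualified; expected user@REALM" % principal)
    return problems


def build_cli_command(jar, server, principal, keytab_path, krb5_conf="/etc/krb5.conf",
                      service_name="trino", debug=False):
    """Assemble the argv for invoking the CLI JAR via java (as the debug flags require), refusing
    to build a command that will fail authentication. jar is the path to the executable JAR
    (assumed to exist); pass the result to subprocess.run together with --catalog/--schema."""
    problems = validate_cli_args(server, principal) + check_keytab(keytab_path)
    if problems:
        raise ValueError("; ".join(problems))
    return ["java"] + (DEBUG_JVM_ARGS if debug else []) + [
        "-jar", jar,
        "--server", server,
        "--krb5-config-path", krb5_conf,
        "--krb5-principal", principal,
        "--krb5-keytab-path", keytab_path,
        "--krb5-remote-service-name", service_name,
    ]


if __name__ == "__main__":
    # Constructed bad inputs (placeholders, not real hosts): both checks should fire.
    print(validate_cli_args("http://trino-coordinator.example.com:8080", "someuser"))
    print(check_keytab("/home/someuser/missing.keytab"))
```

When the preflight passes but authentication still fails, rerun with debug=True and read the sun.security.krb5 output first: it names the realm and KDC actually used, which is where a krb5.conf mismatch shows up.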
The additional resources listed in the documentation for setting up Kerberos authentication for the Trino coordinator may be of help when interpreting the Kerberos debugging messages.
See Troubleshooting Security in the Java documentation for more details about the -Djava.security.debug flag, and Troubleshooting for more details about the Java GSS-API and Kerberos issues.