Authentication types#
Trino supports multiple authentication types to ensure all users of the system are authenticated. Different authenticators allow user management in one or more systems.
All authentication requires secure connections using TLS and HTTPS or process forwarding enabled, and a configured shared secret.
You can configure one or more authentication types with the
http-server.authentication.type
property. The following authentication types
and authenticators are available:
PASSWORD
forOAUTH2
for OAuth 2.0 authenticationKERBEROS
for Kerberos authenticationCERTIFICATE
for Certificate authenticationJWT
for JWT authenticationHEADER
for Header authenticator
Get started with a basic password authentication configuration backed by a password file:
http-server.authentication.type=PASSWORD
Multiple authentication types#
You can use multiple authentication types, separated with commas in the configuration:
http-server.authentication.type=PASSWORD,CERTIFICATE
Authentication is performed in order of the entries, and first successful authentication results in access, using the mapped user from that authentication method.
Multiple password authenticators#
You can use multiple password authenticator types by referencing multiple configuration files:
http-server.authentication.type=PASSWORD
password-authenticator.config-files=etc/ldap1.properties,etc/ldap2.properties,etc/password.properties
In the preceding example, the configuration files ldap1.properties
and
ldap2.properties
are regular LDAP authenticator configuration files. The password.properties
is a password file authenticator configuration file.
Relative paths to the installation directory or absolute paths can be used.
User authentication credentials are first validated against the LDAP server from
ldap1
, then the separate server from ldap2
, and finally the password
file. First successful authentication results in access, and no further
authenticators are called.
Multiple header authenticators#
You can use multiple header authenticator types by referencing multiple configuration files:
http-server.authentication.type=HEADER
header-authenticator.config-files=etc/xfcc.properties,etc/azureAD.properties
Relative paths to the installation directory or absolute paths can be used.
The pre-configured headers are first validated against the xfcc
authenticator,
then the azureAD
authenticator. First successful authentication results in access,
and no further authenticators are called.