3.3. LDAP Authentication
Presto can be configured to enable frontend LDAP authentication overHTTPS for clients, such as the Presto CLI, or the JDBC and ODBCdrivers. At present only simple LDAP authentication mechanism involvingusername and password is supported. The Presto client sends a usernameand password to the coordinator and coordinator validates thesecredentials using an external LDAP service.
To enable LDAP authentication for Presto, configuration changes are made onthe Presto coordinator. No changes are required to the worker configuration;only the communication from the clients to the coordinator is authenticated.However, if you want to secure the communication betweenPresto nodes with SSL/TLS configure Secure Internal Communication.
Presto Server Configuration
Environment Configuration
Secure LDAP
Presto requires Secure LDAP (LDAPS), so make sure you have TLSenabled on your LDAP server.
TLS Configuration on Presto Coordinator
You need to import the LDAP server’s TLS certificate to the default Javatruststore of the Presto coordinator to secure TLS connection. You can usethe following example keytool command to import the certificateldap_server.crt
, to the truststore on the coordinator.
- $ keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -trustcacerts -alias ldap_server -file ldap_server.crt
In addition to this, access to the Presto coordinator should bethrough HTTPS. You can do it by creating a Java Keystore File for TLS onthe coordinator.
Presto Coordinator Node Configuration
You must make the following changes to the environment prior to configuring thePresto coordinator to use LDAP authentication and HTTPS.
- Secure LDAP- Java Keystore File for TLS
You also need to make changes to the Presto configuration files.LDAP authentication is configured on the coordinator in two parts.The first part is to enable HTTPS support and password authenticationin the coordinator’s config.properties
file. The second part isto configure LDAP as the password authenticator plugin.
Server Config Properties
The following is an example of the required properties that need to be addedto the coordinator’s config.properties
file:
- http-server.authentication.type=PASSWORD
- http-server.https.enabled=true
- http-server.https.port=8443
- http-server.https.keystore.path=/etc/presto_keystore.jks
- http-server.https.keystore.key=keystore_password
Property | Description |
---|---|
http-server.authentication.type |
Enable password authentication for the Prestocoordinator. Must be set to PASSWORD . |
http-server.https.enabled |
Enables HTTPS access for the Presto coordinator.Should be set to true . Default value isfalse . |
http-server.https.port |
HTTPS server port. |
http-server.https.keystore.path |
The location of the Java Keystore file that will beused to secure TLS. |
http-server.https.keystore.key |
The password for the keystore. This must match thepassword you specified when creating the keystore. |
Password Authenticator Configuration
Password authentication needs to be configured to use LDAP. Create anetc/password-authenticator.properties
file on the coordinator. Example:
- password-authenticator.name=ldap
- ldap.url=ldaps://ldap-server:636
- ldap.user-bind-pattern=<Refer below for usage>
Property | Description |
---|---|
ldap.url |
The url to the LDAP server. The url scheme must beldaps:// since Presto allows only Secure LDAP. |
ldap.user-bind-pattern |
This property can be used to specify the LDAP userbind string for password authentication. This propertymust contain the pattern ${USER} which will bereplaced by the actual username during the passwordauthentication. Example: ${USER}@corp.example.com . |
Based on the LDAP server implementation type, the propertyldap.user-bind-pattern
can be used as described below.
Active Directory
- ldap.user-bind-pattern=${USER}@<domain_name_of_the_server>
Example:
- ldap.user-bind-pattern=${USER}@corp.example.com
OpenLDAP
- ldap.user-bind-pattern=uid=${USER},<distinguished_name_of_the_user>
Example:
- ldap.user-bind-pattern=uid=${USER},OU=America,DC=corp,DC=example,DC=com
Authorization based on LDAP Group Membership
You can further restrict the set of users allowed to connect to the Prestocoordinator based on their group membership by setting the optionalldap.group-auth-pattern
and ldap.user-base-dn
properties in additionto the basic LDAP authentication properties.
Property | Description |
---|---|
ldap.user-base-dn |
The base LDAP distinguished name for the userwho tries to connect to the server.Example: OU=America,DC=corp,DC=example,DC=com |
ldap.group-auth-pattern |
This property is used to specify the LDAP query forthe LDAP group membership authorization. This querywill be executed against the LDAP server and ifsuccessful, the user will be authorized.This property must contain a pattern ${USER} which will be replaced by the actual username inthe group authorization search query.See samples below. |
Based on the LDAP server implementation type, the propertyldap.group-auth-pattern
can be used as described below.
Active Directory
- ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(sAMAccountName=${USER})(memberof=<dn_of_the_authorized_group>))
Example:
- ldap.group-auth-pattern=(&(objectClass=person)(sAMAccountName=${USER})(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))
OpenLDAP
- ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(uid=${USER})(memberof=<dn_of_the_authorized_group>))
Example:
- ldap.group-auth-pattern=(&(objectClass=inetOrgPerson)(uid=${USER})(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))
For OpenLDAP, for this query to work, make sure you enable thememberOf
overlay.
You can also use this property for scenarios where you want to authorize a userbased on complex group authorization search queries. For example, if you want toauthorize a user belonging to any one of multiple groups (in OpenLDAP), thisproperty may be set as follows:
- ldap.group-auth-pattern=(&(|(memberOf=CN=normal_group,DC=corp,DC=com)(memberOf=CN=another_group,DC=com))(objectClass=inetOrgPerson)(uid=${USER}))
Presto CLI
Environment Configuration
TLS Configuration
Access to the Presto coordinator should be through HTTPS when using LDAPauthentication. The Presto CLI can use either a Java Keystore file or Java Truststorefor its TLS configuration.
If you are using keystore file, it can be copied to the client machine and usedfor its TLS configuration. If you are using truststore, you can either usedefault java truststores or create a custom truststore on the CLI. We do notrecommend using self-signed certificates in production.
Presto CLI Execution
In addition to the options that are required when connecting to a Prestocoordinator that does not require LDAP authentication, invoking the CLIwith LDAP support enabled requires a number of additional command lineoptions. You can either use —keystore-
or —truststore-
propertiesto secure TLS connection. The simplest way to invoke the CLI is with awrapper script.
- #!/bin/bash
- ./presto \
- --server https://presto-coordinator.example.com:8443 \
- --keystore-path /tmp/presto.jks \
- --keystore-password password \
- --truststore-path /tmp/presto_truststore.jks \
- --truststore-password password \
- --catalog <catalog> \
- --schema <schema> \
- --user <LDAP user> \
- --password
Option | Description |
---|---|
—server |
The address and port of the Presto coordinator. The port mustbe set to the port the Presto coordinator is listening for HTTPSconnections on. Presto CLI does not support using http scheme forthe url when using LDAP authentication. |
—keystore-path |
The location of the Java Keystore file that will be usedto secure TLS. |
—keystore-password |
The password for the keystore. This must match thepassword you specified when creating the keystore. |
—truststore-path |
The location of the Java Truststore file that will be usedto secure TLS. |
—truststore-password |
The password for the truststore. This must match thepassword you specified when creating the truststore. |
—user |
The LDAP username. For Active Directory this should be yoursAMAccountName and for OpenLDAP this should be the uid ofthe user. This is the username which will beused to replace the ${USER} placeholder pattern in the propertiesspecified in config.properties . |
—password |
Prompts for a password for the user . |
Troubleshooting
Java Keystore File Verification
Verify the password for a keystore file and view its contents usingJava Keystore File Verification.
SSL Debugging for Presto CLI
If you encounter any SSL related errors when running Presto CLI, you can run CLI using -Djavax.net.debug=ssl
parameter for debugging. You should use the Presto CLI executable jar to enable this. Eg:
- java -Djavax.net.debug=ssl \
- -jar \
- presto-cli-<version>-executable.jar \
- --server https://coordinator:8443 \
- <other_cli_arguments>
Common SSL errors
java.security.cert.CertificateException: No subject alternative names present
This error is seen when the Presto coordinator’s certificate is invalid and does not have the IP you providein the —server
argument of the CLI. You will have to regenerate the coordinator’s SSL certificatewith the appropriate SAN added.
Adding a SAN to this certificate is required in cases where https://
uses IP address in the URL ratherthan the domain contained in the coordinator’s certificate, and the certificate does not contain theSAN parameter with the matching IP address as an alternative attribute.