3.6. Secure Internal Communication
The Presto cluster can be configured to use secured communication. Communicationbetween Presto nodes can be secured with SSL/TLS.
Internal SSL/TLS configuration
SSL/TLS is configured in the config.properties
file. The SSL/TLS on theworker and coordinator nodes are configured using the same set of properties.Every node in the cluster must be configured. Nodes that have not beenconfigured, or are configured incorrectly, will not be able to communicate withother nodes in the cluster.
To enable SSL/TLS for Presto internal communication, do the following:
- Disable HTTP endpoint.
- http-server.http.enabled=false
Warning
You can enable HTTPS while leaving HTTP enabled. In most cases this is asecurity hole. If you are certain you want to use this configuration, youshould consider using an firewall to limit access to the HTTP endpoint toonly those hosts that should be allowed to use it.
Configure the cluster to communicate using the fully qualified domain name (fqdn)of the cluster nodes. This can be done in either of the following ways:
- If the DNS service is configured properly, we can just let the nodes tointroduce themselves to the coordinator using the hostname taken fromthe system configuration (
hostname —fqdn
)
- If the DNS service is configured properly, we can just let the nodes tointroduce themselves to the coordinator using the hostname taken fromthe system configuration (
- node.internal-address-source=FQDN
- It is also possible to specify each node’s fully-qualified hostname manually.This will be different for every host. Hosts should be in the same domain tomake it easy to create the correct SSL/TLS certificates.e.g.:
coordinator.example.com
,worker1.example.com
,worker2.example.com
.
- node.internal-address=<node fqdn>
- Generate a Java Keystore File. Every Presto node must be able to connect toany other node within the same cluster. It is possible to create uniquecertificates for every node using the fully-qualified hostname of each host,create a keystore that contains all the public keys for all of the hosts,and specify it for the client (see step #8 below). In most cases it will besimpler to use a wildcard in the certificate as shown below.
- keytool -genkeypair -alias example.com -keyalg RSA -keystore keystore.jksEnter keystore password:Re-enter new password:What is your first and last name? [Unknown]: .example.comWhat is the name of your organizational unit? [Unknown]:What is the name of your organization? [Unknown]:What is the name of your City or Locality? [Unknown]:What is the name of your State or Province? [Unknown]:What is the two-letter country code for this unit? [Unknown]:Is CN=.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yesEnter key password for <presto> (RETURN if same as keystore password):
Distribute the Java Keystore File across the Presto cluster.
Enable the HTTPS endpoint.
- http-server.https.enabled=truehttp-server.https.port=<https port>http-server.https.keystore.path=<keystore path>http-server.https.keystore.key=<keystore password>
- Change the discovery uri to HTTPS.
- discovery.uri=https://<coordinator fqdn>:<https port>
- Configure the internal communication to require HTTPS.
- internal-communication.https.required=true
- Configure the internal communication to use the Java keystore file.
- internal-communication.https.keystore.path=<keystore path>internal-communication.https.keystore.key=<keystore password>
Internal SSL/TLS communication with Kerberos
If Kerberos authentication is enabled, specify valid Kerberoscredentials for the internal communication, in addition to the SSL/TLS properties.
- internal-communication.kerberos.enabled=true
Note
The service name and keytab file used for internal Kerberos authentication istaken from server Kerberos authentication properties, documented in Kerberos,http.server.authentication.krb5.service-name
and http.server.authentication.krb5.keytab
respectively. Make sure you have the Kerberos setup done on the worker nodes as well.The Kerberos principal for internal communication is built fromhttp.server.authentication.krb5.service-name
after appending it with the hostname ofthe node where Presto is running on and default realm from Kerberos configuration.
Performance with SSL/TLS enabled
Enabling encryption impacts performance. The performance degradation can varybased on the environment, queries, and concurrency.
For queries that do not require transferring too much data between the Prestonodes (e.g. SELECT count(*) FROM table
), the performance impact is negligible.
However, for CPU intensive queries which require a considerable amount of datato be transferred between the nodes (for example, distributed joins, aggregations andwindow functions, which require repartitioning), the performance impact might beconsiderable. The slowdown may vary from 10% to even 100%+, depending on the networktraffic and the CPU utilization.
Advanced Performance Tuning
In some cases, changing the source of random numbers will improve performancesignificantly.
By default, TLS encryption uses the /dev/urandom
system device as a source of entropy.This device has limited throughput, so on environments with high network bandwidth(e.g. InfiniBand), it may become a bottleneck. In such situations, it is recommended to tryto switch the random number generator algorithm to SHA1PRNG
, by setting it viahttp-server.https.secure-random-algorithm
property in config.properties
on the coordinatorand all of the workers:
- http-server.https.secure-random-algorithm=SHA1PRNG
Be aware that this algorithm takes the initial seed fromthe blocking /dev/random
device. For environments that do not have enough entropy to seedthe SHAPRNG
algorithm, the source can be changed to /dev/urandom
by adding the java.security.egd
property to jvm.config
:
- -Djava.security.egd=file:/dev/urandom