3.2. CLI Kerberos Authentication
The Presto Command Line Interface can connect to a Presto coordinator that has Kerberos authentication enabled.
Environment Configuration
Kerberos Services
You will need a Kerberos KDC running on a node that the client can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.
MIT Kerberos Configuration
Kerberos needs to be configured on the client. At a minimum, there needs to be a kdc entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the client can reach the Kerberos admin server on port 749.
```
[realms]
  PRESTO.EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .presto.example.com = PRESTO.EXAMPLE.COM
  presto.example.com = PRESTO.EXAMPLE.COM
```
The complete documentation for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.
Kerberos Principals and Keytab Files
Each user who connects to the Presto coordinator needs a Kerberos principal. You will need to create these users in Kerberos using kadmin.
Additionally, each user needs a keytab file. The keytab file can be created using kadmin after you create the principal.
```
kadmin
> addprinc -randkey someuser@EXAMPLE.COM
> ktadd -k /home/someuser/someuser.keytab someuser@EXAMPLE.COM
```
Note
Running ktadd randomizes the principal's keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd.
Java Cryptography Extension Policy Files
The Java Runtime Environment is shipped with policy files that limit the strength of the cryptographic keys that can be used. Kerberos, by default, uses keys that are larger than those supported by the included policy files. There are two possible solutions to the problem:
- Update the JCE policy files.
- Configure Kerberos to use reduced-strength keys.
Of the two options, updating the JCE policy files is recommended. The JCE policy files can be downloaded from Oracle. Note that the JCE policy files vary based on the major version of Java you are running. Java 6 policy files will not work with Java 8, for example.
The Java 8 policy files are available here. Instructions for installing the policy files are included in a README file in the ZIP archive. You will need administrative access to install the policy files if you are installing them in a system JRE.
Java Keystore File for TLS
Access to the Presto coordinator must be through https when using Kerberos authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. This file can be copied to the client machine and used for its configuration.
Presto CLI execution
In addition to the options that are required when connecting to a Presto coordinator that does not require Kerberos authentication, invoking the CLI with Kerberos support enabled requires a number of additional command line options. The simplest way to invoke the CLI is with a wrapper script.
```bash
#!/bin/bash
./presto \
  --server https://presto-coordinator.example.com:7778 \
  --krb5-config-path /etc/krb5.conf \
  --krb5-principal someuser@EXAMPLE.COM \
  --krb5-keytab-path /home/someuser/someuser.keytab \
  --krb5-remote-service-name presto \
  --keystore-path /tmp/presto.jks \
  --keystore-password password \
  --catalog <catalog> \
  --schema <schema>
```
Option | Description |
---|---|
--server | The address and port of the Presto coordinator. The port must be set to the port the Presto coordinator is listening for HTTPS connections on. |
--krb5-config-path | Kerberos configuration file. |
--krb5-principal | The principal to use when authenticating to the coordinator. |
--krb5-keytab-path | The location of the keytab that can be used to authenticate the principal specified by --krb5-principal. |
--krb5-remote-service-name | Presto coordinator Kerberos service name. |
--keystore-path | The location of the Java Keystore file that will be used to secure TLS. |
--keystore-password | The password for the keystore. This must match the password you specified when creating the keystore. |
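The wrapper above starts the CLI with whatever it is given and leaves any misconfiguration to surface as a Kerberos error from the JVM. The script below is an added example, not part of the Presto documentation or project: it checks the inputs this section depends on before running the same `./presto` command line, namely that the principal's realm has a kdc entry in the [realms] section of krb5.conf and that the keytab is readable only by its owner. The `PRINCIPAL` and `KEYTAB` variables, the hostnames and the constructed sample config in `demo_preflight` are assumptions for illustration.

```shell
#!/bin/bash
# Pre-flight wrapper for the Presto CLI with Kerberos (added example, not part
# of the Presto project). It validates the pieces this section describes before
# the CLI is started, so a bad realm or an over-permissive keytab is reported
# directly instead of as a less obvious Kerberos failure inside the JVM.
# PRINCIPAL, KEYTAB and the sample hostnames are assumptions for illustration.

PRINCIPAL=${PRINCIPAL:-someuser@EXAMPLE.COM}
KEYTAB=${KEYTAB:-/home/someuser/someuser.keytab}

# Print the kdc configured for REALM in the [realms] section of CONF.
# Returns 1 (printing nothing) if the realm has no kdc entry there.
krb5_kdc_for_realm() {
  awk -v realm="$2" '
    /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/].*$/, "", section); next }
    section != "realms" { next }
    { line = $0; gsub(/[ \t]/, "", line) }          # compare without whitespace
    line == (realm "={") { inrealm = 1; next }
    inrealm && line == "}" { inrealm = 0 }
    inrealm && index(line, "kdc=") == 1 { print substr(line, 5); found = 1; exit }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Realm part of a principal such as someuser@EXAMPLE.COM; fails if there is none.
realm_of_principal() {
  case $1 in
    *@*) printf '%s\n' "${1##*@}" ;;
    *)   return 1 ;;
  esac
}

# A keytab holds long-term keys: it must exist and carry no group/other bits.
keytab_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission columns
  [ "$perms" = "------" ]
}

# Run every check, report each finding, and return 0 only if all pass.
preflight() {
  conf=$1 principal=$2 keytab=$3 ok=0
  realm=$(realm_of_principal "$principal") || { echo "principal '$principal' has no @REALM"; return 1; }
  if kdc=$(krb5_kdc_for_realm "$conf" "$realm"); then
    echo "realm $realm -> kdc $kdc"
  else
    echo "no kdc entry for realm $realm in $conf"; ok=1
  fi
  if keytab_is_private "$keytab"; then
    echo "keytab $keytab is owner-only"
  else
    echo "keytab $keytab is missing or readable by group/other"; ok=1
  fi
  return $ok
}

# The invocation from this section, run only after the checks pass.
# Usage: run_presto_cli <catalog> <schema>
run_presto_cli() {
  preflight /etc/krb5.conf "$PRINCIPAL" "$KEYTAB" || exit 1
  exec ./presto \
    --server https://presto-coordinator.example.com:7778 \
    --krb5-config-path /etc/krb5.conf \
    --krb5-principal "$PRINCIPAL" \
    --krb5-keytab-path "$KEYTAB" \
    --krb5-remote-service-name presto \
    --keystore-path /tmp/presto.jks \
    --keystore-password password \
    --catalog "$1" \
    --schema "$2"
}

# Stand-alone demonstration on constructed input: a throwaway krb5.conf with the
# realm from the sample above and an empty placeholder keytab. No KDC, kadmin or
# presto binary is needed; the files are removed afterwards.
demo_preflight() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/krb5.conf" <<'EOF'
[realms]
  PRESTO.EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }
[domain_realm]
  .presto.example.com = PRESTO.EXAMPLE.COM
EOF
  : > "$dir/someuser.keytab"
  chmod 600 "$dir/someuser.keytab"
  preflight "$dir/krb5.conf" someuser@PRESTO.EXAMPLE.COM "$dir/someuser.keytab"
  status=$?
  rm -rf "$dir"
  return $status
}

demo_preflight
```

Two things worth noticing when using this. First, with the sample values exactly as they appear on this page, the realm check fails: the krb5.conf sample defines only PRESTO.EXAMPLE.COM, while the principal is someuser@EXAMPLE.COM, so no kdc entry exists for EXAMPLE.COM; that mismatch is precisely what the check is meant to surface before the CLI is started. Second, the keystore password is still passed as a command-line argument, as in the wrapper above, and command-line arguments are visible to other local users in the process list, so keep the wrapper script itself readable only by its owner.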
Troubleshooting
Many of the same steps that can be used when troubleshooting the Presto coordinator apply to troubleshooting the CLI.
Additional Kerberos Debugging Information
You can enable additional Kerberos debugging information for the Presto CLI process by passing -Dsun.security.krb5.debug=true as a JVM argument when starting the CLI process. Doing so requires invoking the CLI JAR via java instead of running the self-executable JAR directly. The self-executable JAR file cannot pass the option to the JVM.
```bash
#!/bin/bash
java \
  -Dsun.security.krb5.debug=true \
  -jar presto-cli-*-executable.jar \
  --server https://presto-coordinator.example.com:7778 \
  --krb5-config-path /etc/krb5.conf \
  --krb5-principal someuser@EXAMPLE.COM \
  --krb5-keytab-path /home/someuser/someuser.keytab \
  --krb5-remote-service-name presto \
  --keystore-path /tmp/presto.jks \
  --keystore-password password \
  --catalog <catalog> \
  --schema <schema>
```
The additional resources listed in the documentation for setting up Kerberos authentication for the Presto coordinator may be of help when interpreting the Kerberos debugging messages.