13.3. CLI Kerberos Authentication
The Presto Command Line Interface can connect to a Presto coordinator that has Kerberos authentication enabled.
Environment Configuration
Kerberos Services
You will need a Kerberos KDC running on a node that the client can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.
Kerberos Configuration
Kerberos needs to be configured on the client At a minimum, there needs to be a kdc entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the client can reach the Kerberos admin server on port 749.
[realms]
PRESTO.EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.presto.example.com = PRESTO.EXAMPLE.COM
presto.example.com = PRESTO.EXAMPLE.COM
The complete documentation for krb5.conf is hosted by the MIT Kerberos Project.
Kerberos Principals and Keytab Files
Each user who connects to the Presto coordinator needs a Kerberos principal. You will need to create these users in Kerberos using kadmin.
Additionally, each user needs a keytab file. The keytab file can be created using kadmin after you create the principal.
kadmin
> addprinc -randkey someuser@EXAMPLE.COM
> ktadd -k /home/someuser/someuser.keytab someuser@EXAMPLE.COM
Note
Running ktadd randomizes the principal’s keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd.
Java Cryptography Extension Policy Files
The Java Runtime Environment is shipped with policy files that limit the strengh of the cryptographic keys that can be used. Kerberos, by default, uses keys that are larger than those supported by the included policy files. There are two possible solutions to the problem:
- Update the JCE policy files.
- Configure Kerberos to use reduced-strength keys.
Of the two options, updating the JCE policy files is recommended. The JCE policy files can be downloaded from Oracle. Note that the JCE policy files vary based on the major version of Java you are running. Java 6 policy files will not work with Java 8, for example.
The Java 8 policy files are available here. Instructions for installing the policy files are included in a README file in the zip archive. You will need administrative access to install the policy files if you are installing them in a system JRE.
Java Keystore File for TLS
Access to the Presto coordinator should be through https when using Kerberos authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. This file can be copied to the client machine and used for its configuration.
Presto CLI execution
In addition to the options that are required when connecting to a Presto coordinator that does not require Kerberos authentication, invoking the CLI with Kerberos support enabled requires a number of additional command line options. The simplest way to invoke the CLI is with a wrapper script.
#!/bin/bash
./presto-cli-*-executable.jar \
--server https://presto-coordinator.example.com:7778 \
--enable-authentication \
--krb5-config-path /etc/krb5.conf \
--krb5-principal someuser@EXAMPLE.COM \
--krb5-keytab-path /home/someuser/someuser.keytab \
--krb5-remote-service-name presto \
--keystore-path /tmp/presto.jks \
--keystore-password password \
--catalog <catalog> \
--schema <schema>
| Option | Description |
|---|---|
| --server | The address and port of the Presto coordinator. The port must be set to the port the Presto coordinator is listening for HTTPS connections on. |
| --enable-authentication | Enables Kerberos authentication. |
| --krb5-config-path | Kerberos configuration file. |
| --krb5-principal | The principal to use when authenticating to the coordinator. |
| --krb5-keytab-path | The location of the the keytab that can be used to authenticate the principal specified by --krb5-principal |
| --krb5-remote-service-name | Presto coordinator Kerberos service name. |
| --keystore-path | The location of the Java Keystore file that will be used to secure TLS. |
| --keystore-password | The password for the keystore. This must match the password you specified when creating the keystore. |
Troubleshooting
Many of the same steps that can be used when troubleshooting the Presto coordinator apply to troubleshooting the CLI.
Additional Kerberos Debugging Information
You can enable additional Kerberos debugging information for the Presto CLI process by passing -Dsun.security.krb5.debug=true as a JVM argument when starting the CLI process. Doing so requires invoking the CLI jar through Java instead of running the self-executable jar directly. The self-executable jar file cannot pass the option to the JVM.
#!/bin/bash
java \
-Dsun.security.krb5.debug=true \
-jar presto-cli-*-executable.jar \
--server https://presto-coordinator.example.com:7778 \
--enable-authentication \
--krb5-config-path /etc/krb5.conf \
--krb5-principal someuser@EXAMPLE.COM \
--krb5-keytab-path /home/someuser/someuser.keytab \
--krb5-remote-service-name presto \
--keystore-path /tmp/presto.jks \
--keystore-password password \
--catalog <catalog> \
--schema <schema>
The additional resources listed in the documentation for setting up Kerberos authentication for the Presto coordinator may be of help when interpreting the Kerberos debugging messages.