Kerberos authentication in Trino
Setting up Kerberos authentication for Trino requires several additional actions that depend on whether the Trino Ranger plugin is enabled. This article demonstrates the differences between the approaches.
To set up Kerberos authentication for Trino, follow the steps below:
- Activate SSL for your ADH cluster.
- Enable Kerberos for your ADH cluster.
- Go to the Trino Coordinator component settings and edit the user-mapping.json file parameter so that its contents are as follows:
  {
    "rules": [
      { "pattern": "(.+)@(.*)" },
      { "pattern": "^(.*?)/.*$" }
    ]
  }
- Configure impersonation settings.
- In Ranger, create a user for the Kerberos principal that will be executing Trino CLI commands.
- Add that user to the all - trinouser, all - catalog, schema, table, column, and all - queryid policies in Trino.
On the Trino configuration page in ADCM, expand the access-control.properties parameter group and edit the rules_json_patter parameter so that it includes permissions for impersonation and catalogs, for example:
{
  "system": {
    "impersonation": [
      {
        "user": "<user with permissions, like `trino`>",
        "allow": {
          "user": "<user who will run trino-cli>"
        }
      }
    ]
  },
  "catalogs": [
    {
      "role": "admin",
      "catalog": "hive-adh",
      "allow": "all"
    },
    {
      "user": "trino",
      "catalog": "iceberg-adh",
      "allow": "all"
    },
    {
      "user": "<user who will run trino-cli>",
      "catalog": "iceberg-adh",
      "allow": "all"
    }
  ]
}
Check that everything works correctly by running a Trino CLI command:
$ trino --execute 'select * from "hive-adh"."default"."solar_objects";'
The output is expected to be the table’s content:
"1","Sun","1989100000","1392000"
"2","Mercury","330","4879"
"3","Venus","4867","12104"
"4","Earth","5972","12742"
"5","Mars","642","6780"
"6","Jupiter","1898187","139822"
"7","Saturn","568317","116464"
"8","Uranus","86813","50724"
"9","Neptune","102413","49244"
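The user name that Ranger policies or the access-control rules must reference is the one produced by user-mapping.json, not the raw Kerberos principal. The sketch below is an added example, not ADH or Trino code: it models the mapping under the assumption that Trino tries rules in order, requires a pattern to match the whole principal, takes the first match, defaults the replacement to `$1`, and rejects a principal that matches no rule. The principals are constructed samples.

```python
import json
import re

# Contents of user-mapping.json from the step above.
USER_MAPPING = json.loads(r"""
{ "rules": [ { "pattern": "(.+)@(.*)" }, { "pattern": "^(.*?)/.*$" } ] }
""")


def map_principal(principal, mapping=USER_MAPPING):
    """Return the mapped Trino user for a principal, or None if it is rejected.

    Assumed semantics: first rule whose pattern matches the entire principal
    wins; "user" defaults to "$1"; "allow": false or no match means rejection.
    """
    for rule in mapping["rules"]:
        match = re.fullmatch(rule["pattern"], principal)
        if match is None:
            continue  # try the next rule
        if not rule.get("allow", True):
            return None  # explicit deny rule
        # Translate Java-style $1 references into Python's \g<1> form.
        template = re.sub(r"\$(\d+)", r"\\g<\1>", rule.get("user", "$1"))
        return match.expand(template).strip()
    return None  # no rule matched: authentication is refused


def audit(principals, expected_users):
    """List principals whose mapped name is missing from the authorized users."""
    problems = []
    for principal in principals:
        user = map_principal(principal)
        if user is None or user not in expected_users:
            problems.append((principal, user))
    return problems


if __name__ == "__main__":
    # Constructed sample principals; realm and host names are placeholders.
    samples = [
        "alice@EXAMPLE.COM",
        "trino/node1.example.com@EXAMPLE.COM",
        "trino/node1.example.com",
        "alice",
    ]
    for p in samples:
        print(f"{p!r:45} -> {map_principal(p)!r}")
    # Users assumed to exist in Ranger or in the rules JSON.
    print(audit(samples, expected_users={"alice", "trino"}))
```

Because the first rule is greedy up to the `@`, a host-qualified principal that carries a realm keeps its `/host` part after mapping, so the audit flags it unless that exact name is authorized.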