CLI Kerberos Authentication

    You will need a Kerberos KDC running on a node that the client can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.

    MIT Kerberos Configuration

    Kerberos needs to be configured on the client. At a minimum, there needs to be a entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the client can reach the Kerberos admin server on port 749.

    The complete for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.

    Each user who connects to the Presto coordinator needs a Kerberos principal. You will need to create these users in Kerberos using kadmin.

    Additionally, each user needs a . The keytab file can be created using kadmin after you create the principal.

    Note

    Running ktadd randomizes the principal’s keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the option to ktadd.

    Java Cryptography Extension Policy Files

    The Java Runtime Environment is shipped with policy files that limit the strength of the cryptographic keys that can be used. Kerberos, by default, uses keys that are larger than those supported by the included policy files. There are two possible solutions to the problem:

    The Java 8 policy files are available . Instructions for installing the policy files are included in a README file in the ZIP archive. You will need administrative access to install the policy files if you are installing them in a system JRE.

    Access to the Presto coordinator must be through https when using Kerberos authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. This file can be copied to the client machine and used for its configuration.

    In addition to the options that are required when connecting to a Presto coordinator that does not require Kerberos authentication, invoking the CLI with Kerberos support enabled requires a number of additional command line options. The simplest way to invoke the CLI is with a wrapper script.

    Many of the same steps that can be used when troubleshooting the apply to troubleshooting the CLI.

    Additional Kerberos Debugging Information

    You can enable additional Kerberos debugging information for the Presto CLI process by passing as a JVM argument when starting the CLI process. Doing so requires invoking the CLI JAR via java instead of running the self-executable JAR directly. The self-executable jar file cannot pass the option to the JVM.