3.1. Coordinator Kerberos Authentication

The Presto coordinator can be configured to enable Kerberos authentication over HTTPS for clients, such as the Presto CLI, or the JDBC and ODBC drivers.

To enable Kerberos authentication for Presto, configuration changes are made on the Presto coordinator. No changes are required to the worker configuration; the worker nodes will continue to connect to the coordinator over unauthenticated HTTP. However, if you want to secure the communication between Presto nodes with SSL/TLS, configure Secure Internal Communication.

Environment Configuration

Kerberos Services

You will need a Kerberos KDC running on a node that the Presto coordinator can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.

MIT Kerberos Configuration

Kerberos needs to be configured on the Presto coordinator. At a minimum, there needs to be a kdc entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the Presto coordinator can reach the Kerberos admin server on port 749.

  [realms]
  PRESTO.EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

  [domain_realm]
  .presto.example.com = PRESTO.EXAMPLE.COM
  presto.example.com = PRESTO.EXAMPLE.COM

The complete documentation for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.

Kerberos Principals and Keytab Files

The Presto coordinator needs a Kerberos principal, as do users who are going to connect to the Presto coordinator. You will need to create these users in Kerberos using kadmin.

In addition, the Presto coordinator needs a keytab file. After you create the principal, you can create the keytab file using kadmin:

  kadmin
  > addprinc -randkey presto@EXAMPLE.COM
  > addprinc -randkey presto/presto-coordinator.example.com@EXAMPLE.COM
  > ktadd -k /etc/presto/presto.keytab presto@EXAMPLE.COM
  > ktadd -k /etc/presto/presto.keytab presto/presto-coordinator.example.com@EXAMPLE.COM

Note

Running ktadd randomizes the principal's keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd.

Java Cryptography Extension Policy Files

The Java Runtime Environment is shipped with policy files that limit the strength of the cryptographic keys that can be used. Kerberos, by default, uses keys that are larger than those supported by the included policy files. There are two possible solutions to the problem:

  • Update the JCE policy files.
  • Configure Kerberos to use reduced-strength keys.

Of the two options, updating the JCE policy files is recommended. The JCE policy files can be downloaded from Oracle. Note that the JCE policy files vary based on the major version of Java you are running. Java 6 policy files will not work with Java 8, for example.

The Java 8 policy files are available here. Instructions for installing the policy files are included in a README file in the ZIP archive. You will need administrative access to install the policy files if you are installing them in a system JRE.

Java Keystore File for TLS

When using Kerberos authentication, access to the Presto coordinator should be through HTTPS. You can do this by creating a Java Keystore File for TLS on the coordinator.

System Access Control Plugin

A Presto coordinator with Kerberos enabled will probably need a System Access Control plugin to achieve the desired level of security.

Presto Coordinator Node Configuration

You must make the above changes to the environment prior to configuring the Presto coordinator to use Kerberos authentication and HTTPS. After making the preceding environment changes, you can make the changes to the Presto configuration files.

config.properties

Kerberos authentication is configured in the coordinator node's config.properties file. The entries that need to be added are listed below.

  http-server.authentication.type=KERBEROS

  http.server.authentication.krb5.service-name=presto
  http.server.authentication.krb5.principal-hostname=presto.example.com
  http.server.authentication.krb5.keytab=/etc/presto/presto.keytab
  http.authentication.krb5.config=/etc/krb5.conf

  http-server.https.enabled=true
  http-server.https.port=7778

  http-server.https.keystore.path=/etc/presto_keystore.jks
  http-server.https.keystore.key=keystore_password

http-server.authentication.type
    Authentication type for the Presto coordinator. Must be set to KERBEROS.

http.server.authentication.krb5.service-name
    The Kerberos service name for the Presto coordinator. Must match the Kerberos principal.

http.server.authentication.krb5.principal-hostname
    The Kerberos hostname for the Presto coordinator. Must match the Kerberos principal. This parameter is optional. If included, Presto will use this value in the host part of the Kerberos principal instead of the machine's hostname.

http.server.authentication.krb5.keytab
    The location of the keytab that can be used to authenticate the Kerberos principal.

http.authentication.krb5.config
    The location of the Kerberos configuration file.

http-server.https.enabled
    Enables HTTPS access for the Presto coordinator. Should be set to true.

http-server.https.port
    HTTPS server port.

http-server.https.keystore.path
    The location of the Java Keystore file that will be used to secure TLS.

http-server.https.keystore.key
    The password for the keystore. This must match the password you specified when creating the keystore.

Note

Monitor CPU usage on the Presto coordinator after enabling HTTPS. Java prefers the more CPU-intensive cipher suites if you allow it to choose from a big list. If the CPU usage is unacceptably high after enabling HTTPS, you can configure Java to use specific cipher suites by setting the http-server.https.included-cipher property to only allow cheap ciphers. Non forward secrecy (FS) ciphers are disabled by default. As a result, if you want to choose non FS ciphers, you need to set the http-server.https.excluded-cipher property to an empty list in order to override the default exclusions.

  http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
  http-server.https.excluded-cipher=

The Java documentation lists the supported cipher suites.

access-control.properties

At a minimum, an access-control.properties file must contain an access-control.name property. All other configuration is specific to the implementation being configured. See System Access Control for details.

Troubleshooting

Getting Kerberos authentication working can be challenging. You can independently verify some of the configuration outside of Presto to help narrow your focus when trying to solve a problem.

Kerberos Verification

Ensure that you can connect to the KDC from the Presto coordinator using telnet.

  $ telnet kdc.example.com 88

Verify that the keytab file can be used to successfully obtain a ticket using kinit and klist:

  $ kinit -kt /etc/presto/presto.keytab presto@EXAMPLE.COM
  $ klist
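The script below is an added example, not Presto or MIT Kerberos code, that automates two of the checks from this page: it parses the coordinator's krb5.conf as shown in the MIT Kerberos Configuration section (confirming the [realms] entry has a kdc, and optionally admin_server, and that [domain_realm] maps the coordinator's hostname to the realm) and then performs the same TCP reachability test as the telnet command above. The embedded krb5.conf is a constructed copy of the page's sample; the parser handles only the subset of krb5.conf syntax shown there, and the host-to-realm lookup is a simplified form of the MIT rules (exact host first, then parent domains with a leading dot).

```python
"""Checks for the coordinator-side krb5.conf and KDC reachability.

Added example, not Presto or MIT Kerberos code. The parser covers only the
krb5.conf subset shown on this page ([section], key = value, key = { ... });
the host-to-realm mapping is a simplified form of the MIT lookup rules."""
import socket

# Constructed sample copied from the krb5.conf shown earlier on this page.
SAMPLE_KRB5_CONF = """\
[realms]
  PRESTO.EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .presto.example.com = PRESTO.EXAMPLE.COM
  presto.example.com = PRESTO.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {subkey: [values]}}}. Repeated keys
    such as several kdc lines are kept in order as a list."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            group = None
            continue
        if section is None:
            raise ValueError(f"entry before any [section]: {line!r}")
        if line == "}":
            group = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value': {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            group = section.setdefault(key, {})
            continue
        (group if group is not None else section).setdefault(key, []).append(value)
    return conf


def kdc_for_realm(conf, realm):
    """kdc hosts configured for the realm; empty when the [realms] entry is missing."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])


def realm_for_host(conf, hostname):
    """Exact host entry first, then parent domains with a leading dot."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix][0]
    return None


def check_realm(conf, realm, coordinator_host):
    """Findings an operator would want resolved before starting the coordinator."""
    findings = []
    realm_entry = conf.get("realms", {}).get(realm, {})
    if not kdc_for_realm(conf, realm):
        findings.append(f"no kdc entry for {realm} in [realms]")
    if "admin_server" not in realm_entry:
        findings.append(f"no admin_server entry for {realm} (needed to reach kadmin on port 749)")
    if realm_for_host(conf, coordinator_host) != realm:
        findings.append(f"[domain_realm] does not map {coordinator_host} to {realm}")
    return findings


def split_kdc(spec):
    """kdc values may be 'host' or 'host:port'; 88 is the IANA-assigned default."""
    host, _, port = spec.partition(":")
    return host, int(port) if port else 88


def kdc_reachable(spec, timeout=3.0):
    """TCP connect to the KDC, the same test as 'telnet kdc.example.com 88'."""
    host, port = split_kdc(spec)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    realm = "PRESTO.EXAMPLE.COM"
    print(check_realm(conf, realm, "presto-coordinator.presto.example.com") or ["krb5.conf ok"])
    for kdc in kdc_for_realm(conf, realm):
        print(kdc, "reachable" if kdc_reachable(kdc) else "NOT reachable")
```

A successful TCP connect only shows the KDC port is open; a failed kinit after that points at the keytab, principal name or clock skew rather than the network, which is the narrowing the Troubleshooting section is after.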

Java Keystore File Verification

Verify the password for a keystore file and view its contents using Java Keystore File Verification.

Additional Kerberos Debugging Information

You can enable additional Kerberos debugging information for the Presto coordinator process by adding the following lines to the Presto jvm.config file:

  -Dsun.security.krb5.debug=true
  -Dlog.enable-console=true

-Dsun.security.krb5.debug=true enables Kerberos debugging output from the JRE Kerberos libraries. The debugging output goes to stdout, which Presto redirects to the logging system. -Dlog.enable-console=true enables output to stdout to appear in the logs.

The amount and usefulness of the information the Kerberos debugging output sends to the logs varies depending on where the authentication is failing. Exception messages and stack traces can also provide useful clues about the nature of the problem.

Additional resources

Common Kerberos Error Messages (A-M)

Common Kerberos Error Messages (N-Z)

MIT Kerberos Documentation: Troubleshooting