7.18. Kerberos Credential Passthrough#

A number of connectors support credential passthrough. With this feature configured, every user must supply their own credentials to Presto, and Presto uses those credentials to connect to the underlying data source. As a result, all data access through Presto is subject to the access restrictions and permissions that the data source grants to that specific user.

Coordinator and Worker Configuration#

Credential passthrough relies on Kerberos for authentication. The Kerberos identity of the user determines the data access permissions applied in the connected data sources.

Kerberos authentication requires HTTPS, which in turn requires secure internal communication: a shared secret and FQDN as the internal address source.

To use credential passthrough, configure the Presto coordinator and workers in config.properties.

internal-communication.shared-secret=yourSecret
node.internal-address-source=FQDN
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=exampleServiceName
http.authentication.krb5.config=/etc/krb5.conf

Optionally, you can configure more details for Kerberos usage with the following properties:

  • http-server.authentication.krb5.keytab=/path/to/Keytab/File

  • http-server.authentication.krb5.principal-hostname=kerberos.example.com

  • http-server.authentication.krb5.name-type, set to USER_NAME or HOSTBASED_SERVICE

In addition, Kerberos must be configured to allow ticket forwarding on the Presto coordinator and workers as well as on each client workstation, for example in the /etc/krb5.conf file. Note that a forwarded ticket lets the Presto hosts act as the user towards the data source, so only hosts trusted to that degree should receive one:

[libdefaults]
  forwardable = true

For Kerberos user names to be correctly mapped through Presto to the catalogs, you also need to configure user mapping.
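The following checker is an added example and is not part of the Presto documentation or code base. It parses a config.properties and a krb5.conf and reports which of the settings listed above are missing or set to a value other than the required one, so a coordinator or worker can be verified before it is put in front of users. The sample files inside it are constructed for illustration; the property names are the ones used on this page, and the checker covers only the settings this page names.

```python
"""Sanity-check a Presto coordinator/worker for Kerberos credential passthrough.

Added example, not Presto project code: parses config.properties and krb5.conf
and reports every setting the passthrough setup on this page requires.
"""

# Constructed sample: a config.properties that lacks the shared secret and
# uses IP instead of FQDN as the internal address source.
WEAK_CONFIG = """\
coordinator=true
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=presto
http.authentication.krb5.config=/etc/krb5.conf
node.internal-address-source=IP
"""

# Constructed sample: the same file with all settings the page lists.
GOOD_CONFIG = """\
coordinator=true
internal-communication.shared-secret=yourSecret
node.internal-address-source=FQDN
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=presto
http.authentication.krb5.config=/etc/krb5.conf
"""

# Constructed krb5.conf samples: one without forwarding, one with it enabled.
WEAK_KRB5 = """\
[libdefaults]
  default_realm = EXAMPLE.COM
"""

GOOD_KRB5 = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  forwardable = true   # required so the coordinator can delegate the TGT
"""

# Settings required for passthrough; None means "must be present, any value".
REQUIRED = {
    "internal-communication.shared-secret": None,
    "node.internal-address-source": "FQDN",
    "http-server.authentication.type": "DELEGATED-KERBEROS",
    "http-server.authentication.krb5.service-name": None,
    "http.authentication.krb5.config": None,
}


def parse_properties(text):
    """Parse a Java .properties file: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java splits on the first '=' or ':' separator, whichever comes first.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def krb5_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf.

    Only that section is read; nested realm blocks elsewhere are ignored.
    """
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def check_config_properties(text):
    """Return a list of findings for config.properties; empty means it passes."""
    props = parse_properties(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if not actual:
            findings.append(f"missing {key}")
        elif expected is not None and actual != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    return findings


def check_krb5_conf(text):
    """Return findings for krb5.conf; forwardable must be true in [libdefaults]."""
    value = krb5_libdefaults(text).get("forwardable", "false").lower()
    if value != "true":
        return ["[libdefaults] forwardable is not true; tickets cannot be delegated"]
    return []


if __name__ == "__main__":
    for name, findings in (("weak config", check_config_properties(WEAK_CONFIG)),
                           ("good config", check_config_properties(GOOD_CONFIG)),
                           ("weak krb5", check_krb5_conf(WEAK_KRB5)),
                           ("good krb5", check_krb5_conf(GOOD_KRB5))):
        print(name, "->", findings or "OK")
```

Run it against the real files by replacing the constructed samples with `open(path).read()`. On the client side, `klist -f` shows the flags of the cached ticket; the `F` flag confirms the TGT was issued forwardable, which is what the coordinator needs in order to pass the credential on to the catalog.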

Catalog Configuration#

As a last step, set the authentication type in the catalog properties file to KERBEROS_PASS_THROUGH to enable credential passthrough. If the certificate used for HTTPS is not signed by a certificate authority that the JVM trusts, specify the path to the trust store file in the catalog file with the property kerberos-manager.http-client.trust-store-path.

More information about this setting and the necessary Kerberos configuration is available in the documentation for the connectors: