11.13. Credential Passthrough

A number of Presto connectors support credential passthrough. With this feature configured, any user is required to supply their credentials to Presto. These credentials are then used to connect to the underlying data source. As a result, any data access via Presto is subject to the data access restrictions and permissions of the user supplied.

The credential passthrough relies on the usage of Kerberos for authentication over HTTP. The Kerberos data source for user credentials needs to be used for the data access permissoons in the database system.

To use credential passthrough, configure the Presto server to use Kerberos in Config Properties.

http-server.authentication.type=KERBEROS
http.server.authentication.krb5.forwarding-enabled==true

In addition, Kerberos needs to be configured on the Presto server in the /etc/krb5.conf file. The configuration needs to allow forwarding:

[libdefaults]
  forwardable = true

As a last step, the credential passthrough needs to be enabled as authentication type in the configuration for the connector: