11.14. Starburst Secrets
Presto manages configuration details in static properties files. This configuration needs to include properties such as usernames, passwords and other values, that are often required to be kept secret, and managed only by a few select administrators.
Starburst Secrets allows you to configure Presto to retrieve property values from a Java keystore file. The values are transparently injected to allow Presto to operate as usual. The keystore file can be separately managed and contains the secrets as encrypted values.
Configuration for Starburst Secrets follows a few simple steps.
In order to move the secrets to the encrypted, secure location in the keystore file you need create the keystore file and fill it with the desired properties.
In the following example, we replace the value for a
a connector properties file such as
You need to decide on an alias name for the secret,
then use the alias to add the secret with this alias to a keystore file.
keytool command, available as part of your Java installation for
working with the keystore file.
keytool -genseckey -alias mydatabase-password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12
The above command creates the
presto-keystore.pfx file or uses the file in
the current directory of that name. After providing the password to the
keystore, you can provide the secret value for the alias
To add more secrets, simply repeat the command with another alias value.
Once all secrets are added with the desired alias you can list them:
$ keytool -list -keystore presto-keystore.pfx Enter keystore password: Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 2 entries mydatabase-password, 20-Nov-2019, SecretKeyEntry, anotherdb-password, 20-Nov-2019, SecretKeyEntry,
With the passwords now stored in the keystore file using the desired alias
names, you have to copy the keystore file to the Presto server, e.g. to
Then replace the secret values in the properties file. The new content of the
connector properties file
etc/catalog/mydatabase.properties uses the alias
referenced as environment value:
You need to activate and configure the specific keystore file as a configuration source, to cause Presto to read the information before the loading other configuration files and injecting the values.
Provide all required properties in
restart Presto for the configuration to be used:
keystore.enabled=true keystore.file-path=etc/catalog/presto-keystore.pfx keystore.password=password_used_in_presto-keystore.pfx_creation
Enables or disables the keystore configuration source.
Path to the keystore file on the Presto server. The supported extensions are
Password to the keystore. In case of
jcekskeystores, keys need to be encrypted by the keystore password.
The default path for pre-configuration file location is
etc/configuration-source.properties. It can be changed by providing a Java