11.14. Starburst Secrets

Presto manages configuration details in static properties files. This configuration needs to include properties such as usernames, passwords and other values, that are often required to be kept secret, and managed only by a few select administrators.

Starburst Secrets allows you to configure Presto to retrieve property values from a Java keystore file. The values are transparently injected to allow Presto to operate as usual. The keystore file can be separately managed and contains the secrets as encrypted values.

Configuration for Starburst Secrets follows a few simple steps.

Java Keystore File

In order to move the secrets to the encrypted, secure location in the keystore file you need create the keystore file and fill it with the desired properties.

In the following example, we replace the value for a connection-password in a connector properties file such as etc/catalog/mydatabase.properties:

connection-password=SuPeRSeCrEtPassWord

You need to decide on an alias name for the secret, mydatabase-password and then use the alias to add the secret with this alias to a keystore file.

Use the keytool command, available as part of your Java installation for working with the keystore file.

keytool -genseckey -alias mydatabase-password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12

The above command creates the presto-keystore.pfx file or uses the file in the current directory of that name. After providing the password to the keystore, you can provide the secret value for the alias

To add more secrets, simply repeat the command with another alias value.

Once all secrets are added with the desired alias you can list them:

$ keytool -list -keystore presto-keystore.pfx
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

mydatabase-password, 20-Nov-2019, SecretKeyEntry,
anotherdb-password, 20-Nov-2019, SecretKeyEntry,

Alias Usage in Properties Files

With the passwords now stored in the keystore file using the desired alias names, you have to copy the keystore file to the Presto server, e.g. to etc/catalog/presto-keystore.pfx.

Then replace the secret values in the properties file. The new content of the connector properties file etc/catalog/mydatabase.properties uses the alias referenced as environment value:

connection-password=${env.mydatabase-password}

Activating Keystore as Configuration Source

You need to activate and configure the specific keystore file as a configuration source, to cause Presto to read the information before the loading other configuration files and injecting the values.

Provide all required properties in etc/configuration-source.properties, and restart Presto for the configuration to be used:

keystore.enabled=true
keystore.file-path=etc/catalog/presto-keystore.pfx
keystore.password=password_used_in_presto-keystore.pfx_creation

Properties:

keystore.enabled

Enables or disables the keystore configuration source.

keystore.file-path

Path to the keystore file on the Presto server. The supported extensions are *.pfx, *.p12 and *.jceks.

keystore.password

Password to the keystore. In case of jceks keystores, keys need to be encrypted by the keystore password.

The default path for pre-configuration file location is etc/configuration-source.properties. It can be changed by providing a Java system property -Dpreconfig=/path/to/pre-configuration.properties.