Coordinator Kerberos Authentication

    To enable Kerberos authentication for Presto, configuration changes are made on the Presto coordinator. No changes are required to the worker configuration; the worker nodes will continue to connect to the coordinator over unauthenticated HTTP. However, if you want to secure the communication between Presto nodes with SSL/TLS, configure Secure Internal Communication.

    You will need a Kerberos KDC running on a node that the Presto coordinator can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.

    MIT Kerberos Configuration

    Kerberos needs to be configured on the Presto coordinator. At a minimum, there needs to be an entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the Presto coordinator can reach the Kerberos admin server on port 749.

    The complete documentation for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.

    Kerberos Principals and Keytab Files

    The Presto coordinator needs a Kerberos principal, as do users who are going to connect to the Presto coordinator. You will need to create these users in Kerberos using kadmin.

    In addition, the Presto coordinator needs a keytab file. After you create the principal, you can create the keytab file using kadmin:

        $ kadmin
        > addprinc -randkey presto@EXAMPLE.COM
        > addprinc -randkey presto/presto-coordinator.example.com@EXAMPLE.COM
        > ktadd -k /etc/presto/presto.keytab presto@EXAMPLE.COM

    Note

    Running ktadd randomizes the principal’s keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd.

    The Java Runtime Environment is shipped with policy files that limit the strength of the cryptographic keys that can be used. Kerberos, by default, uses keys that are larger than those supported by the included policy files. There are two possible solutions to the problem:

    Of the two options, updating the JCE policy files is recommended. The JCE policy files can be downloaded from Oracle. Note that the JCE policy files vary based on the major version of Java you are running. Java 6 policy files will not work with Java 8, for example.

    The Java 8 policy files are available here. Instructions for installing the policy files are included in a README file in the ZIP archive. You will need administrative access to install the policy files if you are installing them in a system JRE.

    Java Keystore File for TLS

    When using Kerberos authentication, access to the Presto coordinator should be through HTTPS. You can do this by creating a Java Keystore File for TLS on the coordinator.

    A Presto coordinator with Kerberos enabled will probably need a System Access Control plugin to achieve the desired level of security.

    You must make the above changes to the environment prior to configuring the Presto coordinator to use Kerberos authentication and HTTPS. After making these environment changes, you can make the changes to the Presto configuration files.

    config.properties

    Kerberos authentication is configured in the coordinator node’s config.properties file. The entries that need to be added are listed below.

    Note

    Monitor CPU usage on the Presto coordinator after enabling HTTPS. Java prefers the more CPU-intensive cipher suites if you allow it to choose from a big list. If the CPU usage is unacceptably high after enabling HTTPS, you can configure Java to use specific cipher suites by setting the http-server.https.included-cipher property to only allow cheap ciphers. Non-forward-secrecy (FS) ciphers are disabled by default. As a result, if you want to choose non-FS ciphers, you need to set the http-server.https.excluded-cipher property to an empty list in order to override the default exclusions.

        http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
        http-server.https.excluded-cipher=

    The Java documentation lists the supported cipher suites.
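    The note above trades CPU for forward secrecy, so a practitioner will want a quick way to spot a config.properties that has opted into non-FS suites or emptied the default exclusions. The following Python checker is an added example, not Presto code; the property names are the two from the note, the sample files are constructed, and the forward-secrecy test is a heuristic on the Java/IANA suite name (ephemeral (EC)DHE key exchange, or a TLS 1.3 suite, which has no key-exchange field).

```python
# Constructed config.properties fragments: the weak setting from the note and a hardened one.
WEAK_CONFIG = """
# cheap but non-forward-secrecy suites, with the default exclusions overridden
http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
http-server.https.excluded-cipher=
"""

HARDENED_CONFIG = """
# ephemeral ECDHE suites; excluded-cipher is left at its default, so non-FS suites stay disabled
http-server.https.included-cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""


def is_forward_secret(suite):
    """Heuristic on the suite name: TLS 1.3 suites carry no key-exchange field and are always FS;
    for older suites only ephemeral (EC)DHE key exchange gives forward secrecy."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return "_ECDHE_" in suite or "_DHE_" in suite


def parse_properties(text):
    """Minimal key=value parser for a Java .properties file (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_ciphers(props):
    """Return a list of findings about the coordinator's HTTPS cipher configuration."""
    findings = []
    included = [c for c in props.get("http-server.https.included-cipher", "").split(",") if c]
    non_fs = [c for c in included if not is_forward_secret(c)]
    if non_fs:
        findings.append("non-forward-secrecy suites allowed: " + ", ".join(non_fs))
    # an explicitly empty excluded-cipher list overrides the default exclusion of non-FS suites
    if props.get("http-server.https.excluded-cipher") == "":
        findings.append("default cipher exclusions overridden (excluded-cipher is empty)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ciphers(parse_properties(cfg)) or ["no findings"])
```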

    At a minimum, an access-control.properties file must contain an access-control.name property. All other configuration is specific to the implementation being configured. See System Access Control for details.

    Getting Kerberos authentication working can be challenging. You can independently verify some of the configuration outside of Presto to help narrow your focus when trying to solve a problem.

    Kerberos Verification

    Ensure that you can connect to the KDC from the Presto coordinator using telnet.
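    The telnet check above and the [realms] requirements from the MIT Kerberos Configuration section can be scripted together. The following Python is an added example, not part of the Presto project: it parses the [realms] section of a krb5.conf, applies the default ports the page gives (88 for the KDC, 749 for the admin server), reports missing entries, and offers the same TCP reachability test that telnet performs. The krb5.conf text is constructed, reusing the EXAMPLE.COM realm from the kadmin commands.

```python
import socket

# Constructed krb5.conf: the kdc line omits a port, the admin_server line gives one.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com          # port 88 assumed when none is given
        admin_server = kdc.example.com:749
    }
"""

DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}


def parse_realms(text):
    """Return {realm: {"kdc": [(host, port), ...], "admin_server": [...]}} from krb5.conf text."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=", 1)[0].strip()
            realms[realm] = {"kdc": [], "admin_server": []}
        elif section == "realms" and line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in DEFAULT_PORTS:
                host, _, port = value.rpartition(":")
                if not host:                      # no explicit port: use the IANA default
                    host, port = value, DEFAULT_PORTS[key]
                realms[realm][key].append((host, int(port)))
    return realms


def missing_entries(realms):
    """(realm, key) pairs where a realm lacks a kdc or an admin_server entry."""
    return [(r, k) for r, e in realms.items() for k in DEFAULT_PORTS if not e[k]]


def reachable(host, port, timeout=3.0):
    """TCP connect check, the same thing the telnet test verifies; False on timeout or refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

    Running reachable() against every (host, port) returned by parse_realms() from the coordinator tells you whether the KDC and admin server are actually reachable before you involve Presto at all.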

    Verify that the keytab file can be used to successfully obtain a ticket using kinit and klist:

        $ kinit -kt /etc/presto/presto.keytab presto@EXAMPLE.COM
        $ klist

    Java Keystore File Verification

    Verify the password for a keystore file and view its contents using keytool (replace the path with the keystore you created for the coordinator):

        $ keytool -list -v -keystore /path/to/your/keystore.jks

    You can enable additional Kerberos debugging information for the Presto coordinator process by adding the following lines to the Presto jvm.config file:

        -Dsun.security.krb5.debug=true
        -Dlog.enable-console=true

    -Dsun.security.krb5.debug=true enables Kerberos debugging output from the JRE Kerberos libraries. The debugging output goes to stdout, which Presto redirects to the logging system. -Dlog.enable-console=true enables that output to appear in the logs.

    The amount and usefulness of the information the Kerberos debugging output sends to the logs varies depending on where the authentication is failing. Exception messages and stack traces can also provide useful clues about the nature of the problem.

    Additional resources

    Common Kerberos Error Messages (N-Z)