# Kerberos Authentication
Enable Kerberos authentication on the coordinator.
## Usage

**Module Uses Persistent Storage**

This module uses named volumes to persist data. To delete these volumes, run:

```sh
minitrino remove --volumes --module ${module}
```
Provision the module:

```sh
minitrino provision -m kerberos
```

Connect to the coordinator container's Trino CLI:

```sh
minitrino exec -i 'trino-cli'
```

Connect to the coordinator using Kerberos authentication. `kinit` obtains a ticket for the `admin` principal from its keytab, `klist` confirms the ticket is in the credential cache, and `trino-cli` then presents it to the `HTTP` service principal on the coordinator:

```sh
kinit -k -t \
  /etc/${CLUSTER_DIST}/krb5/keytabs/admin.keytab \
  admin@MINITRINO.COM
klist
trino-cli \
  --user admin --insecure --debug \
  --server https://minitrino-${CLUSTER_NAME}:8443 \
  --krb5-principal admin@MINITRINO.COM \
  --krb5-config-path /etc/${CLUSTER_DIST}/krb5/krb5.conf \
  --krb5-keytab-path /etc/${CLUSTER_DIST}/krb5/keytabs/admin.keytab \
  --krb5-remote-service-name HTTP
```

Confirm authentication succeeded:

```sql
SELECT current_user;
```

This should return the user:

```
admin
```
The same sequence of commands works for any of the Kerberos principals defined in the table below; substitute the principal's short name for `${USER}`:

```sh
kinit -k -t \
  /etc/${CLUSTER_DIST}/krb5/keytabs/${USER}.keytab \
  ${USER}@MINITRINO.COM
klist
trino-cli \
  --user ${USER} --insecure --debug \
  --server https://minitrino-${CLUSTER_NAME}:8443 \
  --krb5-principal ${USER}@MINITRINO.COM \
  --krb5-config-path /etc/${CLUSTER_DIST}/krb5/krb5.conf \
  --krb5-keytab-path /etc/${CLUSTER_DIST}/krb5/keytabs/${USER}.keytab \
  --krb5-remote-service-name HTTP
```
## Valid Kerberos Principals

| Principal | Keytab |
|---|---|
## User Mapping

The Kerberos principal is mapped to the Trino user via the
`http-server.authentication.krb5.user-mapping.pattern` configuration property.
This ensures that the principal resolves to the plain username, so the user
integrates properly with other modules, e.g. group providers and access control
modules.

| Principal | User |
|---|---|
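The mapping semantics matter for access control: the pattern is a regular expression that must match the whole principal, the first capture group becomes the Trino user, and a principal that does not match is rejected rather than passed through, which is what keeps a principal from another realm from collapsing onto a local username. The following is an added example, not code from Minitrino or Trino; it reimplements that matching rule in Python so a pattern can be checked against a list of principals before it is deployed. The pattern value `(.*)@MINITRINO\.COM` and the principals are assumptions for illustration, since the module's actual property value and principal list are not shown on this page.

```python
import re
from typing import Dict, Optional

# Assumed value for http-server.authentication.krb5.user-mapping.pattern;
# the module's real value is not shown on the page.
USER_MAPPING_PATTERN = r"(.*)@MINITRINO\.COM"


def map_principal(principal: str, pattern: str = USER_MAPPING_PATTERN) -> Optional[str]:
    """Return the Trino user for a Kerberos principal, or None if rejected.

    Mirrors the documented rule: the pattern must match the entire principal
    and the user is the first capture group. No match, no capture group, or
    an empty capture all count as a rejection so nothing falls through
    unmapped.
    """
    match = re.fullmatch(pattern, principal)
    if match is None or match.lastindex is None:
        return None
    user = match.group(1)
    return user or None


def audit_pattern(pattern: str, principals) -> Dict[str, Optional[str]]:
    """Apply a mapping pattern to each principal and report the outcome.

    The result lets an operator confirm that every expected principal maps
    to the intended username and that nothing unexpected is accepted.
    """
    return {p: map_principal(p, pattern) for p in principals}


if __name__ == "__main__":
    # Constructed principals for the demonstration.
    sample = [
        "admin@MINITRINO.COM",   # expected: maps to "admin"
        "admin@OTHER.REALM",     # expected: rejected, wrong realm
        "admin",                 # expected: rejected, no realm
        "@MINITRINO.COM",        # expected: rejected, empty username
    ]
    for principal, user in audit_pattern(USER_MAPPING_PATTERN, sample).items():
        verdict = f"-> {user}" if user else "REJECTED"
        print(f"{principal:24} {verdict}")
```

Running the script prints each principal with the user it maps to, or `REJECTED`. The check on an empty first group is a deliberate conservative choice in this example: a pattern such as `(.*)@MINITRINO\.COM` would otherwise accept a bare `@MINITRINO.COM` principal and hand downstream access-control modules an empty username.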
## Dependent Modules

- `tls`: Required for securing credentials in transit.