Kerberos credential pass-through#
A number of connectors support credential pass-through. With this feature configured, any user is required to supply their credentials to Trino. These credentials are then used to connect to the underlying data source. As a result, any data access via Trino is subject to the data access restrictions and permissions of the user supplied.
Note
The Kerberos credential pass-through feature is only supported in select connectors. Reference the connectors feature matrix for more information about which connectors support this feature.
Coordinator and worker configuration#
The credential pass-through relies on the usage of Kerberos for authentication. The user information in Kerberos is used for the data access permissions in the connected data sources.
Kerberos usage requires HTTPS, and therefore also requires secure internal communication with a shared secret and FQDN as internal address source.
To use credential pass-through, configure the Trino coordinator and workers in
config.properties
.
internal-communication.shared-secret=yourSecret
node.internal-address-source=FQDN
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=exampleServiceName
http.authentication.krb5.config=/etc/krb5.conf
Optionally, you can configure more details for Kerberos usage with the following properties:
http-server.authentication.krb5.keytab=/path/to/Keytab/File
http-server.authentication.krb5.principal-hostname=kerberos.example.com
http-server.authentication.krb5.name-type
,USER_NAME
orHOSTBASED_SERVICE
In addition, Kerberos needs to be configured to allow forwarding on the Trino
coordinator and worker as well as on the client workstation, e.g. in the
/etc/krb5.conf
file:
[libdefaults]
forwardable = true
In order for Kerberos user names to be correctly mapped and translated through Trino to the catalogs, you need to configure the correct user mapping.
Catalog configuration#
As a last step, the authentication type in the catalog properties file needs to
be set to KERBEROS_PASS_THROUGH
to enable credential pass-through. If the
certificate used for HTTPS is not signed by a known certificate authority,
supported by the JVM, the path to the trust store file has to be specified in
the catalog file using property
kerberos-manager.http-client.trust-store-path
.
More information about this setting and the necessary Kerberos configuration can be found in the specific connector documentation.