Kerberos credential pass-through#

A number of connectors support credential pass-through. With this feature configured, any user is required to supply their credentials to Trino. These credentials are then used to connect to the underlying data source. As a result, any data access via Trino is subject to the data access restrictions and permissions of the user supplied.

Note

The Kerberos credential pass-through feature is only supported in select connectors. Reference the connectors feature matrix for more information about which connectors support this feature.

Coordinator and worker configuration#

The credential pass-through relies on the usage of Kerberos for authentication. The user information in Kerberos is used for the data access permissions in the connected data sources.

Kerberos usage requires HTTPS, and therefore also requires secure internal communication with a shared secret and FQDN as internal address source.

To use credential pass-through, configure the Trino coordinator and workers in config.properties.

internal-communication.shared-secret=yourSecret
node.internal-address-source=FQDN
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=exampleServiceName
http.authentication.krb5.config=/etc/krb5.conf

Optionally, you can configure more details for Kerberos usage with the following properties:

  • http-server.authentication.krb5.keytab=/path/to/Keytab/File

  • http-server.authentication.krb5.principal-hostname=kerberos.example.com

  • http-server.authentication.krb5.name-type, USER_NAME or HOSTBASED_SERVICE

In addition, Kerberos needs to be configured to allow forwarding on the Trino coordinator and worker as well as on the client workstation, e.g. in the /etc/krb5.conf file:

[libdefaults]
  forwardable = true

In order for Kerberos user names to be correctly mapped and translated through Trino to the catalogs, you need to configure the correct user mapping.

Catalog configuration#

As a last step, the authentication type in the catalog properties file needs to be set to KERBEROS_PASS_THROUGH to enable credential pass-through. If the certificate used for HTTPS is not signed by a known certificate authority, supported by the JVM, the path to the trust store file has to be specified in the catalog file using property kerberos-manager.http-client.trust-store-path.

More information about this setting and the necessary Kerberos configuration can be found in the specific connector documentation.