-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathserver.html
320 lines (303 loc) · 17.5 KB
/
server.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3.1. Coordinator Kerberos Authentication — Presto 0.212 Documentation</title>
<link rel="stylesheet" href="../_static/presto.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '0.212',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="top" title="Presto 0.212 Documentation" href="../index.html" />
<link rel="up" title="3. Security" href="../security.html" />
<link rel="next" title="3.2. CLI Kerberos Authentication" href="cli.html" />
<link rel="prev" title="3. Security" href="../security.html" />
</head>
<body role="document">
<div class="header">
<h1 class="heading"><a href="../index.html">
<span>Presto 0.212 Documentation</span></a></h1>
<h2 class="heading"><span>3.1. Coordinator Kerberos Authentication</span></h2>
</div>
<div class="topnav">
<p class="nav">
<span class="left">
« <a href="../security.html">3. Security</a>
</span>
<span class="right">
<a href="cli.html">3.2. CLI Kerberos Authentication</a> »
</span>
</p>
</div>
<div class="content">
<div class="section" id="coordinator-kerberos-authentication">
<h1>3.1. Coordinator Kerberos Authentication</h1>
<p>The Presto coordinator can be configured to enable Kerberos authentication over
HTTPS for clients, such as the <a class="reference internal" href="cli.html"><span class="doc">Presto CLI</span></a>, or the
JDBC and ODBC drivers.</p>
<p>To enable Kerberos authentication for Presto, configuration changes are made on
the Presto coordinator. No changes are required to the worker configuration;
the worker nodes will continue to connect to the coordinator over
unauthenticated HTTP. However, if you want to secure the communication between
Presto nodes with SSL/TLS, configure <a class="reference internal" href="internal-communication.html"><span class="doc">Secure Internal Communication</span></a>.</p>
<div class="section" id="environment-configuration">
<h2>Environment Configuration</h2>
<div class="section" id="kerberos-services">
<span id="server-kerberos-services"></span><h3>Kerberos Services</h3>
<p>You will need a Kerberos <abbr title="Key Distribution Center">KDC</abbr> running on a
node that the Presto coordinator can reach over the network. The KDC is
responsible for authenticating principals and issuing session keys that can be
used with Kerberos-enabled services. KDCs typically run on port 88, which is
the IANA-assigned port for Kerberos.</p>
</div>
<div class="section" id="mit-kerberos-configuration">
<span id="server-kerberos-configuration"></span><h3>MIT Kerberos Configuration</h3>
<p>Kerberos needs to be configured on the Presto coordinator. At a minimum, there needs
to be a <code class="docutils literal"><span class="pre">kdc</span></code> entry in the <code class="docutils literal"><span class="pre">[realms]</span></code> section of the <code class="docutils literal"><span class="pre">/etc/krb5.conf</span></code>
file. You may also want to include an <code class="docutils literal"><span class="pre">admin_server</span></code> entry and ensure that
the Presto coordinator can reach the Kerberos admin server on port 749.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>[realms]
PRESTO.EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.presto.example.com = PRESTO.EXAMPLE.COM
presto.example.com = PRESTO.EXAMPLE.COM
</pre></div>
</div>
<p>The complete <a class="reference external" href="http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html">documentation</a>
for <code class="docutils literal"><span class="pre">krb5.conf</span></code> is hosted by the MIT Kerberos Project. If you are using a
different implementation of the Kerberos protocol, you will need to adapt the
configuration to your environment.</p>
</div>
<div class="section" id="kerberos-principals-and-keytab-files">
<span id="server-kerberos-principals"></span><h3>Kerberos Principals and Keytab Files</h3>
<p>The Presto coordinator needs a Kerberos principal, as do users who are going to
connect to the Presto coordinator. You will need to create these users in
Kerberos using <a class="reference external" href="http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html">kadmin</a>.</p>
<p>In addition, the Presto coordinator needs a <a class="reference external" href="http://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html">keytab file</a>. After you create the principal, you can create the keytab file using <strong class="command">kadmin</strong></p>
<div class="highlight-none"><div class="highlight"><pre><span></span>kadmin
> addprinc -randkey presto@EXAMPLE.COM
> addprinc -randkey presto/presto-coordinator.example.com@EXAMPLE.COM
> ktadd -k /etc/presto/presto.keytab presto@EXAMPLE.COM
> ktadd -k /etc/presto/presto.keytab presto/presto-coordinator.example.com@EXAMPLE.COM
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Running <strong class="command">ktadd</strong> randomizes the principal’s keys. If you have just
created the principal, this does not matter. If the principal already exists,
and if existing users or services rely on being able to authenticate using a
password or a keytab, use the <code class="docutils literal"><span class="pre">-norandkey</span></code> option to <strong class="command">ktadd</strong>.</p>
</div>
</div>
<div class="section" id="java-cryptography-extension-policy-files">
<h3>Java Cryptography Extension Policy Files</h3>
<p>The Java Runtime Environment is shipped with policy files that limit the
strength of the cryptographic keys that can be used. Kerberos, by default, uses
keys that are larger than those supported by the included policy files. There
are two possible solutions to the problem:</p>
<blockquote>
<div><ul class="simple">
<li>Update the <abbr title="Java Cryptograhy Extension">JCE</abbr> policy files.</li>
<li>Configure Kerberos to use reduced-strength keys.</li>
</ul>
</div></blockquote>
<p>Of the two options, updating the JCE policy files is recommended. The JCE
policy files can be downloaded from Oracle. Note that the JCE policy files vary
based on the major version of Java you are running. Java 6 policy files will
not work with Java 8, for example.</p>
<p>The Java 8 policy files are available <a class="reference external" href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">here</a>.
Instructions for installing the policy files are included in a <code class="docutils literal"><span class="pre">README</span></code> file in
the ZIP archive. You will need administrative access to install the policy
files if you are installing them in a system JRE.</p>
</div>
<div class="section" id="java-keystore-file-for-tls">
<h3>Java Keystore File for TLS</h3>
<p>When using Kerberos authentication, access to the Presto coordinator should be
through HTTPS. You can do it by creating a <a class="reference internal" href="tls.html#server-java-keystore"><span class="std std-ref">Java Keystore File for TLS</span></a> on the
coordinator.</p>
</div>
</div>
<div class="section" id="system-access-control-plugin">
<h2>System Access Control Plugin</h2>
<p>A Presto coordinator with Kerberos enabled will probably need a
<a class="reference internal" href="../develop/system-access-control.html"><span class="doc">System Access Control</span></a> plugin to achieve
the desired level of security.</p>
</div>
<div class="section" id="presto-coordinator-node-configuration">
<h2>Presto Coordinator Node Configuration</h2>
<p>You must make the above changes to the environment prior to configuring the
Presto coordinator to use Kerberos authentication and HTTPS. After making the
following environment changes, you can make the changes to the Presto
configuration files.</p>
<ul class="simple">
<li><a class="reference internal" href="#server-kerberos-services"><span class="std std-ref">Kerberos Services</span></a></li>
<li><a class="reference internal" href="#server-kerberos-configuration"><span class="std std-ref">MIT Kerberos Configuration</span></a></li>
<li><a class="reference internal" href="#server-kerberos-principals"><span class="std std-ref">Kerberos Principals and Keytab Files</span></a></li>
<li><a class="reference internal" href="tls.html#server-java-keystore"><span class="std std-ref">Java Keystore File for TLS</span></a></li>
<li><a class="reference internal" href="../develop/system-access-control.html"><span class="doc">System Access Control Plugin</span></a></li>
</ul>
<div class="section" id="config-properties">
<h3>config.properties</h3>
<p>Kerberos authentication is configured in the coordinator node’s
<code class="file docutils literal"><span class="pre">config.properties</span></code> file. The entries that need to be added are listed below.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>http-server.authentication.type=KERBEROS
http.server.authentication.krb5.service-name=presto
http.server.authentication.krb5.keytab=/etc/presto/presto.keytab
http.authentication.krb5.config=/etc/krb5.conf
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/etc/presto_keystore.jks
http-server.https.keystore.key=keystore_password
</pre></div>
</div>
<table border="1" class="docutils">
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal"><span class="pre">http-server.authentication.type</span></code></td>
<td>Authentication type for the Presto
coordinator. Must be set to <code class="docutils literal"><span class="pre">KERBEROS</span></code>.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">http.server.authentication.krb5.service-name</span></code></td>
<td>The Kerberos server name for the Presto coordinator.
Must match the Kerberos principal.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">http.server.authentication.krb5.keytab</span></code></td>
<td>The location of the keytab that can be used to
authenticate the Kerberos principal specified in
<code class="docutils literal"><span class="pre">http.server.authentication.krb5.service-name</span></code>.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">http.authentication.krb5.config</span></code></td>
<td>The location of the Kerberos configuration file.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">http-server.https.enabled</span></code></td>
<td>Enables HTTPS access for the Presto coordinator.
Should be set to <code class="docutils literal"><span class="pre">true</span></code>.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">http-server.https.port</span></code></td>
<td>HTTPS server port.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">http-server.https.keystore.path</span></code></td>
<td>The location of the Java Keystore file that will be
used to secure TLS.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">http-server.https.keystore.key</span></code></td>
<td>The password for the keystore. This must match the
password you specified when creating the keystore.</td>
</tr>
</tbody>
</table>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p>Monitor CPU usage on the Presto coordinator after enabling HTTPS. Java
prefers the more CPU-intensive cipher suites if you allow it to choose from
a big list. If the CPU usage is unacceptably high after enabling HTTPS,
you can configure Java to use specific cipher suites by setting
the <code class="docutils literal"><span class="pre">http-server.https.included-cipher</span></code> property to only allow
cheap ciphers. Non forward secrecy (FS) ciphers are disabled by default.
As a result, if you want to choose non FS ciphers, you need to set the
<code class="docutils literal"><span class="pre">http-server.https.excluded-cipher</span></code> property to an empty list in order to
override the default exclusions.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
http-server.https.excluded-cipher=
</pre></div>
</div>
<p class="last">The Java documentation lists the <a class="reference external" href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">supported cipher suites</a>.</p>
</div>
</div>
<div class="section" id="access-controls-properties">
<h3>access-controls.properties</h3>
<p>At a minimum, an <code class="file docutils literal"><span class="pre">access-control.properties</span></code> file must contain an
<code class="docutils literal"><span class="pre">access-control.name</span></code> property. All other configuration is specific
for the implementation being configured.
See <a class="reference internal" href="../develop/system-access-control.html"><span class="doc">System Access Control</span></a> for details.</p>
</div>
</div>
<div class="section" id="troubleshooting">
<span id="coordinator-troubleshooting"></span><h2>Troubleshooting</h2>
<p>Getting Kerberos authentication working can be challenging. You can
independently verify some of the configuration outside of Presto to help narrow
your focus when trying to solve a problem.</p>
<div class="section" id="kerberos-verification">
<h3>Kerberos Verification</h3>
<p>Ensure that you can connect to the KDC from the Presto coordinator using
<strong class="command">telnet</strong>.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>$ telnet kdc.example.com 88
</pre></div>
</div>
<p>Verify that the keytab file can be used to successfully obtain a ticket using
<a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html">kinit</a> and
<a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/klist.html">klist</a></p>
<div class="highlight-none"><div class="highlight"><pre><span></span>$ kinit -kt /etc/presto/presto.keytab presto@EXAMPLE.COM
$ klist
</pre></div>
</div>
</div>
<div class="section" id="java-keystore-file-verification">
<h3>Java Keystore File Verification</h3>
<p>Verify the password for a keystore file and view its contents using
<a class="reference internal" href="tls.html#troubleshooting-keystore"><span class="std std-ref">Java Keystore File Verification</span></a></p>
</div>
<div class="section" id="additional-kerberos-debugging-information">
<h3>Additional Kerberos Debugging Information</h3>
<p>You can enable additional Kerberos debugging information for the Presto
coordinator process by adding the following lines to the Presto <code class="docutils literal"><span class="pre">jvm.config</span></code>
file</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>-Dsun.security.krb5.debug=true
-Dlog.enable-console=true
</pre></div>
</div>
<p><code class="docutils literal"><span class="pre">-Dsun.security.krb5.debug=true</span></code> enables Kerberos debugging output from the
JRE Kerberos libraries. The debugging output goes to <code class="docutils literal"><span class="pre">stdout</span></code>, which Presto
redirects to the logging system. <code class="docutils literal"><span class="pre">-Dlog.enable-console=true</span></code> enables output
to <code class="docutils literal"><span class="pre">stdout</span></code> to appear in the logs.</p>
<p>The amount and usefulness of the information the Kerberos debugging output
sends to the logs varies depending on where the authentication is failing.
Exception messages and stack traces can also provide useful clues about the
nature of the problem.</p>
</div>
<div class="section" id="additional-resources">
<span id="server-additional-resources"></span><h3>Additional resources</h3>
<p><a class="reference external" href="http://docs.oracle.com/cd/E19253-01/816-4557/trouble-6/index.html">Common Kerberos Error Messages (A-M)</a></p>
<p><a class="reference external" href="http://docs.oracle.com/cd/E19253-01/816-4557/trouble-27/index.html">Common Kerberos Error Messages (N-Z)</a></p>
<p><a class="reference external" href="http://web.mit.edu/kerberos/krb5-latest/doc/admin/troubleshoot.html">MIT Kerberos Documentation: Troubleshooting</a></p>
</div>
</div>
</div>
</div>
<div class="bottomnav">
<p class="nav">
<span class="left">
« <a href="../security.html">3. Security</a>
</span>
<span class="right">
<a href="cli.html">3.2. CLI Kerberos Authentication</a> »
</span>
</p>
</div>
<div class="footer" role="contentinfo">
</div>
</body>
</html>