<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3.2. CLI Kerberos Authentication — Presto 335 Documentation</title>
<link rel="stylesheet" href="../_static/presto.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '335',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="3.3. LDAP Authentication" href="ldap.html" />
<link rel="prev" title="3.1. Coordinator Kerberos Authentication" href="server.html" />
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-133457846-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-133457846-1');
</script>
</head>
<body>
<div class="header">
<h1 class="heading"><a href="../index.html">
<span>Presto 335 Documentation</span></a></h1>
<h2 class="heading"><span>3.2. CLI Kerberos Authentication</span></h2>
</div>
<div class="topnav">
<p class="nav">
<span class="left">
« <a href="server.html">3.1. Coordinator Kerberos Authentication</a>
</span>
<span class="right">
<a href="ldap.html">3.3. LDAP Authentication</a> »
</span>
</p>
</div>
<div class="content">
<div class="section" id="cli-kerberos-authentication">
<h1>3.2. CLI Kerberos Authentication<a class="headerlink" href="#cli-kerberos-authentication" title="Permalink to this headline">#</a></h1>
<p>The Presto <a class="reference internal" href="../installation/cli.html"><span class="doc">Command Line Interface</span></a> can connect to a <a class="reference internal" href="server.html"><span class="doc">Presto coordinator</span></a> that has Kerberos authentication enabled.</p>
<div class="section" id="environment-configuration">
<h2>Environment Configuration<a class="headerlink" href="#environment-configuration" title="Permalink to this headline">#</a></h2>
<div class="section" id="kerberos-services">
<h3>Kerberos Services<a class="headerlink" href="#kerberos-services" title="Permalink to this headline">#</a></h3>
<p>You will need a Kerberos <abbr title="Key Distribution Center">KDC</abbr> running on a
node that the client can reach over the network. The KDC is
responsible for authenticating principals and issuing session keys that can be
used with Kerberos-enabled services. KDCs typically run on port 88, which is
the IANA-assigned port for Kerberos.</p>
</div>
<div class="section" id="mit-kerberos-configuration">
<h3>MIT Kerberos Configuration<a class="headerlink" href="#mit-kerberos-configuration" title="Permalink to this headline">#</a></h3>
<p>Kerberos needs to be configured on the client. At a minimum, there needs
to be a <code class="docutils literal"><span class="pre">kdc</span></code> entry in the <code class="docutils literal"><span class="pre">[realms]</span></code> section of the <code class="docutils literal"><span class="pre">/etc/krb5.conf</span></code>
file. You may also want to include an <code class="docutils literal"><span class="pre">admin_server</span></code> entry and ensure that
the client can reach the Kerberos admin server on port 749.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>[realms]
PRESTO.EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.presto.example.com = PRESTO.EXAMPLE.COM
presto.example.com = PRESTO.EXAMPLE.COM
</pre></div>
</div>
<p>The complete <a class="reference external" href="http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html">documentation</a>
for <code class="docutils literal"><span class="pre">krb5.conf</span></code> is hosted by the MIT Kerberos Project. If you are using a
different implementation of the Kerberos protocol, you will need to adapt the
configuration to your environment.</p>
</div>
<div class="section" id="kerberos-principals-and-keytab-files">
<h3>Kerberos Principals and Keytab Files<a class="headerlink" href="#kerberos-principals-and-keytab-files" title="Permalink to this headline">#</a></h3>
<p>Each user who connects to the Presto coordinator needs a Kerberos principal.
You need to create these users in Kerberos using <a class="reference external" href="http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html">kadmin</a>.</p>
<p>Additionally, each user needs a <a class="reference external" href="http://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html">keytab file</a>. The
keytab file can be created using <strong class="command">kadmin</strong> after you create the
principal.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>kadmin
> addprinc -randkey someuser@EXAMPLE.COM
> ktadd -k /home/someuser/someuser.keytab someuser@EXAMPLE.COM
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Running <strong class="command">ktadd</strong> randomizes the principal’s keys. If you have just
created the principal, this does not matter. If the principal already exists,
and if existing users or services rely on being able to authenticate using a
password or a keytab, use the <code class="docutils literal"><span class="pre">-norandkey</span></code> option to <strong class="command">ktadd</strong>.</p>
</div>
</div>
<div class="section" id="java-keystore-file-for-tls">
<h3>Java Keystore File for TLS<a class="headerlink" href="#java-keystore-file-for-tls" title="Permalink to this headline">#</a></h3>
<p>Access to the Presto coordinator must be through HTTPS when using Kerberos
authentication. The Presto coordinator uses a <a class="reference internal" href="tls.html#server-java-keystore"><span class="std std-ref">Java Keystore</span></a> file for its TLS configuration. This file can be
copied to the client machine and used for its configuration.</p>
</div>
</div>
<div class="section" id="presto-cli-execution">
<h2>Presto CLI execution<a class="headerlink" href="#presto-cli-execution" title="Permalink to this headline">#</a></h2>
<p>In addition to the options required when connecting to a Presto coordinator
that does not require Kerberos authentication, invoking the CLI with Kerberos
support enabled requires a number of additional command line options. The
simplest way to invoke the CLI is with a wrapper script.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>#!/bin/bash
./presto \
--server https://presto-coordinator.example.com:7778 \
--krb5-config-path /etc/krb5.conf \
--krb5-principal someuser@EXAMPLE.COM \
--krb5-keytab-path /home/someuser/someuser.keytab \
--krb5-remote-service-name presto \
--keystore-path /tmp/presto.jks \
--keystore-password password \
--catalog <catalog> \
--schema <schema>
</pre></div>
</div>
<table border="1" class="docutils">
<colgroup>
<col width="30%" />
<col width="70%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Option</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal"><span class="pre">--server</span></code></td>
<td>The address and port of the Presto coordinator. The port must
be set to the port the Presto coordinator is listening for HTTPS
connections on.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">--krb5-config-path</span></code></td>
<td>Kerberos configuration file.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">--krb5-principal</span></code></td>
<td>The principal to use when authenticating to the coordinator.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">--krb5-keytab-path</span></code></td>
<td>The location of the keytab that can be used to
authenticate the principal specified by <code class="docutils literal"><span class="pre">--krb5-principal</span></code>.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">--krb5-remote-service-name</span></code></td>
<td>Presto coordinator Kerberos service name.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal"><span class="pre">--keystore-path</span></code></td>
<td>The location of the Java Keystore file that is used
to secure TLS.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal"><span class="pre">--keystore-password</span></code></td>
<td>The password for the keystore. This must match the
password you specified when creating the keystore.</td>
</tr>
</tbody>
</table>
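<p>As an added example (not the project's own code) covering both the <code class="docutils literal"><span class="pre">krb5.conf</span></code> fragment above and the <code class="docutils literal"><span class="pre">--server</span></code> option: it reads a constructed copy of the sample configuration, resolves the coordinator host to a realm the way the <code class="docutils literal"><span class="pre">[domain_realm]</span></code> lookup does in simplified form (exact host, then parent domains with a leading dot, then <code class="docutils literal"><span class="pre">default_realm</span></code>), and reports a non-HTTPS URL, a missing port, or a realm without a <code class="docutils literal"><span class="pre">kdc</span></code> entry. The function and sample names are assumptions made for this example.</p>

```python
from urllib.parse import urlsplit
# Constructed sample mirroring the krb5.conf fragment in this document.
SAMPLE_KRB5_CONF = """[realms]
PRESTO.EXAMPLE.COM = {
    kdc = kdc.example.com
}
[domain_realm]
.presto.example.com = PRESTO.EXAMPLE.COM
presto.example.com = PRESTO.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Read krb5.conf [section] blocks of key = value lines, with one level of { } nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):                 # e.g. "PRESTO.EXAMPLE.COM = {"
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def realm_for_host(conf, host):
    """Exact host first, then each parent domain with a leading dot, then default_realm (simplified lookup)."""
    mapping, labels = conf.get("domain_realm", {}), host.lower().split(".")
    for candidate in [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")

def check_server_option(conf_text, server):
    """Return the problems found with a --server value; an empty list means it is consistent."""
    conf, url, problems = parse_krb5_conf(conf_text), urlsplit(server), []
    if url.scheme != "https" or url.port is None:
        problems.append("--server must be an https URL that names the coordinator's HTTPS port")
    realm = realm_for_host(conf, url.hostname or "")
    if realm is None:
        problems.append("no [domain_realm] mapping or default_realm for " + str(url.hostname))
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("realm " + realm + " has no kdc entry in [realms]")
    return problems
```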
</div>
<div class="section" id="troubleshooting">
<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">#</a></h2>
<p>Many of the same steps that can be used when troubleshooting the <a class="reference internal" href="server.html#coordinator-troubleshooting"><span class="std std-ref">Presto
coordinator</span></a> apply to troubleshooting the CLI.</p>
<div class="section" id="additional-kerberos-debugging-information">
<h3>Additional Kerberos Debugging Information<a class="headerlink" href="#additional-kerberos-debugging-information" title="Permalink to this headline">#</a></h3>
<p>You can enable additional Kerberos debugging information for the Presto CLI
process by passing <code class="docutils literal"><span class="pre">-Dsun.security.krb5.debug=true</span></code> as a JVM argument when
starting the CLI process. Doing so requires invoking the CLI JAR via <code class="docutils literal"><span class="pre">java</span></code>
instead of running the self-executable JAR directly, because the self-executable JAR
file cannot pass the option to the JVM.</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>#!/bin/bash
java \
-Dsun.security.krb5.debug=true \
-jar presto-cli-*-executable.jar \
--server https://presto-coordinator.example.com:7778 \
--krb5-config-path /etc/krb5.conf \
--krb5-principal someuser@EXAMPLE.COM \
--krb5-keytab-path /home/someuser/someuser.keytab \
--krb5-remote-service-name presto \
--keystore-path /tmp/presto.jks \
--keystore-password password \
--catalog <catalog> \
--schema <schema>
</pre></div>
</div>
<p>The <a class="reference internal" href="server.html#server-additional-resources"><span class="std std-ref">additional resources</span></a> listed in the
documentation for setting up Kerberos authentication for the Presto coordinator
may be of help when interpreting the Kerberos debugging messages.</p>
</div>
</div>
</div>
</div>
<div class="bottomnav">
<p class="nav">
<span class="left">
« <a href="server.html">3.1. Coordinator Kerberos Authentication</a>
</span>
<span class="right">
<a href="ldap.html">3.3. LDAP Authentication</a> »
</span>
</p>
</div>
<div class="footer" role="contentinfo">
</div>
</body>
</html>