Disable internal authentication (kerberos) between coordinator and workers #21679
Comments
Hi @Consultante-yr, I assume you still need kerberos in your coordinator which protects your presto cluster. To disable the internal authentication with kerberos, you only need to remove
Hello @yhwang, Thank you for your response. This is my file config in coordinator:

---- discovery server
http-server.authentication.type=PASSWORD,KERBEROS
---- ssl/tls
http-server.https.enabled=true
---- config query
node-scheduler.network-topology=flat

And when I tried also to remove internal-communication.kerberos.enabled in the workers, this is my file config in workers:

--- Im a worker
--- discovery server
http-server.authentication.type=PASSWORD,KERBEROS
---- ssl/tls
http-server.https.enabled=true
---- config query
node-scheduler.network-topology=flat

And for workers, they communicate with the coordinator over HTTPS. I prefer to maintain HTTPS, as changing it would require adjusting all configurations under load balancers. Any suggestions, please? Thank you in advance, Best Regards,
The following suggestion is based on the assumption that you want to disable the Kerberos between the coordinator and workers but still enable Kerberos on the Presto UI: In the coordinator:
Change
Change
You still need HTTP server, so set this value to
Set
Make sure the two settings above are commented out
====================================================
In the workers:
Change to HTTP protocol and use the value from the coordinator. i.e:
Then comment out the following settings:
Finally, you still need to set up
Again, I assume that you only want the Kerberos on the presto UI but no HTTPS and no Kerberos between the coordinator and workers.
Hello @yhwang, Thank you for your answer. I put the conf on the coordinator and the worker as you mentioned before and effectively the UI works and the workers are connected to it. Otherwise, if you want the logs I could also send them to you. Thanks in advance,
@Consultante-yr sorry for the late response. The internal communication works properly on your Presto cluster. I suggest that you follow this doc to enable the Kerberos for external communication of the coordinator. I believe you will add the following settings back to your coordinator:
Don't add other settings except those mentioned in the doc. And follow this doc to use the Presto CLI to connect to your Presto coordinator via the HTTPS port. The extra setting you should also apply to the coordinator is to set up firewall rules to only allow HTTP access from worker nodes. This would depend on what system you are using and what firewall tool you are able to install/use.
Hello @yhwang, My coordinator has the following settings:

coordinator=true
discovery.uri=http://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
http-server.http.enabled=true
query.client.timeout=120.00m
node-scheduler.network-topology=flat

and in the workers:

discovery.uri=http://coordinator.domaine.com:8443
http-server.http.enabled=true
query.client.timeout=120.00m
node-scheduler.network-topology=flat
node-scheduler.network-topology=flat

And now, if I add these settings to the coordinator: I get this error: "java.net.BindException: Address already in use", because I have already used the port in the HTTP protocol. For information, before disabling the internal Kerberos and before changing discovery.uri to http, the Presto CLI works fine. Thanks in advance,
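An added example, not part of the thread and not Presto project code: a small pre-start check for the situation in the comment above, where re-enabling HTTPS on a coordinator that already serves plain HTTP ends in "Address already in use". The sample config is constructed, and the `http-server.http.port` / `http-server.https.port` keys and the default values are assumptions that do not appear in the posted configs.

```python
from urllib.parse import urlparse

# Constructed coordinator config.properties modelled on the thread: HTTPS is
# re-enabled on the port the plain-HTTP listener already uses (assumed values).
SAMPLE_COORDINATOR = """\
coordinator=true
discovery.uri=http://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
http-server.http.enabled=true
http-server.http.port=8443
http-server.https.enabled=true
http-server.https.port=8443
"""

# Assumed defaults when a key is absent: (enabled, port).
DEFAULTS = {"http": ("true", 8080), "https": ("false", 8443)}


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_listeners(props):
    """Return findings about the HTTP/HTTPS listeners and discovery.uri."""
    listeners = {}
    for scheme, (enabled, port) in DEFAULTS.items():
        if props.get(f"http-server.{scheme}.enabled", enabled).lower() == "true":
            listeners[scheme] = int(props.get(f"http-server.{scheme}.port", port))
    findings = []
    if len(listeners) == 2 and listeners["http"] == listeners["https"]:
        findings.append(f"port-collision:{listeners['http']}")  # BindException at start
    uri = urlparse(props.get("discovery.uri", ""))
    if uri.scheme not in listeners:
        findings.append(f"discovery-scheme-disabled:{uri.scheme}")
    elif uri.port != listeners[uri.scheme]:
        findings.append(f"discovery-port-mismatch:{uri.port}")
    if "http" in listeners:
        # Plain-HTTP internal traffic: restrict it to worker nodes by firewall.
        findings.append("http-listener-open:firewall-to-workers")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(parse_properties(SAMPLE_COORDINATOR)):
        print(finding)
```

Run against the coordinator and each worker file before a restart; a `port-collision` finding means the two listeners need distinct ports.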
Hello,
We have actually Prestodb with this version 0.215, and the internal authentication is configured with kerberos.
We want to disable this authentication because there are too many Kerberos requests which are beating up the server.
So when I tried to delete this part related to kerberos in config.properties in coordinator and workers:
http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=xxxxx
http.server.authentication.krb5.keytab=xxxx.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=true
I no longer have access to the UI and I have 503.
So what is the possibility to disable the service without impacting the UI, please?
I saw in this link https://prestodb.io/docs/current/security/internal-communication.html#jwt, that I can use JWT but it's not compatible with the version we have.
I saw that I can replace http-server.authentication.type=PASSWORD,KERBEROS with http-erver.authentication.type=PASSWORD or http-erver.authentication.type=PASSWORD, CERTIFICAT but I get this: "https://coordiantor/v1/info/state returned status 401: Unauthorized"
For information: we use ldaps and tls/ssl in the configuration
Please any idea?
Thank you in advance,