Make service principal hostname configurable in Kerberos auth

presto-docs/src/main/sphinx/security/server.rst

@@ -87,6 +87,7 @@ Kerberos authentication is configured in the coordinator node's
     http-server.authentication.type=KERBEROS
 
     http.server.authentication.krb5.service-name=presto
+    http.server.authentication.krb5.host-name=presto.prestosql.io
     http.server.authentication.krb5.keytab=/etc/presto/presto.keytab
     http.authentication.krb5.config=/etc/krb5.conf
 
@@ -101,11 +102,15 @@ Property                                                Description
 ======================================================= ======================================================
 ``http-server.authentication.type``                     Authentication type for the Presto
                                                         coordinator. Must be set to ``KERBEROS``.
-``http.server.authentication.krb5.service-name``        The Kerberos server name for the Presto coordinator.
+``http.server.authentication.krb5.service-name``        The Kerberos service name for the Presto coordinator.
                                                         Must match the Kerberos principal.
+``http.server.authentication.krb5.principal-hostname``  The Kerberos hostname for the Presto coordinator.
+                                                        Must match the Kerberos principal. This parameter is
+                                                        optional. If included, Presto will use this value
+                                                        in the host part of the Kerberos principal instead
+                                                        of the machine's hostname.
 ``http.server.authentication.krb5.keytab``              The location of the keytab that can be used to
-                                                        authenticate the Kerberos principal specified in
-                                                        ``http.server.authentication.krb5.service-name``.
+                                                        authenticate the Kerberos principal.
 ``http.authentication.krb5.config``                     The location of the Kerberos configuration file.
 ``http-server.https.enabled``                           Enables HTTPS access for the Presto coordinator.
                                                         Should be set to ``true``.

presto-main/src/main/java/io/prestosql/server/security/KerberosAuthenticator.java

@@ -64,7 +64,10 @@ public KerberosAuthenticator(KerberosConfig config)
         System.setProperty("java.security.krb5.conf", config.getKerberosConfig().getAbsolutePath());
 
         try {
-            String hostname = InetAddress.getLocalHost().getCanonicalHostName().toLowerCase(Locale.US);
+            String hostname = Optional.ofNullable(config.getPrincipalHostname())
+                    .orElseGet(() -> getLocalHost().getCanonicalHostName())
+                    .toLowerCase(Locale.US);
+
             String servicePrincipal = config.getServiceName() + "/" + hostname;
             loginContext = new LoginContext("", null, null, new Configuration()
             {
@@ -99,7 +102,7 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name)
                     },
                     ACCEPT_ONLY));
         }
-        catch (LoginException | UnknownHostException e) {
+        catch (LoginException e) {
             throw new RuntimeException(e);
         }
     }
@@ -194,4 +197,14 @@ private static <T> T doAs(Subject subject, GssSupplier<T> action)
             }
         });
     }
+
+    private static InetAddress getLocalHost()
+    {
+        try {
+            return InetAddress.getLocalHost();
+        }
+        catch (UnknownHostException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }

presto-main/src/main/java/io/prestosql/server/security/KerberosConfig.java

@@ -26,6 +26,7 @@ public class KerberosConfig
     private File kerberosConfig;
     private String serviceName;
     private File keytab;
+    private String principalHostname;
 
     @NotNull
     public File getKerberosConfig()
@@ -64,4 +65,16 @@ public KerberosConfig setKeytab(File keytab)
         this.keytab = keytab;
         return this;
     }
+
+    public String getPrincipalHostname()
+    {
+        return principalHostname;
+    }
+
+    @Config("http.authentication.krb5.principal-hostname")
+    public KerberosConfig setPrincipalHostname(String principalHostname)
+    {
+        this.principalHostname = principalHostname;
+        return this;
+    }
 }

presto-main/src/test/java/io/prestosql/server/security/TestKerberosConfig.java

@@ -28,7 +28,8 @@ public void testDefaults()
         ConfigAssertions.assertRecordedDefaults(ConfigAssertions.recordDefaults(KerberosConfig.class)
                 .setKerberosConfig(null)
                 .setServiceName(null)
-                .setKeytab(null));
+                .setKeytab(null)
+                .setPrincipalHostname(null));
     }
 
     @Test
@@ -38,12 +39,14 @@ public void testExplicitPropertyMappings()
                 .put("http.authentication.krb5.config", "/etc/krb5.conf")
                 .put("http.server.authentication.krb5.service-name", "airlift")
                 .put("http.server.authentication.krb5.keytab", "/tmp/presto.keytab")
+                .put("http.authentication.krb5.principal-hostname", "presto.prestosql.io")
                 .build();
 
         KerberosConfig expected = new KerberosConfig()
                 .setKerberosConfig(new File("/etc/krb5.conf"))
                 .setServiceName("airlift")
-                .setKeytab(new File("/tmp/presto.keytab"));
+                .setKeytab(new File("/tmp/presto.keytab"))
+                .setPrincipalHostname("presto.prestosql.io");
 
         ConfigAssertions.assertFullMapping(properties, expected);
     }