After the initial installation of your cluster, security is the next major concern for successfully operating Presto. This overview provides an introduction to different aspects of configuring security for your Presto cluster.
Aspects of configuring security
The default installation of Presto has no security features enabled. Security can be enabled for different parts of the Presto architecture:
Suggested configuration workflow
To configure security for a new Presto cluster, follow this best practice order of steps. Do not skip or combine steps.
Enable HTTPS and TLS
Work with your security team.
Use a load balancer or proxy to terminate HTTPS, if possible.
Use a globally trusted TLS certificate.
Start with a password file to get up and running.
Then configure your preferred authentication provider, such as LDAP.
Avoid the complexity of Kerberos for client authentication, if possible.
Enable authorization and access control
Start with file-based rules.
Then configure another access control method as required.
Configure one step at a time. Always restart the Presto cluster after each change and verify the results before proceeding.
Securing client access to the cluster
Presto clients include the Presto CLI, the Web UI, the JDBC driver, and community-provided clients, such as Python or Go clients, and any applications using these tools.
Starburst Enterprise Presto (SEP) includes support for the additional clients shown in Clients.
All access to the Presto cluster is managed by the coordinator. Thus, securing access to the cluster means securing access to the coordinator.
There are three aspects to consider:
Encryption: protecting the integrity of client to server communication in transit.
Authentication: identifying users.
Authorization and access control: validating each user’s access rights.
The Presto server uses the standard HTTPS protocol and TLS encryption, formerly known as SSL.
Presto supports several authentication providers. When setting up a new cluster, start with simple password file authentication before configuring another provider.
SEP also supports Okta authentication.
User name management
Presto provides ways to map the user and group names from authentication providers to Presto user names.
User mapping applies to all authentication systems, and allows for JSON files to specify rules to map complex user names from some systems (email@example.com) to simple user names (
File-based group provider provides a way to assign a set of user names to a group name to ease access control.
SEP also supports:
LDAP group provider provides a way to map user names to groups using LDAP configuration.
Authorization and access control
Presto’s default method of access control allows all operations for all authenticated users.
To implement access control, use:
File-based system access control, where you configure JSON files that specify fine-grained user access restrictions at the catalog, schema, or table level.
In addition, Presto provides an API that allows you to create a custom access control method, or to extend an existing one.
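The following added example (not part of the Presto documentation or code base) evaluates the catalog rules of a file-based access control JSON file offline, so that the intended access can be checked against the rules before each restart. It assumes the catalog-rule semantics of file-based system access control: rules are read top to bottom, the first matching rule decides, regular expressions must match the whole name, and a request that matches no rule is denied. The rules, user names, and function names are constructed for illustration.

```python
import json
import re

# Constructed sample rules file; user and catalog names are hypothetical.
RULES_JSON = """
{
  "catalogs": [
    {"user": "admin",  "catalog": "(hive|system)", "allow": "all"},
    {"user": "etl_.*", "catalog": "hive",          "allow": "all"},
    {"catalog": "hive",   "allow": "read-only"},
    {"catalog": "system", "allow": "none"}
  ]
}
"""
RULES = json.loads(RULES_JSON)

def catalog_access(rules, user, catalog):
    """Return 'all', 'read-only' or 'none' for (user, catalog).

    Assumed semantics: first matching rule wins, omitted regexes default
    to '.*', regexes match the whole name, no matching rule means 'none'.
    """
    for rule in rules.get("catalogs", []):
        if (re.fullmatch(rule.get("user", ".*"), user)
                and re.fullmatch(rule.get("catalog", ".*"), catalog)):
            return rule.get("allow", "none")
    return "none"

def audit(rules, expectations):
    """Return (user, catalog, expected, actual) for every mismatch."""
    results = [(u, c, want, catalog_access(rules, u, c)) for u, c, want in expectations]
    return [r for r in results if r[2] != r[3]]

# The intended access, written down before the rules file is deployed.
EXPECTED = [
    ("admin", "system", "all"),
    ("etl_nightly", "hive", "all"),
    ("alice", "hive", "read-only"),
    ("alice", "system", "none"),
    ("alice", "postgresql", "none"),         # no rule matches: denied
    ("administrator", "hive", "read-only"),  # 'admin' must match the whole name
]

if __name__ == "__main__":
    for mismatch in audit(RULES, EXPECTED):
        print("MISMATCH user=%s catalog=%s expected=%s actual=%s" % mismatch)
```

Because the first match decides, moving the generic `hive` read-only rule above the `etl_.*` rule silently downgrades the ETL accounts, which `audit` reports as a mismatch.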
SEP includes a number of additional authorization methods that provide a greater level of access control. The SEP connectors overview includes information on which connectors support each feature.
User impersonation, where you can configure a single service user account with actual access to data sources, yet still have authenticated user accounts access the same data sources with their own credentials.
Password credential passthrough, where the user credentials and access rights specified by an authentication provider such as LDAP are passed transparently to data sources.
Kerberos credential passthrough, where Kerberos-defined user credentials are passed through to data sources.
Securing inside the cluster
You can secure the internal communication between the coordinator and workers inside the cluster.
Secrets in properties files, such as passwords in catalog files, can be secured with secrets management.
Securing cluster access to data sources
Communication between the Presto cluster and data sources is configured for each catalog. Each catalog uses a connector, which supports a variety of security-related configurations. More information is available with the documentation for individual connectors.
Secrets management can be used for the catalog properties files content.
The list of connector features on the connectors overview provides more details.
SEP provides two security auditing features: