CLI Kerberos authentication#

The Trino Command line interface can connect to a Trino cluster that has Kerberos authentication enabled.

Environment configuration#

Kerberos services#

You will need a Kerberos KDC running on a node that the client can reach over the network. The KDC is responsible for authenticating principals and issuing session keys that can be used with Kerberos-enabled services. KDCs typically run on port 88, which is the IANA-assigned port for Kerberos.

MIT Kerberos configuration#

Kerberos needs to be configured on the client. At a minimum, there needs to be a kdc entry in the [realms] section of the /etc/krb5.conf file. You may also want to include an admin_server entry and ensure that the client can reach the Kerberos admin server on port 749.

[realms]
  TRINO.EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .trino.example.com = TRINO.EXAMPLE.COM
  trino.example.com = TRINO.EXAMPLE.COM

The complete documentation for krb5.conf is hosted by the MIT Kerberos Project. If you are using a different implementation of the Kerberos protocol, you will need to adapt the configuration to your environment.

Kerberos principals and keytab files#

Each user, who connects to the Trino coordinator, needs a Kerberos principal. You need to create these users in Kerberos using kadmin.

Additionally, each user needs a keytab file. The keytab file can be created using kadmin after you create the principal.

kadmin
> addprinc -randkey someuser@EXAMPLE.COM
> ktadd -k /home/someuser/someuser.keytab someuser@EXAMPLE.COM

Note

Running ktadd randomizes the principal’s keys. If you have just created the principal, this does not matter. If the principal already exists, and if existing users or services rely on being able to authenticate using a password or a keytab, use the -norandkey option to ktadd.

Configuration for TLS#

When using Kerberos authentication, access to the Trino coordinator must be through HTTPS. If you have not yet configured HTTPS/TLS for your coordinator, refer to HTTPS and TLS.

Trino CLI execution#

In addition to the options that are required when connecting to a Trino coordinator, that does not require Kerberos authentication, invoking the CLI with Kerberos support enabled requires a number of additional command line options. The simplest way to invoke the CLI is with a wrapper script.

#!/bin/bash

./trino \
  --server https://trino-coordinator.example.com:7778 \
  --krb5-config-path /etc/krb5.conf \
  --krb5-principal someuser@EXAMPLE.COM \
  --krb5-keytab-path /home/someuser/someuser.keytab \
  --krb5-remote-service-name trino \
  --keystore-path /tmp/trino.jks \
  --keystore-password password \
  --catalog <catalog> \
  --schema <schema>

Option	Description
`--server`	The address and port of the Trino coordinator. The port must be set to the port the Trino coordinator is listening for HTTPS connections on.
`--krb5-config-path`	Kerberos configuration file.
`--krb5-principal`	The principal to use when authenticating to the coordinator.
`--krb5-keytab-path`	The location of the keytab that can be used to authenticate the principal specified by `--krb5-principal`
`--krb5-remote-service-name`	Trino coordinator Kerberos service name.
`--keystore-path`	The location of the Java Keystore file that is used to secure TLS.
`--keystore-password`	The password for the keystore. This must match the password you specified when creating the keystore.

Troubleshooting#

Many of the same steps, that can be used when troubleshooting the Trino coordinator, apply to troubleshooting the CLI.

Additional Kerberos debugging information#

You can enable additional Kerberos debugging information for the Trino CLI process by passing -Dsun.security.krb5.debug=true as a JVM argument, when starting the CLI process. Doing so requires invoking the CLI JAR via java instead of running the self-executable JAR directly. The self-executable jar file cannot pass the option to the JVM.

#!/bin/bash

java \
  -Dsun.security.krb5.debug=true \
  -jar trino-cli-*-executable.jar \
  --server https://trino-coordinator.example.com:7778 \
  --krb5-config-path /etc/krb5.conf \
  --krb5-principal someuser@EXAMPLE.COM \
  --krb5-keytab-path /home/someuser/someuser.keytab \
  --krb5-remote-service-name trino \
  --keystore-path /tmp/trino.jks \
  --keystore-password password \
  --catalog <catalog> \
  --schema <schema>

The additional resources listed in the documentation for setting up Kerberos authentication for the Trino coordinator may be of help when interpreting the Kerberos debugging messages.