Kerberos credential pass-through
A number of connectors support credential pass-through. With this feature configured, every user is required to supply their own credentials to Trino. These credentials are then used to connect to the underlying data source. As a result, any data access via Trino is subject to the data access restrictions and permissions of the supplied user.
Coordinator and worker configuration
The credential pass-through relies on the usage of Kerberos for authentication. The user information in Kerberos is used for the data access permissions in the connected data sources.
Kerberos usage requires HTTPS, and therefore also requires secure internal communication with a shared secret and FQDN as internal address source.
To use credential pass-through, configure the Trino coordinator and workers in

    internal-communication.shared-secret=yourSecret
    node.internal-address-source=FQDN
    http-server.authentication.type=DELEGATED-KERBEROS
    http-server.authentication.krb5.service-name=exampleServiceName
    http.authentication.krb5.config=/etc/krb5.conf
Optionally, you can configure more details for Kerberos usage with the following properties:
In addition, Kerberos needs to be configured to allow forwarding on the Trino coordinator and worker as well as on the client workstation, e.g. in the

    [libdefaults]
    forwardable = true
In order for Kerberos user names to be correctly mapped and translated through Trino to the catalogs, you need to configure the correct user mapping.
As a last step, the authentication type in the catalog properties file needs to be set to KERBEROS_PASS_THROUGH to enable credential pass-through. If the certificate used for HTTPS is not signed by a certificate authority known to the JVM, the path to the trust store file has to be specified in the catalog file using property
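As an added check, not part of the Trino documentation or code base, the following script parses the coordinator and worker properties listed above plus the [libdefaults] section of a krb5.conf and reports which credential pass-through prerequisites are missing. The function names and the sample inputs are constructed for this example; it only understands the flat [libdefaults] layout, not the nested [realms] syntax of a full krb5.conf.

```python
"""Check coordinator/worker properties and krb5.conf [libdefaults] for the
Kerberos credential pass-through prerequisites described on this page."""
import configparser

# Constructed sample inputs for this example, not taken from a real deployment.
TRINO_CONFIG = """\
internal-communication.shared-secret=yourSecret
node.internal-address-source=FQDN
http-server.authentication.type=DELEGATED-KERBEROS
http-server.authentication.krb5.service-name=exampleServiceName
http.authentication.krb5.config=/etc/krb5.conf
"""
KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  forwardable = true
"""

def parse_properties(text):
    """Parse Java-style key=value properties, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_trino_config(text):
    """Return the list of unmet prerequisites; an empty list means all are met."""
    props = parse_properties(text)
    problems = []
    if not props.get("internal-communication.shared-secret"):
        problems.append("internal-communication.shared-secret is not set")
    if props.get("node.internal-address-source") != "FQDN":
        problems.append("node.internal-address-source must be FQDN")
    if props.get("http-server.authentication.type") != "DELEGATED-KERBEROS":
        problems.append("http-server.authentication.type must be DELEGATED-KERBEROS")
    if not props.get("http-server.authentication.krb5.service-name"):
        problems.append("http-server.authentication.krb5.service-name is not set")
    if not props.get("http.authentication.krb5.config"):
        problems.append("http.authentication.krb5.config is not set")
    return problems

def check_krb5_forwardable(text):
    """True when [libdefaults] has forwardable = true, so tickets can be delegated."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg.getboolean("libdefaults", "forwardable", fallback=False)

if __name__ == "__main__":
    print(check_trino_config(TRINO_CONFIG) or "coordinator/worker properties ok")
    print("forwardable ok" if check_krb5_forwardable(KRB5_CONF) else "forwardable missing")
```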
More information about this setting and the necessary Kerberos configuration can be found with the documentation for the connectors.