Configuring Kerberos Authentication

You can configure the connector to use the Kerberos protocol to authenticate the connection. You can set the connection properties in a connection string or in a DSN (in the odbc.ini file). Settings in the connection string take precedence over settings in the DSN.

Kerberos must be installed and configured before you can use this authentication mechanism. For information about how to install and configure Kerberos, see the MIT Kerberos Documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

When you configure your Kerberos server, in the /etc/presto/config.properties file, set the following properties:

  • http.server.authentication.krb5.service-name=HTTP
  • http.server.authentication.krb5.keytab=HTTP.keytab

When you use Kerberos authentication, the connector loads the credentials from the Kerberos credential cache. Therefore, a Kerberos ticket must be generated before you run the connector. To generate a Kerberos ticket, run the kinit Kerberos command with the appropriate principal.

Additionally, when using Kerberos authentication:

  • The connector sends the Kerberos default user principal name as the user name.
  • When the Kerberos ticket is generated, the default user principal name is retrieved from the Kerberos credential cache.
  • Alternatively, to send a user name manually, pass it in the UID connection parameter in the connection string.

    Note: If Kerberos authentication is enabled, then SSL is automatically enabled.

To configure the connector to use Kerberos authentication:

  1. Run the kinit command, using the following syntax, where [Principal] is the Kerberos user principal to use for authentication:

    kinit -k [Principal]

  2. In your odbc.ini configuration file or connection string, set the AuthenticationType property to Kerberos Authentication.
  3. Optionally, to generate a ticket using a Kerberos user name and password:
    1. Set the UseExistingKrbCreds property to 1 to use the existing Kerberos credentials, or to 0 to generate new credentials.
    2. Set the KinitType property to Kinit with Password.
    3. Optionally, to forward the generated Kerberos credentials, set the DelegateKrbCreds property to 1.
    4. Set the KerberosUsername property to your Kerberos user name.
    5. Set the KerberosPassword property to your Kerberos password.
  4. Optionally, to generate a ticket using a Kerberos user name and a keytab file:
    1. Set the UseExistingKrbCreds property to 1 to use the existing Kerberos credentials, or to 0 to generate new credentials.
    2. Set the KinitType property to Kinit with Keytab.
    3. Optionally, to forward the generated Kerberos credentials, set the DelegateKrbCreds property to 1.
    4. Set the KerberosUsername property to your Kerberos user name.
    5. Set the KerberosKeytab property to the full path of the keytab file.
  5. Optionally, to use a service name other than the default of HTTP, set the KrbServiceName property to the service name of the Presto server.
  6. Configure the SSL settings as described in Configuring SSL Verification.

You can now use the connector to authenticate through Kerberos and connect to your Presto server.
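
An added example, not part of the connector's documentation: a POSIX shell check that reads one DSN from an odbc.ini file and flags the Kerberos settings from the steps above that deserve review (a password stored in the file, forwarded credentials, a keytab accessible to group or others). The DSN name PrestoKrb, the user svc_report, the file paths and the function names are constructed for the example.

```shell
#!/bin/sh
# dsn_get FILE DSN KEY: print KEY's value inside [DSN] (empty if absent).
dsn_get() {
    awk -v dsn="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); insec = ($0 == dsn); next }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# audit_dsn FILE DSN: print one finding per line; no output means no findings.
audit_dsn() {
    ini=$1; dsn=$2
    if [ "$(dsn_get "$ini" "$dsn" AuthenticationType)" != "Kerberos Authentication" ]; then
        echo "INFO: [$dsn] does not use Kerberos Authentication"; return 0
    fi
    # odbc.ini is plain text: a password there is exposed to every reader of the file.
    if [ -n "$(dsn_get "$ini" "$dsn" KerberosPassword)" ]; then
        echo "WARN: KerberosPassword is stored in $ini"
    fi
    # Forwarded credentials let the server act as the user toward other services.
    if [ "$(dsn_get "$ini" "$dsn" DelegateKrbCreds)" = "1" ]; then
        echo "WARN: DelegateKrbCreds=1 forwards the credentials"
    fi
    keytab=$(dsn_get "$ini" "$dsn" KerberosKeytab)
    if [ -n "$keytab" ] && [ ! -f "$keytab" ]; then
        echo "FAIL: keytab $keytab not found"
    elif [ -n "$keytab" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        case $(ls -ld "$keytab" | cut -c5-10) in
            ------) ;;
            *) echo "FAIL: keytab $keytab is accessible to group or others" ;;
        esac
    fi
}

# Constructed sample: a DSN named PrestoKrb and an empty stand-in keytab file.
demo_audit() {
    d=$(mktemp -d) && : > "$d/presto.keytab" && chmod "${1:-644}" "$d/presto.keytab"
    printf '%s\n' '[PrestoKrb]' 'AuthenticationType=Kerberos Authentication' \
        'UseExistingKrbCreds=0' 'KinitType=Kinit with Keytab' 'DelegateKrbCreds=1' \
        'KerberosUsername=svc_report' "KerberosKeytab=$d/presto.keytab" > "$d/odbc.ini"
    audit_dsn "$d/odbc.ini" PrestoKrb
    rm -rf "$d"
}
demo_audit 644
```

Run against a real file with `audit_dsn /path/to/odbc.ini DSNName`; settings passed only in a connection string are not covered by this check.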