Using a Kerberos Credentials Cache

By default, when you use Kerberos authentication, the connector loads the credentials from the Kerberos credential cache.

  • On Windows, if the Windows machine has been joined to the appropriate Active Directory domain and the domain user has been granted access to the Trino service, then when you log in to the Windows machine it automatically caches your Kerberos credentials.
  • Otherwise, a Kerberos ticket must be generated before you run the connector. To generate a Kerberos ticket, run the kinit Kerberos command with the appropriate principal.

For instructions on configuring Kerberos authentication by specifying your Kerberos credentials, see Using a JAAS Login Configuration File or Using Kerberos Credentials in a Connection URL.

To configure Kerberos authentication using a Kerberos Credentials Cache:

  1. Run the kinit command using the following syntax, where [Keytab] is the Kerberos credential and [Principal] is the Kerberos user principal to use for authentication:

    2. kinit -kt [Keytab][Principal]

  2. Connect to the Trino server using a connection URL written in the following format:

    3. jdbc:trino://[Host]:[Port];AuthenticationType=Kerberos Authentication;SSLTrustStorePath=[TrustStoreFilePath];SSLTrustStorePwd=[TrustStorePassword]

    The variables are defined as follows:

    • [Host] is the DNS or IP address of the server.
    • [Port] is the number of the TCP port to connect to.
    • [TrustStoreFilePath] is the full path and file name of the Java TrustStore containing the SSL certificates to use during authentication.
    • [TrustStorePassword] is the password for accessing the defined Java Truststore.

    For example:

    jdbc:trino://trino-demo-cdh:7778;AuthenticationType=Kerberos Authentication; SSLTrustStorePath=C:\\Program Files\\Java\\jre1.8.0_92\\lib\\security\\cacerts;SSLTrustStorePwd=changeit

For more information about connection URL syntax, see Building the Connection URL.