Security Guidelines | Presto Target Connector | QueryGrid - Presto Target Connector Security Guidelines - Teradata QueryGrid

QueryGridâ„¢ Installation and User Guide - 3.06

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
Lake
VMware
Product
Teradata QueryGrid
Release Number
3.06
Published
December 2024
ft:locale
en-US
ft:lastEdition
2024-12-07
dita:mapPath
ndp1726122159943.ditamap
dita:ditavalPath
ft:empty
dita:id
lxg1591800469257
Product Category
Analytical Ecosystem

LDAP and Okta

A Presto target connector can be configured to use LDAP or Okta authentication.

Currently, QueryGrid supports simple LDAP or Okta authentication using a username and password. The Presto target connector sends a username and password to the Presto coordinator and validates these credentials using an external LDAP or Okta service. Both Active Directory and Open LDAP are supported. Presto requires Secure LDAP (LDAPS), so make sure you have TLS enabled on your LDAP server. HTTPS must be configured for LDAP, Okta, or Kerberos.

The following property settings are required for Presto target connectors using the LDAP or Okta security model.
Setting Description
Port Set to the HTTPS server port, or to the value of the http-server.https.port value in the presto config.properties file.
Authentication Mechanism Set to LDAP or Okta.
Username Set to the LDAP or Okta user name.
Password Set to the LDAP or Okta user password.
SSL Trust or Key Store Path Set to the Java trust store or Key Store absolute path.
SSL Trust or Key Store Password Set to the password for the Java trust store or Key Store file you entered into the SSL Trust or Key Store Path property.

For more information, see Presto Connector and Link Properties.

Kerberos

You can set up QueryGrid to use Kerberos authentication with the Presto target connector.
Setting Description
Kerberos Keytab Keytab authentication must be used when using Kerberos with Presto.

Kerberos Authentication Setup

When using Kerberos authentication, a principal can be authenticated using a username and a Keytab file. Presto Kerberos setup instructions can be found at https://docs.starburst.io/latest/security/kerberos.html . The driver node on the remote server establishes Kerberos authentication; the Presto connector is configured with the location of the needed file.

The following property settings are required for Presto target connectors using the Kerberos security model.
Setting Description
Port Set to the HTTPS server port, or to the value of the http-server.https.port value in the presto config.properties file.
Authentication Mechanism Set to Kerberos.
Username Set to the Kerberos principal name.
Realm Set to the Kerberos realm if the Kerberos principal in the username property does not already contain the realm.
Kerberos Service Name Must match the http-server.authentication.krb5.service-name set in the Presto coordinator config.properties file.
Keytab Set to absolute path of Keytab file.
SSL Trust or Key Store Path Set to the Java trust store or Key Store absolute path.
SSL Trust or Key Store Password Set to the password for the Java trust store or Key Store file you entered into the SSL Trust or Key Store Path property.

Do not use or set Authorization Objects or the Password connector property when using Kerberos with Presto. HTTPS must be configured for Kerberos or LDAP enabled Presto clusters. For more information, see https://docs.starburstdata.com/latest/security/tls.html.

Kerberos Maintenance

You must update the configuration of QueryGrid if the name or location of the default Kerberos realm or the location of the host for your KDC (Key Distribution Center) or administration server changes.

Ranger

QueryGrid is compatible with Ranger on any Presto distribution where Ranger is supported by the vendor.