LDAP and Okta
A Presto target connector can be configured to use LDAP or Okta authentication.
Currently, QueryGrid supports simple LDAP or Okta authentication using a username and password. The Presto target connector sends a username and password to the Presto coordinator and validates these credentials using an external LDAP or Okta service. Both Active Directory and Open LDAP are supported. Presto requires Secure LDAP (LDAPS), so make sure you have TLS enabled on your LDAP server. HTTPS must be configured for LDAP, Okta, or Kerberos.
Setting | Description |
---|---|
Port | Set to the HTTPS server port, or to the value of the http-server.https.port value in the presto config.properties file. |
Authentication Mechanism | Set to LDAP or Okta. |
Username | Set to the LDAP or Okta user name. |
Password | Set to the LDAP or Okta user password. |
SSL Trust or Key Store Path | Set to the Java trust store or Key Store absolute path. |
SSL Trust or Key Store Password | Set to the password for the Java trust store or Key Store file you entered into the SSL Trust or Key Store Path property. |
For more information, see Presto Connector and Link Properties.
Kerberos
Setting | Description |
---|---|
Kerberos Keytab | Keytab authentication must be used when using Kerberos with Presto. |
Kerberos Authentication Setup
When using Kerberos authentication, a principal can be authenticated using a username and a Keytab file. Presto Kerberos setup instructions can be found at https://docs.starburst.io/latest/security/kerberos.html . The driver node on the remote server establishes Kerberos authentication; the Presto connector is configured with the location of the needed file.
Setting | Description |
---|---|
Port | Set to the HTTPS server port, or to the value of the http-server.https.port value in the presto config.properties file. |
Authentication Mechanism | Set to Kerberos. |
Username | Set to the Kerberos principal name. |
Realm | Set to the Kerberos realm if the Kerberos principal in the username property does not already contain the realm. |
Kerberos Service Name | Must match the http-server.authentication.krb5.service-name set in the Presto coordinator config.properties file. |
Keytab | Set to absolute path of Keytab file. |
SSL Trust or Key Store Path | Set to the Java trust store or Key Store absolute path. |
SSL Trust or Key Store Password | Set to the password for the Java trust store or Key Store file you entered into the SSL Trust or Key Store Path property. |
Do not use or set Authorization Objects or the Password connector property when using Kerberos with Presto. HTTPS must be configured for Kerberos or LDAP enabled Presto clusters. For more information, see https://docs.starburstdata.com/latest/security/tls.html.
Kerberos Maintenance
You must update the configuration of QueryGrid if the name or location of the default Kerberos realm or the location of the host for your KDC (Key Distribution Center) or administration server changes.
Ranger
QueryGrid is compatible with Ranger on any Presto distribution where Ranger is supported by the vendor.