2.10 - Presto Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

prodname
Teradata QueryGrid
vrm_release
2.10
created_date
September 2019
category
Administration
Configuration
Installation
User Guide
featnum
B035-5991-099K

LDAP

A Presto target connector can be configured to use LDAP authentication.

For more information about setting up the Presto LDAP configuration, see Teradata Presto Documentation available from https://www.info.teradata.com: Teradata for Hadoop > Teradata Distribution of Presto > Teradata Distribution of Presto.

Currently, QueryGrid only supports simple LDAP authentication mechanism involving username and password. The Presto target connector sends a username and password to the internal coordinator code, and it validates these credentials using an external LDAP service. Both Active Directory and Open LDAP are supported. Presto requires Secure LDAP (LDAPS), so make sure you have TLS enabled on your LDAP server. Presto documentation on how to configure Presto to enable LDAP authentication over HTTPs can be found at https://teradata.github.io/presto/docs/current/security/ldap.html.

The following property settings are required for Presto target connectors using the LDAP security model.
Setting Description
Port Set to the HTTPS server port, or to the value of the http-server.https.port value in the presto config.properties file.
Authentication Mechanism Set to LDAP.
Username Set to the LDAP user name.
Password Set to the LDAP user password.
SSL Trust or Key Store Path Set to the Java trust store or Key Store absolute path.
SSL Trust or Key Store Password Set to the password for the Java trust store or Key Store file you entered into the SSL Trust or Key Store Path property.

For more information, see Presto Connector and Link Properties.

Kerberos

You can set up QueryGrid to use Kerberos authentication with the Presto target connector; it uses two forms of authentication with Kerberos:

Username/Password
The Presto target connector authenticates the username and password against Kerberos before sending the query to the data source.
Kerberos Keytab
Presto can be configured to enable Kerberos Keytab authentication.