Trino can be configured to enable frontend LDAP authentication overHTTPS for clients, such as the Trino CLI, or the JDBC and ODBCdrivers. At present, only simple LDAP authentication mechanism involvingusername and password is supported. The Trino client sends a usernameand password to the coordinator, and the coordinator validates thesecredentials using an external LDAP service.
To enable LDAP authentication for Trino, configuration changes are made onthe Trino coordinator. No changes are required to the worker configuration;only the communication from the clients to the coordinator is authenticated.However, if you want to secure the communication betweenTrino nodes with SSL/TLS configure Secure internal communication.
Trino server configuration#
Trino coordinator node configuration#
Access to the Trino coordinator should be through HTTPS, configured as describedon HTTPS and TLS.
You also need to make changes to the Trino configuration files.LDAP authentication is configured on the coordinator in two parts.The first part is to enable HTTPS support and password authenticationin the coordinator’s config.properties
file. The second part isto configure LDAP as the password authenticator plugin.
Server config properties#
The following is an example of the required properties that need to be addedto the coordinator’s config.properties
file:
http-server.authentication.type=PASSWORDhttp-server.https.enabled=truehttp-server.https.port=8443http-server.https.keystore.path=/etc/trino/keystore.jkshttp-server.https.keystore.key=keystore_password
Property | Description |
---|---|
| Enable the password authentication typefor the Trino coordinator. Must be set to |
| Enables HTTPS access for the Trino coordinator.Should be set to |
| HTTPS server port. |
| The location of the PEM or Java keystore fileis used to enable TLS. |
| The password for the PEM or Java keystore. Thismust match the password you specified when creatingthe PEM or keystore. |
| Enable treating forwarded HTTPS requests over HTTPas secure. Requires the |
| Regex to match against user. If matched, user will bereplaced with first regex group. If not matched,authentication is denied. Default is |
| File containing rules for mapping user. SeeUser mapping for more information. |
Password authenticator configuration#
Password authentication needs to be configured to use LDAP. Create anetc/password-authenticator.properties
file on the coordinator. Example:
password-authenticator.name=ldapldap.url=ldaps://ldap-server:636ldap.ssl-trust-certificate=/path/to/ldap_server.crtldap.user-bind-pattern=<Refer below for usage>
Property | Description |
---|---|
| The URL to the LDAP server. The URL scheme must be |
| Allow using an LDAP connection that is not secured withTLS. |
| The path to the PEM encoded trust certificate for theLDAP server. This file should contain the LDAPserver’s certificate or its certificate authority. |
| This property can be used to specify the LDAP userbind string for password authentication. This propertymust contain the pattern The property can contain multiple patterns separatedby a colon. Each pattern will be checked in orderuntil a login succeeds or all logins fail. Example: |
| Ignore referrals to other LDAP servers whileperforming search queries. Defaults to |
| LDAP cache duration. Defaults to |
Based on the LDAP server implementation type, the propertyldap.user-bind-pattern
can be used as described below.
Active Directory#
ldap.user-bind-pattern=${USER}@<domain_name_of_the_server>
Example:
ldap.user-bind-pattern=${USER}@corp.example.com
OpenLDAP#
ldap.user-bind-pattern=uid=${USER},<distinguished_name_of_the_user>
Example:
ldap.user-bind-pattern=uid=${USER},OU=America,DC=corp,DC=example,DC=com
Authorization based on LDAP group membership#
You can further restrict the set of users allowed to connect to the Trinocoordinator, based on their group membership, by setting the optionalldap.group-auth-pattern
and ldap.user-base-dn
properties, in additionto the basic LDAP authentication properties.
Property | Description |
---|---|
| The base LDAP distinguished name for the userwho tries to connect to the server.Example: |
| This property is used to specify the LDAP query forthe LDAP group membership authorization. This queryis executed against the LDAP server and ifsuccessful, the user is authorized.This property must contain a pattern |
Based on the LDAP server implementation type, the propertyldap.group-auth-pattern
can be used as described below.
Authorization using Trino LDAP service user#
Trino server can use dedicated LDAP service user for doing user group membership queries.In such case Trino will first issue a group membership query for a Trino user that needsto be authenticated. A user distinguished name will be extracted from a group membershipquery result. Trino will then validate user password by creating LDAP context withuser distinguished name and user password. In order to use this mechanism ldap.bind-dn
,ldap.bind-password
and ldap.group-auth-pattern
properties need to be defined.
Property | Description |
---|---|
| Bind distinguished name used by Trino when issuinggroup membership queries.Example: |
| Bind password used by Trino when issuing groupmembership queries.Example: |
| This property is used to specify the LDAP query forthe LDAP group membership authorization. This querywill be executed against the LDAP server and ifsuccessful, a user distinguished name will beextracted from a query result. Trino will thenvalidate user password by creating LDAP context withuser distinguished name and user password. |
Active Directory#
ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(sAMAccountName=${USER})(memberof=<dn_of_the_authorized_group>))
Example:
ldap.group-auth-pattern=(&(objectClass=person)(sAMAccountName=${USER})(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))
OpenLDAP#
ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(uid=${USER})(memberof=<dn_of_the_authorized_group>))
Example:
ldap.group-auth-pattern=(&(objectClass=inetOrgPerson)(uid=${USER})(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))
For OpenLDAP, for this query to work, make sure you enable thememberOf
overlay.
You can use this property for scenarios where you want to authorize a userbased on complex group authorization search queries. For example, if you want toauthorize a user belonging to any one of multiple groups (in OpenLDAP), thisproperty may be set as follows:
ldap.group-auth-pattern=(&(|(memberOf=CN=normal_group,DC=corp,DC=com)(memberOf=CN=another_group,DC=com))(objectClass=inetOrgPerson)(uid=${USER}))
Trino CLI#
Environment configuration#
TLS configuration#
When using LDAP authentication, access to the Trino coordinator must be throughHTTPS/TLS.
Trino CLI execution#
In addition to the options that are required when connecting to a Trinocoordinator that does not require LDAP authentication, invoking the CLIwith LDAP support enabled requires a number of additional command lineoptions. You can either use --keystore-*
or --truststore-*
propertiesto secure TLS connection. The simplest way to invoke the CLI is with awrapper script.
#!/bin/bash./trino \--server https://trino-coordinator.example.com:8443 \--keystore-path /tmp/trino.jks \--keystore-password password \--truststore-path /tmp/trino_truststore.jks \--truststore-password password \--catalog <catalog> \--schema <schema> \--user <LDAP user> \--password
Option | Description |
---|---|
| The address and port of the Trino coordinator. The port mustbe set to the port the Trino coordinator is listening for HTTPSconnections on. Trino CLI does not support using |
| The location of the Java Keystore file that will be usedto secure TLS. |
| The password for the keystore. This must match thepassword you specified when creating the keystore. |
| The location of the Java truststore file that will be usedto secure TLS. |
| The password for the truststore. This must match thepassword you specified when creating the truststore. |
| The LDAP username. For Active Directory this should be your |
| Prompts for a password for the |
Troubleshooting#
Java keystore file verification#
Verify the password for a keystore file and view its contents usingInspect and validate keystore.
Debug Trino to LDAP server issues#
If you need to debug issues with Trino communicating with the LDAP server,you can change the log level for the LDAP authenticator:
io.trino.plugin.password=DEBUG
TLS debugging for Trino CLI#
If you encounter any TLS related errors when running the Trino CLI, you can runthe CLI using the -Djavax.net.debug=ssl
parameter for debugging. Use theTrino CLI executable JAR to enable this. For example:
java -Djavax.net.debug=ssl \-jar \trino-cli-<version>-executable.jar \--server https://coordinator:8443 \<other_cli_arguments>
Common TLS/SSL errors#
java.security.cert.CertificateException: No subject alternative names present#
This error is seen when the Trino coordinator’s certificate is invalid, and does not have the IP you providein the --server
argument of the CLI. You have to regenerate the coordinator’s TLS certificatewith the appropriate SAN added.
Adding a SAN to this certificate is required in cases where https://
uses IP address in the URL, ratherthan the domain contained in the coordinator’s certificate, and the certificate does not contain theSAN parameter with the matching IP address as an alternative attribute.
Authentication or TLS errors with JDK upgrade#
Starting with the JDK 8u181 release, to improve the robustness of LDAPS(secure LDAP over TLS) connections, endpoint identification algorithms wereenabled by default. See release notesfrom Oracle.The same LDAP server certificate on the Trino coordinator, running on JDKversion >= 8u181, that was previously able to successfully connect to anLDAPS server, may now fail with the following error:
javax.naming.CommunicationException: simple bind failed: ldapserver:636[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ldapserver found.]
If you want to temporarily disable endpoint identification, you can add theproperty -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
to Trino’s jvm.config
file. However, in a production environment, wesuggest fixing the issue by regenerating the LDAP server certificate so thatthe certificate SAN or certificate subjectname matches the LDAP server.