Authenticating Direct Connections to Engines

QDS users can directly connect to query engines that are external to QDS.

Authenticating Direct Connections to Presto

Apart from the existing authentication schemes, Presto supports file-based authentication.

Important

File-based authentication is only available in Presto 0.180 and later versions. Currently, it does not work when SSL is used for inter-node communication within the cluster. For more information, see Points to Remember on the File-based Authentication.

You can enable file-based authentication by adding the following configuration as a Presto override in the cluster configuration.

config.properties:
http-server.authentication.type=FILE
authentication.filebased.config-file=etc/authentication

authentication:
admin:$apr1$EnUyEvmk$SWUlSWtcdTIsgLihPNW09.
user1:{SHA}bWdU2ejuS1lWa0mv11TR2YAoOzs=
user2:EY8ULaXsqebTI
user3:$2a$05$/.QHkz9ytxOWwvcE5zMt7O0fabySUNcdKMqVmJpqTOGIRdFfjlSey

Adding this override configures Presto to use etc/authentication as the input for username:password pairs. The content of this file is defined in the authentication: section shown above.

Note

Ensure that the content of etc/authentication is in valid JSON format; otherwise, the Presto server fails to start.

These username:password pairs are used to authenticate users who access Presto directly (that is, from outside QDS). The file-based authentication feature has been enhanced to accept only hashed passwords. Earlier, plain passwords were accepted and stored as-is on the cluster, which posed a security threat. MD5, SHA1, Unix Crypt, and BCrypt hashed passwords are supported. Qubole recommends using MD5 or BCrypt, as SHA1 and Unix Crypt are less secure. The feature accepts the input file as a collection of username:password lines.
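As an added example (not part of the Qubole documentation or the Presto project), the following script audits an etc/authentication file before it is pushed to a cluster: it parses the username:password lines, classifies each password field as one of the four supported hash types, flags anything that is not a recognised hash (a plaintext password would make Presto reject the file) and warns about the SHA1 and Unix Crypt entries the text rates less secure. The hash shapes are taken from the htpasswd conventions that the sample entries above follow; that Presto expects exactly these encodings is an assumption.

```python
import re

# Hash shapes for the four types the page lists (MD5/APR1, SHA1, Unix crypt,
# bcrypt). Patterns follow htpasswd conventions; assumed to match Presto's parser.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),  # any 13-char token matches
]
WEAK = {"sha1", "crypt"}  # the page recommends MD5 or bcrypt over these


def classify(password_field):
    """Return the hash scheme name, or None for an unrecognised/plaintext value."""
    for name, pattern in SCHEMES:
        if pattern.match(password_field):
            return name
    return None


def audit_auth_file(text):
    """Parse username:password lines; return (users -> scheme, list of problems)."""
    users, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, password = line.partition(":")
        if not sep or not user:
            problems.append(f"line {lineno}: expected username:password")
            continue
        scheme = classify(password)
        if scheme is None:
            problems.append(f"line {lineno}: {user!r} password is not a supported hash (plaintext?)")
        elif scheme in WEAK:
            problems.append(f"line {lineno}: {user!r} uses {scheme}, rated less secure")
        users[user] = scheme
    return users, problems


# Constructed sample: the page's four entries plus one plaintext line.
SAMPLE = """\
admin:$apr1$EnUyEvmk$SWUlSWtcdTIsgLihPNW09.
user1:{SHA}bWdU2ejuS1lWa0mv11TR2YAoOzs=
user2:EY8ULaXsqebTI
user3:$2a$05$/.QHkz9ytxOWwvcE5zMt7O0fabySUNcdKMqVmJpqTOGIRdFfjlSey
user4:hunter2
"""
```

Because a Unix crypt hash is just 13 characters from the crypt alphabet, a 13-character plaintext password is indistinguishable from one; treat a crypt classification as a prompt to verify, not as proof the value is hashed.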

In direct connections, you must provide the correct username and password and use https://MASTER_HOST_NAME:8443 as the URL. You cannot change the port; it must always be 8443 for an SSL connection.

To authenticate direct connections to the Presto server where the username is stored in the source name header, use these configurations:

  • http-server.authentication.post.source-has-username: <true/false>. When it is enabled, the source name is used as the username for authentication and only POST API calls (submitted queries) are authenticated.

  • http-server.authentication.source-has-username: <true/false>. When it is enabled, the source name is used as the username for authentication and all API calls to the Presto server are authenticated.

    Warning

    Enable http-server.authentication.source-has-username only if you have a custom Presto client: the standard Presto clients populate the source field only in the POST request and not in other requests, which causes query failures.

If you are using open-source JDBC drivers, you must also enable SSL in addition to these configurations, as described in the Presto JDBC topic.

Points to Remember on the File-based Authentication

The following conditions apply to basic authentication for direct connections in Presto:

  • You must use the Qubole Presto Ruby client for uninterrupted access to clusters through QDS after enabling this feature. This feature does not support the old QDS Java client.
  • You must use an encrypted channel when submitting the password, and you must have SSL enabled on the master node by creating a ticket with Qubole Support.