Connecting to an SSL-enabled Presto Server without using Qubole

To connect to an SSL-enabled Presto server without using Qubole, perform these steps:

Warning

No query history is saved, and Qubole Support might not always address issues that you face when you connect to a Presto server externally.

  1. Allow inbound traffic on port 8443 of the cluster master from the node on which you want to run the client.

  2. Create a file called ca.cer containing the below public CA certificate.

  3. Add ca.cer to the Java keystore by using the following command.

    keytool -noprompt -import -alias QuboleCA -file ca.cer -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit

  4. Use the following sample command to run queries (be sure to use https://).

    Note

    The CLI works with Java version 8 or later.

    <Path/location of presto-cli-executable-*.jar> --server https://<HOST>:8443 --catalog hive --schema default
    

Connecting through Presto REST API Endpoints

Presto on Qubole authenticates Presto REST API endpoints when SSL is enabled. In Presto version 0.208, the inter-node communication between the coordinator and worker nodes is authenticated only when SSL is enabled. In Presto version 317, the communication between the coordinator and worker nodes is authenticated even when SSL is disabled. So, to submit a REST API call to the Presto coordinator, authenticate it using this syntax:

    curl --cacert <CA Certificate path> --user <username>:<password> https://<coordinator_address>:8443/<path>

Where:

  • <CA Certificate path> is the CA certificate path.
  • <username>:<password> are the login credentials of the authentication type that you use.
  • <coordinator_address> is the IP address of the Presto coordinator node.
  • <path> is the Presto REST API endpoint. For example, v1/node.

For example, if you have enabled LDAP authentication with qubole as the username and abc-password as the password, the sample REST API call to the v1/node endpoint is:

    curl --cacert <CA Certificate path> --user qubole:abc-password https://<coordinator_address>:8443/v1/node
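
The same authenticated call as a small Python client, added here as an illustration (not Qubole's code): it trusts only the CA file passed in, as curl's --cacert does, and refuses any base URL that is not https://, so the Basic credentials are never sent in cleartext. The function names, the constructed address 10.0.0.5 and the JSON handling of the response are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def build_tls_context(ca_path):
    """Trust only the CA in ca_path (what curl --cacert does), not the system store."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_path)  # raises OSError if the file is missing
    return ctx


def build_request(base_url, path, username, password):
    """Build the authenticated request; refuse anything that is not https://."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base URL must be https://<coordinator_address>:8443")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{path.lstrip('/')}")
    req.add_header("Authorization", f"Basic {token}")  # same header as curl --user
    return req


def call_presto(base_url, path, username, password, ca_path, timeout=10):
    """Call a REST endpoint such as v1/node and return the decoded JSON body."""
    req = build_request(base_url, path, username, password)
    ctx = build_tls_context(ca_path)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))  # assumes a JSON response


if __name__ == "__main__":
    # Constructed sample values: 10.0.0.5 stands in for <coordinator_address>.
    nodes = call_presto("https://10.0.0.5:8443", "v1/node",
                        "qubole", "abc-password", "ca.cer")
    print(json.dumps(nodes, indent=2))
```

A certificate that does not chain to the CA file, or that does not match the address in the URL, makes the call fail with ssl.SSLCertVerificationError before any credentials are sent.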