Connecting to an SSL-enabled Presto Server without using Qubole
To connect to an SSL-enabled Presto server without using Qubole, perform these steps:
Warning
No query history is saved, and Qubole Support might not always address issues that you face when you connect to a Presto server externally.
Allow inbound traffic on port 8443 of the cluster master from the node on which you want to run the client.
Create a file called ca.cer containing the public CA certificate (the PEM block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).
Add ca.cer to the Java keystore by using the below command.
keytool -noprompt -import -alias QuboleCA -file ca.cer -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit
Use the following sample command to run queries (make sure to use https://).
Note
The CLI works with Java version 8 or later.
<Path/location of presto-cli-executable-*.jar> --server https://<HOST>:8443 --catalog hive --schema default
Connecting through Presto REST API Endpoints
Presto on Qubole authenticates Presto REST API endpoints when SSL is enabled. In Presto version 0.208, the inter-node communication between the coordinator and worker nodes is authenticated only when SSL is enabled; in Presto version 317, it is authenticated even when SSL is disabled. To submit a REST API call to the Presto coordinator, authenticate it using this syntax:
curl --cacert <CA Certificate path> --user <username>:<password> https://<coordinator_address>:8443/<path>
Where:
<CA Certificate path> is the CA certificate path.
<username>:<password> are the login credentials of the authentication type that you use.
<coordinator_address> is the IP address of the Presto coordinator node.
<path> is the Presto REST API endpoint. For example, v1/node.
For example, if you have enabled LDAP authentication with qubole as the username and abc-password as the password, the sample REST API call to the v1/node endpoint is:
curl --cacert <CA Certificate path> --user qubole:abc-password https://<coordinator_address>:8443/v1/node
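The curl syntax above puts the password on the command line, where it can be exposed through shell history and the process list. The following wrapper is an added example, not Qubole's own tooling: it passes the same options to curl through a config read from stdin, trusts only the given CA file, and restricts the protocol to HTTPS. The function names and the PRESTO_USER / PRESTO_PASSWORD environment variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Qubole tooling). PRESTO_USER and PRESTO_PASSWORD are
# assumed environment variable names; the function names are hypothetical.

# Build https://<coordinator_address>:8443/<path>. Rejecting ':', '/' and '@'
# in the address stops a caller from smuggling in a scheme, port or userinfo.
presto_url() {
  local host="$1" path="${2#/}"
  case "$host" in
    ""|*[!A-Za-z0-9.-]*) echo "invalid coordinator address" >&2; return 1 ;;
  esac
  case "$path" in
    ""|*[!A-Za-z0-9/_.-]*|*..*) echo "invalid endpoint path" >&2; return 1 ;;
  esac
  printf 'https://%s:8443/%s\n' "$host" "$path"
}

# curl config values in double quotes treat \ and " as special: escape them.
cfg_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Print a curl config file. Options read from a config never appear in argv.
presto_curl_config() {
  local cacert="$1" creds="$2:$3" url="$4"
  printf 'cacert = "%s"\n' "$(cfg_escape "$cacert")"  # trust only this CA file
  printf 'user = "%s"\n' "$(cfg_escape "$creds")"
  printf 'proto = "=https"\n'   # refuse any non-HTTPS protocol
  printf 'fail\n'               # non-zero exit on HTTP errors such as 401
  printf 'url = "%s"\n' "$url"
}

# Usage: presto_api <coordinator_address> <path> <CA Certificate path>
presto_api() {
  local url
  url=$(presto_url "$1" "$2") || return 1
  [ -r "$3" ] || { echo "CA certificate not readable: $3" >&2; return 1; }
  if [ -z "${PRESTO_USER:-}" ] || [ -z "${PRESTO_PASSWORD:-}" ]; then
    echo "set PRESTO_USER and PRESTO_PASSWORD" >&2; return 1
  fi
  presto_curl_config "$3" "$PRESTO_USER" "$PRESTO_PASSWORD" "$url" |
    curl --silent --show-error --config -
}
```

With the credentials exported in the environment, `presto_api <coordinator_address> v1/node ca.cer` makes the same request as the sample call above.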