LDAP User Authentication
In LDAP user authentication, the Lightweight Directory Access Protocol (LDAP) server authenticates users so that they can communicate directly with an Engine Server.
Enabling LDAP Authentication in Presto
Enable LDAP in Presto by performing these steps:
Create a ticket with Qubole Support to enable SSL on your cluster’s master node, but only if SSL is not already enabled on that cluster.
Currently, SSL is only supported on Qubole-on-AWS.
You must add LDAP-related configuration in the cluster’s configuration through the Clusters UI or clusters API.
Do not add the LDAP-related configuration through the node bootstrap or the Presto server bootstrap, because the Qubole middleware appends additional configuration when authentication is enabled in the cluster. In particular, the QDS middleware enables the authentication scheme for queries submitted through QDS. If you do not add the LDAP-related configuration in the cluster, you can submit queries only through the direct connection, not through QDS.
Qubole supports open-source LDAP configuration properties for:
Set these LDAP configuration properties as a Presto cluster override (the example below shows configuration properties for Presto 0.193 and earlier versions):
config.properties:
http-server.authentication.type=PASSWORD
password-authenticator.name=ldap
ldap.url=ldaps://ldap-server:636
Do not add the HTTPS-related configuration that is mentioned in the open-source documentation, because Qubole adds it as part of enabling SSL (refer to step 1 above).
If you have enabled SSL on the complete cluster (on all nodes) instead of only enabling it on the master node (refer to step 1), then you must avoid setting the http-server.https.port configuration property. Overriding http-server.https.port is not supported in Presto on QDS.
If you need to communicate with Presto on a port other than port 8443, Qubole recommends creating a forward tunnel from that port to port 8443 on the master node through the node bootstrap.
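The rules above can be checked before an override is saved in the cluster configuration. The following is an added example, not Qubole or Presto code: a small linter for the config.properties override. The function names and sample overrides are constructed for illustration, and the ldaps:// check follows the scheme used in the example on this page.

```python
# Added example: lint a Presto config.properties override for the LDAP
# rules described on this page. All names here are illustrative.

REQUIRED = {
    "http-server.authentication.type": "PASSWORD",
    "password-authenticator.name": "ldap",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks, comments and section headers."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_ldap_override(text):
    """Return a list of findings; an empty list means the override passes."""
    props = parse_properties(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if actual != expected:
            findings.append(f"{key} must be {expected} (found {actual!r})")
    url = props.get("ldap.url", "")
    if not url.lower().startswith("ldaps://"):
        findings.append(f"ldap.url should use ldaps:// (found {url!r})")
    # HTTPS settings are added by Qubole when SSL is enabled; overriding
    # http-server.https.port in particular is not supported.
    for key in props:
        if key.startswith("http-server.https."):
            findings.append(f"remove {key}: HTTPS settings are added when SSL is enabled")
    return findings

# Constructed sample overrides (not taken from a real cluster)
GOOD = """config.properties:
http-server.authentication.type=PASSWORD
password-authenticator.name=ldap
ldap.url=ldaps://ldap-server:636
"""
BAD = """config.properties:
http-server.authentication.type=PASSWORD
ldap.url=ldap://ldap-server:389
http-server.https.port=9443
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ldap_override(sample) or "ok")
```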