jefflester / minitrino

A tool that makes it easy to run modular Trino environments locally.
Apache License 2.0

Fix LDAP Module and Update LDAP Module Readme #18

Closed joechu1 closed 4 years ago

joechu1 commented 4 years ago

Ran into some issues when starting up Minipresto with the ldap security module:

[i]  + sudo keytool -import -keystore /etc/pki/java/cacerts -trustcacerts -alias /usr/lib/presto/etc/certs/ldapserver.crt -noprompt -storepass prestoRocks15 -file /usr/lib/presto/etc/certs/ldapserver.crt
[i]  Warning: use -cacerts option to access cacerts keystore
[i]  keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

/etc/pki/java/cacerts is still using the default password changeit, but keytool is trying to add the certificate using the password prestoRocks15.


[i]  + echo 'LDAP Importing user from file [/usr/lib/presto/etc/ldap-users/alice.ldif]'
     + ldapmodify -x -D cn=admin,dc=example,dc=com -w ldap -H ldaps://172.30.0.2:636 -f /usr/lib/presto/etc/ldap-users/alice.ldif
[i]  ldap_bind: Invalid credentials (49)
[e]  Failed to execute command in container 'presto': /tmp/bootstrap-presto.sh

It attempts to use the original password ldap, but the password was already changed to prestoRocks15 with the environment variable property LDAP_ADMIN_PASSWORD in the ldap.yml file.


Error running command: javax.net.ssl.SSLPeerUnverifiedException: Hostname presto.minipresto.starburstdata.com not verified:
    certificate: sha256/zaFyYUEmTP33AHmKXHd9MMFc52yAC6NbvtLPvoW8T9U=
    DN: CN=*.starburstdata.com
    subjectAltNames: []

SSL certs only allow wildcards to match the next-level sub-domain. Changing the CN to *.minipresto.starburstdata.com would work, but I opted to add SANs instead to allow additional ways to connect to Presto.


Changes were made to fix the above issues, to make the client keystore and truststore more accessible, and to update the README.
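The hostname-verification failure above comes down to the one-label wildcard rule. The following is an added example, not code from the minipresto project: it implements that rule the way RFC 6125 verifiers do (a leading `*` covers exactly one DNS label, and dNSName SANs take precedence over the CN) and checks the certificate from the error message against the Presto hostname. The SAN list in `FIXED` is constructed for illustration, not taken from the PR.

```python
"""Why CN=*.starburstdata.com does not verify presto.minipresto.starburstdata.com,
and why adding a SAN fixes it. Added example; uses only the standard library."""

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (optionally with a leading
    wildcard) matches hostname. The wildcard must be the whole leftmost
    label and covers exactly one label, so '*.starburstdata.com' matches
    'api.starburstdata.com' but not 'presto.minipresto.starburstdata.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('pre*.example.com'), wildcards in later
    # labels, and overly broad names such as '*.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Same number of labels means the '*' absorbed exactly one label.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]

def verify_names(cn: str, sans: list, hostname: str) -> tuple:
    """Decide as a modern verifier does: if any dNSName SAN is present, only
    the SANs are consulted; the CN is a legacy fallback used when the SAN
    list is empty (assumption: some verifiers skip the CN entirely).
    Returns (matched, name_that_matched)."""
    candidates = sans if sans else [cn]
    for name in candidates:
        if hostname_matches(name, hostname):
            return True, name
    return False, None

HOST = "presto.minipresto.starburstdata.com"

# The failing certificate exactly as the error message reports it.
BROKEN = {"cn": "*.starburstdata.com", "sans": []}
# A certificate with SANs added (constructed values illustrating the fix).
FIXED = {"cn": "*.starburstdata.com",
         "sans": ["presto.minipresto.starburstdata.com",
                  "*.minipresto.starburstdata.com", "localhost"]}

if __name__ == "__main__":
    print("broken:", verify_names(hostname=HOST, **BROKEN))  # (False, None)
    print("fixed: ", verify_names(hostname=HOST, **FIXED))
```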

jefflester commented 4 years ago

Fantastic work, @joechu1! I'll look this over and get it merged in. Thanks for your improvements here.

jefflester commented 4 years ago

@joechu1 I pushed to your repo's branch. I updated the SSL directory and the readme accordingly. I also symlinked to the Presto CLI JAR file instead of creating an alias to it in the Presto Dockerfile, so now you can invoke the CLI from outside of the container without needing to point to the artifact, i.e.

docker exec -it presto presto-cli --execute "select 1"

will now work.