trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0

How does the shared-secret secure internal communication interact with Kerberos authentication? #21173

Open orthoxerox opened 6 months ago

orthoxerox commented 6 months ago

https://trino.io/docs/current/security/kerberos.html says:

node.internal-address-source | Kerberos is typically sensitive to DNS names. Setting this property to use FQDN ensures correct operation and usage of valid DNS host names.

https://trino.io/docs/current/security/internal-communication.html

Older versions of Trino required you to manually manage all the certificates on the nodes. If you upgrade from this setup, you must remove the following configuration properties:

  • internal-communication.https.keystore.path
  • internal-communication.https.truststore.path
  • node.internal-address-source

Based on the errors I'm getting when trying to connect, it looks like I have to manage the certificates on all nodes manually and my config should look something like this:

discovery.uri=https://<coordinator FQDN>:<https port>
node.internal-address-source=FQDN
internal-communication.https.keystore.path=<path to the keystore with the certificate issued for the worker node>
internal-communication.https.truststore.path=<path to the truststore that can validate all node certificates>

If that's correct, shouldn't this caveat be mentioned in the docs?
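Added here as an example (not code from the Trino project or from the reporter): a small Python linter that encodes the two documentation statements quoted above and the manual-certificate layout from this post, so a config.properties can be checked before it is deployed. The property names are Trino's own; the hostnames, paths and secret placeholder are constructed sample values.

```python
# Added example (not Trino's own code): lint config.properties against the rules quoted in this issue.
from typing import Dict, List

# Properties the internal-communication docs say to remove after the upgrade
MANUAL_CERT_KEYS = (
    "internal-communication.https.keystore.path",
    "internal-communication.https.truststore.path",
    "node.internal-address-source",
)

def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_internal_comm(props: Dict[str, str]) -> List[str]:
    """Return one finding per violated rule; an empty list means consistent."""
    findings: List[str] = []
    manual = [k for k in MANUAL_CERT_KEYS if k in props]
    shared = "internal-communication.shared-secret" in props
    auth = props.get("http-server.authentication.type", "").upper()
    if shared and manual:  # docs: remove these once on the shared-secret setup
        findings.append("shared-secret setup still carries: " + ", ".join(manual))
    if manual and not props.get("discovery.uri", "").startswith("https://"):
        findings.append("manual-certificate setup but discovery.uri is not https")
    if "KERBEROS" in auth and props.get("node.internal-address-source") != "FQDN":
        findings.append("Kerberos enabled but node.internal-address-source is not FQDN")
    if auth and not (shared or manual):
        findings.append("authentication enabled but no shared secret or internal certificates set")
    return findings

# Constructed sample: the manual-certificate layout the reporter describes
MANUAL_CONFIG = """discovery.uri=https://coordinator.example.internal:8443
http-server.authentication.type=KERBEROS
node.internal-address-source=FQDN
internal-communication.https.keystore.path=/etc/trino/worker-keystore.jks
internal-communication.https.truststore.path=/etc/trino/truststore.jks"""

# Constructed sample: shared-secret setup that kept FQDN because of Kerberos
SHARED_CONFIG = """discovery.uri=https://coordinator.example.internal:8443
http-server.authentication.type=KERBEROS
internal-communication.shared-secret=REPLACE-WITH-LONG-RANDOM-SECRET
node.internal-address-source=FQDN"""
```

Running the linter over SHARED_CONFIG trips the leftover-property rule on node.internal-address-source while the Kerberos rule demands that same property, which is exactly the tension between the two documentation pages that this issue asks about.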

Sreesruth commented 6 months ago

Hi, @orthoxerox @ragnard @joshk @electrum @jvanzyl, I would like to contribute on this, thank you.