trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

Allow Presto LDAP credentials to pass through via catalog property (not extraCredentials) #4006

Open tooptoop4 opened 4 years ago

tooptoop4 commented 4 years ago

Allow catalog properties (i.e. mysql) to refer to each user's Presto LDAP credentials WITHOUT the user having to pass the extraCredentials parameter in their JDBC connection string.

E.g. catalog properties (i.e. server side):

    connection-user=<LDAP>
    connection-password=<LDAP>

When set to <LDAP>, each user's credentials from their Presto client connection pass through to the catalog JDBC source (i.e. mysql, oracle, postgres, etc.).

Why? 2 problems with extraCredentials being client-side:

  1. Numerous client-side tools (and users) have to make an update to put the property in their connection, i.e. Superset, Alteryx, PowerBI, Jupyter PyHive, DBeaver, Tableau, various Java apps, etc.
  2. Logging is more problematic, as sensitive credentials appear in JDBC connection strings (UID/PWD is not something often masked) in some client tools.
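
The logging concern in point 2, as an added example that is not part of the original issue or of Trino's code: a Python filter that masks credential values in JDBC and ODBC-style connection strings before log lines are stored. The log lines, host name and the `mysql.user`/`mysql.password` credential key names are constructed for illustration.

```python
import re
from urllib.parse import unquote

MASK = "***"
# A Presto/Trino JDBC URL, up to the first whitespace or quote character.
JDBC_URL = re.compile(r"jdbc:(?:presto|trino)://[^\s\"']+")
# ODBC-style "PWD=secret" pair, terminated by ';' or whitespace.
ODBC_PWD = re.compile(r"\b(PWD)=[^;\s]+", re.IGNORECASE)

# Credential key names are chosen per deployment, so every value is masked.
def mask_extra_credentials(value):
    """Mask each value in an extraCredentials list 'k1:v1;k2:v2' (keys kept)."""
    masked = []
    for pair in unquote(value).split(";"):  # decode %3A / %3B first
        key, sep, _secret = pair.partition(":")
        masked.append(f"{key}{sep}{MASK}" if sep else pair)
    return ";".join(masked)

def _redact_url(match):
    base, sep, query = match.group(0).partition("?")
    if not sep:
        return base
    params = []
    for param in query.split("&"):
        name, eq, value = param.partition("=")
        if eq and name.lower() == "password":
            value = MASK
        elif eq and name.lower() == "extracredentials":
            value = mask_extra_credentials(value)
        params.append(f"{name}{eq}{value}")
    return f"{base}?{'&'.join(params)}"

def redact(line):
    """Return the log line with connection-string secrets masked."""
    line = JDBC_URL.sub(_redact_url, line)
    return ODBC_PWD.sub(lambda m: f"{m.group(1)}={MASK}", line)

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    "INFO connect url=jdbc:presto://presto.example.com:8443/mysql?SSL=true"
    "&user=alice&password=Hunter2"
    "&extraCredentials=mysql.user:alice;mysql.password:Hunter2",
    "DEBUG odbc DSN=Presto;UID=alice;PWD=Hunter2;",
    "INFO query finished in 120ms",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(redact(entry))
```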

tooptoop4 commented 4 years ago

A challenge with this LDAP passthrough approach is when using impersonation (i.e. via Superset): the principal is the superuser and the user is the end user, but the end user's password is not supplied in the connection (just the superuser's username/password is), so the JDBC catalog will not have access to the end user's password. But then again, I don't think a shared data source in Superset with impersonation could get extraCredentials from each user anyway.

tooptoop4 commented 4 years ago

wonder if this helps

    credentialProvider.getConnectionUser(Optional.empty())
            .ifPresent(user -> {
                try {
                    dataSource.setUser(user);
                }
                catch (SQLException e) {
                    throw new RuntimeException(e);
                }
            });
    credentialProvider.getConnectionPassword(Optional.empty())
            .ifPresent(password -> {
                try {
                    dataSource.setPassword(password);
                }
                catch (SQLException e) {
                    throw new RuntimeException(e);
                }
            });

matt12eagles commented 3 years ago

Hello @tooptoop4, any idea where I can add this? I have Trino realizing 'who' is executing the queries... but I want to pass in that user/pass of the person to the connection. Trying to find the file to add this to.

Thanks!

tooptoop4 commented 3 years ago

@matt12eagles ignore comment above. https://github.com/trinodb/trino/issues/8493#issuecomment-878244305 has the fix