Security

This page covers [Authentication] and [Authorization].

Authentication

Trino supports several authentication types.

Password

The Trino operator currently supports the following PASSWORD authenticators.

Password file

File-based authentication is defined as follows. First create a Secret with your users:

apiVersion: v1
kind: Secret
metadata:
  name: simple-trino-users-secret
type: kubernetes.io/opaque
stringData:
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
  alice: $2y$10$HcCa4k9v2DRrD/g7e5vEz.Bk.1xg00YTEHOZjPX7oK3KqMSt2xT8W
  bob: $2y$10$xVRXtYZnYuQu66SmruijPO8WHFM/UK5QPHTr.Nzf4JMcZSqt3W.2.

Each key in stringData is a username and each value is the bcrypt hash of that user's password; no plaintext passwords go into the Secret. The hashes are bcrypt with cost factor 10 (2^10 key-expansion rounds) and can be generated with htpasswd:

htpasswd -nbBC 10 admin admin

htpasswd prints admin:<hash>; copy only the hash part into the Secret. Note that -b takes the password on the command line, where it can end up in shell history; omit -b to be prompted for it instead.

Then reference the secret in your TrinoCluster definition:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  ...
  clusterConfig:
    authentication:
      method:
        multiUser:
          userCredentialsSecret:
            name: simple-trino-users-secret
  ...

LDAP

The Trino operator also supports LDAP authentication. In Stackable, authentication providers are described by AuthenticationClasses:

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: my-ldap
...
You can follow the Authentication with OpenLDAP tutorial to learn how to create an AuthenticationClass for an LDAP server.

With an AuthenticationClass ready, PASSWORD authentication against LDAP is enabled by referencing the LDAP AuthenticationClass:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: trino-with-ldap
spec:
  ...
  clusterConfig:
    authentication:
      method:
        ldap:
          authenticationClass: my-ldap
  ...

LDAP users can now log in to the Trino CLI and the web interface.

Authorization

To authorize Trino with OPA, apply a ConfigMap containing the Rego rules for Trino. The following example grants all access to the user admin and denies everyone else; it is intended for testing only. Do not use it in production!

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-bundle-trino
  labels:
    opa.stackable.tech/bundle: "trino"
data:
  trino.rego: |
    package trino

    import future.keywords.in

    default allow = false

    allow {
      is_admin
    }

    # is_admin is a plain rule (no function parentheses) so that
    # `allow { is_admin }` can reference it as a boolean.
    is_admin {
      input.context.identity.user == "admin"
    }

Write your own Rego rules for anything beyond this test policy.
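A real policy normally distinguishes roles rather than naming a single user. The following policy is an added example and not part of the Stackable documentation or the operator: it keeps the all-access rule for administrators and adds a second group that may only run read-only operations. Only input.context.identity.user is confirmed by this page; the input.action.operation field and the operation names used below are assumptions about the input document the Trino OPA authorizer sends, and must be checked against the authorizer version in use before the policy is deployed. It replaces trino.rego in the ConfigMap above.

```rego
package trino

import future.keywords.in

# Deny by default: any request not matched by an allow rule is rejected.
default allow = false

# Users with full access.
admins := {"admin"}

# Users restricted to read-only operations.
analysts := {"alice", "bob"}

# ASSUMPTION: the authorizer reports the requested operation in
# input.action.operation using names like these. Verify the exact field
# and operation names against the input document your authorizer sends.
read_only_operations := {
    "ExecuteQuery",
    "AccessCatalog",
    "ShowSchemas",
    "ShowTables",
    "SelectFromColumns"
}

# Administrators may do anything.
allow {
    input.context.identity.user in admins
}

# Analysts may only perform operations from the read-only set; a write
# such as an INSERT never reaches an allow rule and falls back to false.
allow {
    input.context.identity.user in analysts
    input.action.operation in read_only_operations
}
```

The policy can be exercised offline before it is applied to the cluster: with the rules saved as trino.rego and a constructed input document such as {"context":{"identity":{"user":"alice"}},"action":{"operation":"ShowTables"}} in input.json, `opa eval -d trino.rego -i input.json 'data.trino.allow'` yields true, while the same user with operation "InsertIntoTable" or an unknown user yields false.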

Define a secure cluster

For a secure setup, the following steps must be taken:

  1. Enable authentication

  2. Enable TLS between the clients and coordinator

  3. Enable internal TLS for communication between coordinators and workers

Via authentication

If authentication is enabled, TLS for the coordinator must be configured as well, together with a shared secret for internal communication between coordinator and workers. That shared secret lives in a Kubernetes Secret, where it is only base64-encoded, not encrypted, so access to it should be restricted by RBAC.

Securing the cluster this way disables the HTTP port entirely, including the web interface served on it; clients and the web interface use HTTPS only. In the definition below, authentication uses the trino-users Secret, and the TLS certificate is issued by the Secret Operator (the autoTls backend).

---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCatalog
metadata:
  name: hive
  labels:
    trino: simple-trino
spec:
  connector:
    hive:
      metastore:
        configMap: simple-hive-derby
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  image:
    productVersion: "396"
    stackableVersion: "23.4.0-rc2"
  clusterConfig:
    tls:
      serverSecretClass: trino-tls (1)
    authentication:
      method:
        multiUser:
          userCredentialsSecret:
            name: trino-users (2)
    catalogLabelSelector:
      matchLabels:
        trino: simple-trino (3)
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-tls (1)
spec:
  backend:
    autoTls: (4)
      ca:
        secret:
          name: secret-provisioner-trino-tls-ca
          namespace: default
        autoGenerate: true
---
apiVersion: v1
kind: Secret
metadata:
  name: trino-users (2)
type: kubernetes.io/opaque
stringData:
  # admin:admin
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
---
apiVersion: hive.stackable.tech/v1alpha1
kind: HiveCluster
metadata:
  name: simple-hive-derby
spec:
  image:
    productVersion: 3.1.3
    stackableVersion: "23.4.0-rc1"
  clusterConfig:
    database:
      connString: jdbc:derby:;databaseName=/tmp/metastore_db;create=true
      user: APP
      password: mine
      dbType: derby
  metastore:
    roleGroups:
      default:
        replicas: 1
1 The name of (and reference to) the SecretClass
2 The name of (and reference to) the Secret
3 TrinoCatalog reference
4 TLS mechanism

The CLI now needs the server certificate (or its CA) in a keystore, the keystore password, and the user's credentials. The --password flag makes the CLI prompt for the password instead of taking it on the command line:

./trino.jar --debug --server https://172.18.0.3:31748 \
  --user=admin --password \
  --keystore-path=<path-to-keystore.p12> --keystore-password=<password>

Via TLS only

This disables the HTTP port, and with it HTTP access to the web interface, and encrypts the communication between clients and the coordinator. No authentication is configured in this variant.

---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCatalog
metadata:
  name: hive
  labels:
    trino: simple-trino
spec:
  connector:
    hive:
      metastore:
        configMap: simple-hive-derby
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  image:
    productVersion: "396"
    stackableVersion: "23.4.0-rc2"
  clusterConfig:
    tls:
      serverSecretClass: trino-tls (1)
    catalogLabelSelector:
      matchLabels:
        trino: simple-trino (2)
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-tls (1)
spec:
  backend:
    autoTls: (3)
      ca:
        secret:
          name: secret-provisioner-trino-tls-ca
          namespace: default
        autoGenerate: true
---
apiVersion: hive.stackable.tech/v1alpha1
kind: HiveCluster
metadata:
  name: simple-hive-derby
spec:
  image:
    productVersion: 3.1.3
    stackableVersion: "23.4.0-rc1"
  clusterConfig:
    database:
      connString: jdbc:derby:;databaseName=/tmp/metastore_db;create=true
      user: APP
      password: mine
      dbType: derby
  metastore:
    roleGroups:
      default:
        replicas: 1
1 The name of (and reference to) the SecretClass
2 TrinoCatalog reference
3 TLS mechanism

The CLI call then only needs the keystore, since no authentication is configured:

./trino.jar --debug --server https://172.18.0.3:31748 --keystore-path=<path-to-keystore.p12> --keystore-password=<password>

Via internal TLS

Internal TLS encrypts and authenticates the communication between coordinators and workers. Since this applies to all data sent and processed between these processes, it can reduce performance significantly.

---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCatalog
metadata:
  name: hive
  labels:
    trino: simple-trino
spec:
  connector:
    hive:
      metastore:
        configMap: simple-hive-derby
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  image:
    productVersion: "396"
    stackableVersion: "23.4.0-rc2"
  clusterConfig:
    tls:
      internalSecretClass: trino-internal-tls (1)
    authentication:
      method:
        multiUser:
          userCredentialsSecret:
            name: trino-users (2)
    catalogLabelSelector:
      matchLabels:
        trino: simple-trino
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-internal-tls (1)
spec:
  backend:
    autoTls: (3)
      ca:
        secret:
          name: secret-provisioner-trino-internal-tls-ca
          namespace: default
        autoGenerate: true
---
apiVersion: v1
kind: Secret
metadata:
  name: trino-users (2)
type: kubernetes.io/opaque
stringData:
  # admin:admin
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
---
apiVersion: hive.stackable.tech/v1alpha1
kind: HiveCluster
metadata:
  name: simple-hive-derby
spec:
  image:
    productVersion: 3.1.3
    stackableVersion: "23.4.0-rc1"
  clusterConfig:
    database:
      connString: jdbc:derby:;databaseName=/tmp/metastore_db;create=true
      user: APP
      password: mine
      dbType: derby
  metastore:
    roleGroups:
      default:
        replicas: 1
1 The name of (and reference to) the SecretClass
2 The name of (and reference to) the Secret
3 TLS mechanism

Since Trino runs internal and external communication over a single port, this enables the HTTPS port for the internal traffic but does not expose it to clients. Clients can only reach the cluster via HTTP:

./trino.jar --debug --server http://172.18.0.3:31748 --user=admin
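The three steps listed under Define a secure cluster are meant to be combined. The manifest below is an added example assembled from the fragments on this page (it is not a separate listing from the Stackable documentation): it enables authentication, client-facing TLS and internal TLS on one TrinoCluster, keeping the names used above. The TrinoCatalog and HiveCluster from the earlier listings are unchanged and omitted here.

```yaml
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  image:
    productVersion: "396"
    stackableVersion: "23.4.0-rc2"
  clusterConfig:
    tls:
      serverSecretClass: trino-tls             # TLS between clients and coordinator
      internalSecretClass: trino-internal-tls  # TLS between coordinators and workers
    authentication:
      method:
        multiUser:
          userCredentialsSecret:
            name: trino-users                  # bcrypt hashes, never plaintext
    catalogLabelSelector:
      matchLabels:
        trino: simple-trino
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1
---
# Client-facing certificates, issued by the Secret Operator.
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-trino-tls-ca
          namespace: default
        autoGenerate: true
---
# Separate class, and therefore separate CA, for coordinator/worker traffic.
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-internal-tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-trino-internal-tls-ca
          namespace: default
        autoGenerate: true
---
apiVersion: v1
kind: Secret
metadata:
  name: trino-users
type: kubernetes.io/opaque
stringData:
  # admin:admin (generated with: htpasswd -nbBC 10 admin admin)
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
```

With serverSecretClass set, the HTTP port and the HTTP web interface are disabled, so clients connect with the HTTPS CLI invocation shown under Via authentication (keystore plus --user and --password). Keeping two SecretClasses, as the individual examples on this page do, puts client-facing and internal certificates under distinct CAs, so a certificate issued for clients cannot be presented as an internal one.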