Enabling LDAP authentication in Trino
1. Background
Security compliance requirements made it necessary to enable an authentication mechanism on the Trino service.
2. HTTPS with a private certificate
keytool -genkeypair -validity 36500 -ext SAN=IP:172.16.104.226,DNS:hd1.dtstack.com -alias trino -keypass admin@123 -storepass admin@123 -keyalg RSA -dname "CN=hd1.dtstack.com,OU=,O=,L=,ST=,C=" -keystore trino.jks
keytool -export -rfc -keystore trino.jks -alias trino -file trino.pem
This generates the keystore and certificate; copy them to /opt/applications/trino/current/etc.
3. Edit the configuration files
config.properties
vim config.properties
# add the following
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/opt/trino/etc/trino.jks
http-server.https.keystore.key=admin@123
internal-communication.shared-secret=abc123
internal-communication.https.required=true
http-server.https.secure-random-algorithm=SHA1PRNG
# also accepts password authentication over plain HTTP (credentials then travel unencrypted)
http-server.authentication.allow-insecure-over-http=true
# AD
http-server.authentication.type=PASSWORD
password-authenticator.properties
password-authenticator.name=ldap
ldap.url=ldap://172.16.105.69:389
# multiple OUs: separate the base DNs with ':'
ldap.user-base-dn=CN=Users,DC=fzcdh,DC=com:OU=owner1,DC=fzcdh,DC=com
ldap.user-bind-pattern=${USER}@fzcdh.com
# required because ldap.url uses ldap:// rather than ldaps://
ldap.allow-insecure=true
4. Client verification
trino-cli --server https://hd1.dtstack.com:8443 \
  --keystore-path /opt/trino/etc/trino.jks --keystore-password admin@123 \
  --catalog hive --user test --password
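As an added example (not from the original post), the script below parses the two properties files configured above, shows how Trino reads the colon-separated base DNs and expands ${USER} in the bind pattern, and flags the settings that let credentials travel unencrypted. The embedded file contents are constructed from the values in the post; on a real host they would be read from the etc directory instead.

```python
# Constructed sample input mirroring the values in the post; a real run would
# read /opt/trino/etc/config.properties and password-authenticator.properties.
CONFIG_PROPERTIES = """
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/opt/trino/etc/trino.jks
internal-communication.https.required=true
http-server.authentication.allow-insecure-over-http=true
http-server.authentication.type=PASSWORD
"""
LDAP_PROPERTIES = """
password-authenticator.name=ldap
ldap.url=ldap://172.16.105.69:389
# multiple OUs, separated by ':'
ldap.user-base-dn=CN=Users,DC=fzcdh,DC=com:OU=owner1,DC=fzcdh,DC=com
ldap.user-bind-pattern=${USER}@fzcdh.com
ldap.allow-insecure=true
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def base_dns(ldap):
    """Trino accepts several base DNs in ldap.user-base-dn, ':'-separated."""
    return ldap["ldap.user-base-dn"].split(":")

def bind_dn(ldap, user):
    """Expand ldap.user-bind-pattern as Trino does for a login attempt."""
    return ldap["ldap.user-bind-pattern"].replace("${USER}", user)

def audit(config, ldap):
    """Return the settings that let credentials travel unencrypted."""
    findings = []
    if config.get("http-server.authentication.allow-insecure-over-http") == "true":
        findings.append("allow-insecure-over-http: passwords accepted over plain HTTP")
    if ldap.get("ldap.url", "").startswith("ldap://"):
        findings.append("ldap.url: bind credentials sent to the directory without TLS")
    if ldap.get("ldap.allow-insecure") == "true":
        findings.append("ldap.allow-insecure: unencrypted LDAP connection permitted")
    return findings
```

Running audit() on the post's configuration yields three findings; switching to ldaps://, setting ldap.allow-insecure=false and allow-insecure-over-http=false makes it return an empty list.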