We have a Presto cluster alongside a Hadoop cluster, where all Presto worker servers are installed on the data-node machines.

The following is an example of a Hive connector configuration file that is configured on the Presto workers under the catalog folder:

connector.name=hive-hadoop2
hive.metastore.uri=thrift://metastore-node:9083

We want to know what the risks are when the access from each of the Presto workers to the Hive metastore machine isn't secured.

As we understand it, Presto workers connect to the Hive metastore using the Thrift protocol on port 9083,

but it is not clear how a Presto worker performs the authentication against the Hive metastore?

We would appreciate more details about how Presto workers access the Hive metastore without Hive secured and with Hive secured.

Reference: https://docs.starburstdata.com/302-e/connector/hive-security.html

1 Answer

Hive metastore can be configured:

  • not to use authentication (trust user identity provided by the caller)
  • to use Kerberos authentication.

Both these modes are supported in Presto.

The basic mode (no auth) requires no additional configuration properties.

For the Kerberos authentication you need to set

hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=...
hive.metastore.client.principal=...
hive.metastore.client.keytab=...

See full example & more at https://docs.starburstdata.com/latest/connector/hive-security.html#example-configuration-with-kerberos-authentication

If you need further help, you can get it on the #troubleshooting channel on the Trino (formerly Presto SQL) community Slack.
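
An added example, not part of the original answer or of Presto itself: a small audit that reads Hive catalog files and reports which ones reach the metastore in the no-authentication mode described above, and which ones set KERBEROS but lack one of the three properties the answer lists. The function names, file names, principals and the rule that a Hive catalog is one whose `connector.name` starts with `hive` are assumptions made for illustration.

```python
# Added example: audit Presto Hive catalog files for metastore authentication.
KERBEROS_KEYS = (
    "hive.metastore.service.principal",
    "hive.metastore.client.principal",
    "hive.metastore.client.keytab",
)

def parse_properties(text):
    """Parse the plain key=value subset of .properties used in catalog files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_catalog(name, text):
    """Return findings for one catalog file; an empty list means nothing to report."""
    props = parse_properties(text)
    # Assumption: Hive catalogs are those whose connector name starts with "hive".
    if not props.get("connector.name", "").startswith("hive"):
        return []
    if props.get("hive.metastore.authentication.type", "").upper() != "KERBEROS":
        uri = props.get("hive.metastore.uri", "<unset>")
        return [f"{name}: {uri} authentication.type is not KERBEROS; "
                "the metastore trusts the user identity sent by the caller"]
    return [f"{name}: KERBEROS set but {key} is missing or empty"
            for key in KERBEROS_KEYS if not props.get(key)]

# Constructed sample inputs; principals are placeholders, not real values.
SAMPLE_NO_AUTH = """\
connector.name=hive-hadoop2
hive.metastore.uri=thrift://metastore-node:9083
"""
SAMPLE_KERBEROS_INCOMPLETE = SAMPLE_NO_AUTH + """\
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/metastore-node@EXAMPLE.COM
hive.metastore.client.principal=presto@EXAMPLE.COM
"""

if __name__ == "__main__":
    for name, text in (("hive.properties", SAMPLE_NO_AUTH),
                       ("hive_krb.properties", SAMPLE_KERBEROS_INCOMPLETE)):
        for finding in audit_catalog(name, text) or [f"{name}: ok"]:
            print(finding)
```

To run it against a real deployment, pass the contents of each file in the workers' catalog folder to `audit_catalog`.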