prestodb / presto-python-client

Python DB-API client for Presto

kerberos auth documentation

parisni opened this issue · comments

Hi there

Any example in the documentation on how to connect to a kerberized presto coordinator
from your lib?

Thanks in advance

Try something like this

import requests_kerberos

KRB5_CONFIG = "/etc/krb5-thrift.conf"
CA_BUNDLE = "/etc/pki/tls/certs/fb_certs.pem"

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name=COORDINATOR_KRB5_SERVICE_NAME,
    mutual_authentication=requests_kerberos.DISABLED,
    ca_bundle=CA_BUNDLE,
)

Then make a new connection with _auth

@highker

Thank you for your comment. I tried it, but I saw the error below.

NameError: name 'KerberosAuthentication' is not defined

requests-kerberos doesn't seem to have KerberosAuthentication.

You mean use this?

Best regards,

I'm sorry. I can import in this way.

from prestodb.auth import KerberosAuthentication

@tommarute, can you show a complete example of how to use '_auth' above? Thanks.

@92chabuduo

Hi

I'm sorry to say that I haven't been able to run kerberos auth by using this client.

My sample code is here.
It doesn't work.

So I changed presto client from prestodb to pyhive.

FWIW, this is pyhive sample code.
It works.

Thanks.

@tommarute are you sure your pyhive code is using kerberos? I cannot find any mention of kerberos token in it.

@parisni
You're completely right.
It seems that our presto doesn't require Kerberos authentication.
I'm sorry for the confusion.

Does anyone have authentication against kerberized presto-coordinator working? Could you provide any example? This is my example code:

import prestodb
from prestodb.auth import KerberosAuthentication

KRB5_CONFIG = "/etc/krb5.conf"
CA_BUNDLE = "/etc/ca-chain.crt"

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name='HTTP',
    mutual_authentication=False,
    ca_bundle=CA_BUNDLE
)

conn = prestodb.dbapi.connect(
    host='presto-coordinator.test.gl',
    port=7778,
    catalog='tpch',
    schema='information_schema',
    http_scheme='https',
    auth=_auth,
)

cur = conn.cursor()
cur.execute('SHOW tables')
rows = cur.fetchall()

It doesn't work although I have a valid kerberos ticket for the user who is sending the request. I obtain a 401 (Unauthorized).

If somebody is interested, above code works. The problem was that the user running the code didn't have permission over the keytab. It is already solved.

@jacibreiro Many thanks for your code example.
My Python version is 2.7.16 and I cannot connect to my kerberized presto server, although my Java-based client could connect to it successfully.
My code sample is:

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name='presto',
    principal='bdi.prod@TEST.SERVER.HULU.COM',
    mutual_authentication=False,
    ca_bundle=CA_BUNDLE,
)
conn = prestodb.dbapi.connect(
    host='presto.server.hulu.com',
    port=7778,
    catalog='hive',
    schema='information_schema',
    http_scheme='https',
    auth=_auth,
    max_attempts=1,
)
cur = conn.cursor()
cur.execute('SHOW tables')
rows = cur.fetchall()

The error is:

Traceback (most recent call last):
  File "/Users/chang.wu/work/workspace/hulu-github-src/hadoop-security/code-layer-verification/src/main/java/com/hulu/security/presto/PrestoPythonClient.py", line 39, in <module>
    cur.execute('SHOW tables')
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/dbapi.py", line 228, in execute
    result = self._query.execute()
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/client.py", line 520, in execute
    response = self._request.post(self._sql)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/client.py", line 347, in post
    proxies=PROXIES,
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='presto.server.hulu.com', port=7778): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),))

Process finished with exit code 1

Could anyone provide me some clues?
I am quite sure that kerberized presto server is fine.

@VicoWu the HTTPS request fails to verify the SSL certificate. That seems unrelated to kerberos because it happens in the requests HTTP client library and not in Presto. Are you sure your CA_BUNDLE and Presto server certificate are valid?

In the environment I am using, the suggested server to use was a load balancer which did not work with this client. The following code sample worked when the server was a coordinator, and I downloaded the cert directly from this server with the command in the code comment. The presto web ui was available at this same url at https://SERVER:PORT/ui

This code sample worked for me on both Mac OS X and Linux.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import prestodb
import os

"""
turn on kinit debugging info with: export KRB5_TRACE=/dev/stderr

get cert file from server with:
echo -n | openssl s_client -showcerts -connect SERVER:PORT  > file.pem
"""

server = {
    'host': 'presto-coordinator.or.ui.server',
    'port': 8443,
    'ca_bundle':  './your-pem-file.pem',
    }

conn = prestodb.dbapi.connect(
    http_scheme='https',
    host=server['host'],
    port=server['port'],
    user=os.environ['USER'],
    catalog='system',
    auth=prestodb.auth.KerberosAuthentication(
        config='/etc/krb5.conf',
        service_name='presto',
        principal='{}@YOUR.DEFAULT.REALM'.format(os.environ['USER']),
        ca_bundle=server['ca_bundle']
        )
)
cursor = conn.cursor()
cursor.execute('SELECT * FROM system.runtime.nodes')
for row in cursor.fetchall():
    print(row)

If somebody is interested, above code works. The problem was that the user running the code didn't have permission over the keytab. It is already solved.

I am getting a 401 unauthorized issue. Could you please let me know what you mean by didn't have permission over keytab? What permission do we need for the user?
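
Added example, not code from any participant in this thread or from presto-python-client: a local preflight for the two failures discussed above, the 401 traced to keytab permissions and the CERTIFICATE_VERIFY_FAILED traced to the CA bundle. The function names and the keytab path are assumptions; the other two paths are the ones used in the sample above, and mode 0600 for a keytab is common hardening practice rather than something the thread states.

```python
import os
import ssl
import stat


def check_secret_file(path, label="keytab"):
    """Problems that stop this user reading a keytab, or that expose it to others."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: cannot stat %s (%s)" % (label, path, exc.strerror)]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append("%s: uid %d cannot read %s" % (label, os.geteuid(), path))
    # A keytab holds long-term keys, so any group/other permission bit is flagged.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: %s has mode %o; long-term keys should be 0600"
                        % (label, path, stat.S_IMODE(st.st_mode)))
    return problems


def check_ca_bundle(path):
    """Problems that would otherwise surface later as CERTIFICATE_VERIFY_FAILED."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Fails if the file is missing or contains no PEM certificate at all.
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ["ca_bundle: %s is not a loadable PEM bundle (%s)" % (path, exc)]
    return []


def preflight(krb5_config, ca_bundle, keytab=None):
    """Collect every problem instead of stopping at the first one."""
    problems = []
    if not os.access(krb5_config, os.R_OK):
        problems.append("config: %s is missing or unreadable" % krb5_config)
    problems += check_ca_bundle(ca_bundle)
    if keytab is not None:
        problems += check_secret_file(keytab)
    return problems


if __name__ == "__main__":
    # The keytab path is a placeholder (assumption); the other two paths are the
    # values passed to KerberosAuthentication in the sample earlier in the thread.
    for line in preflight("/etc/krb5.conf", "/etc/ca-chain.crt",
                          "/path/to/client.keytab"):
        print(line)
```

Run it as the same OS user that runs the Presto client; as root the readability check always passes. A bundle that loads can still be the wrong CA for the coordinator, so a clean result only rules out unreadable or malformed files.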