Comments (3)
Hi @Consultante-yr, I assume you still need Kerberos in your coordinator which protects your Presto cluster. To disable the internal authentication with Kerberos, you only need to remove internal-communication.kerberos.enabled on your coordinator and it works. And for workers, since they talk to the coordinator over unauthenticated HTTP, you don't need the following Kerberos settings:
http-server.authentication.type
http.server.authentication.krb5.service-name
http.server.authentication.krb5.keytab
http.authentication.krb5.config
from presto.
The following suggestion is based on the assumption that you want to disable the Kerberos between the coordinator and workers but still enable Kerberos on the Presto UI:
In the coordinator:
coordinator=true
discovery-server.enabled=true
node-scheduler.include-coordinator=false
discovery.uri=https://coordinator.domaine.com:8443
Change discovery.uri to http://coordinator.domaine.com:8080 to use HTTP between the coordinator and workers. Pick a port number you can use on the coordinator and make sure all workers use the same discovery.uri
http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=true
Change internal-communication.kerberos.enabled to false to disable the Kerberos between the coordinator and workers. Or you can comment out this setting.
---- ssl/tls
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=xxxxxxx
http-server.http.enabled=false
You still need the HTTP server, so set this value to true: http-server.http.enabled=true and assign a port number which matches the port number you use in the discovery.uri
For example:
http-server.http.port=8080
internal-communication.https.required=true
Set internal-communication.https.required to false and comment out the following two settings:
#internal-communication.https.keystore.path=/etc/prestodb.jks
#internal-communication.https.keystore.key=xxxxx
Make sure the two settings above are commented out
====================================================
In the workers:
coordinator=false
--- discovery server
discovery.uri=https://coordinator.domaine.com:8443
Change to the HTTP protocol and use the value from the coordinator, i.e. discovery.uri=http://coordinator.domaine.com:8080
Then comment out the following settings:
#http-server.authentication.type=PASSWORD,KERBEROS
#http.server.authentication.krb5.service-name=prestodb
#http.server.authentication.krb5.keytab=/etc/prestodb.keytab
#http.authentication.krb5.config=/etc/krb5.conf
#internal-communication.kerberos.enabled=false
#http-server.https.enabled=true
#http-server.https.port=8443
#http-server.https.keystore.path=/etc/prestodb.jks
#http-server.https.keystore.key=keystore_password=xxxxxx
#http-server.http.enabled=false
#internal-communication.https.required=true
#internal-communication.https.keystore.path=/etc/prestodb.jks
#internal-communication.https.keystore.key=xxxx
Finally, you still need to set up http-server.http.port in the workers, i.e. http-server.http.port=8080, as long as the port number is available on the workers. Of course, each worker can use a different port.
Again, I assume that you only want the Kerberos on the Presto UI but no HTTPS and no Kerberos between the coordinator and workers.
Hello @yhwang,
Thank you for your response.
But when I removed internal-communication.kerberos.enabled on the coordinator, I get 0 active workers and in the log I encounter this error:
"WARN http-client-node-manager-56 com.facebook.presto.metadata.RemoteNodeState Error fetching node state from https://coordinator.domaine.com:8443/v1/info/state returned status 401: Unauthorized"
This is my config file on the coordinator:
--- Im a coordinator
coordinator=true
discovery-server.enabled=true
node-scheduler.include-coordinator=false
---- discovery server
discovery.uri=https://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=true
---- ssl/tls
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=xxxxxxx
http-server.http.enabled=false
internal-communication.https.required=true
internal-communication.https.keystore.path=/etc/prestodb.jks
internal-communication.https.keystore.key=xxxxx
---- config query
query.client.timeout=120.00m
query.max-memory=4GB
query.max-memory-per-node=4GB
query.max-total-memory=4GB
query.max-total-memory-per-node=4GB
node-scheduler.network-topology=flat
And when I also tried to remove internal-communication.kerberos.enabled in the workers, I get this error:
" ERROR Announcer-0 io.airlift.discovery.client.Announcer Cannot connect to discovery server for announce: Announcement failed with status code 401:
2024-02-07T15:54:49.126Z ERROR Announcer-0 io.airlift.discovery.client.Announcer Service announcement failed after 51.13ms. Next request will happen within 0.00s"
This is my config file on the workers:
--- Im a worker
coordinator=false
--- discovery server
discovery.uri=https://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=false
---- ssl/tls
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=keystore_password=xxxxxx
http-server.http.enabled=false
internal-communication.https.required=true
internal-communication.https.keystore.path=/etc/prestodb.jks
internal-communication.https.keystore.key=xxxx
---- config query
query.client.timeout=120.00m
query.max-memory=2GB
query.max-memory-per-node=1GB
query.max-total-memory=4GB
query.max-total-memory-per-node=1GB
node-scheduler.network-topology=flat
exchange.http-client.request-timeout=20s
And for workers, they communicate with the coordinator over HTTPS. I prefer to maintain HTTPS, as changing it would require adjusting all configurations under load balancers.
Any suggestions, please?
Thank you in advance,
Best Regards,
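
Added example, not part of the thread and not Presto's own validation: a small consistency check over a coordinator/worker pair of config.properties files, using only the property names quoted above. Its rules are assumptions taken from the thread (discovery.uri must match a listener the coordinator enables, the 401 reported when HTTPS with authentication is used without internal Kerberos, and HTTP between nodes being unauthenticated); the sample configs are constructed from the posted ones.

```python
from urllib.parse import urlsplit

def parse_props(text):
    """Parse config.properties text; skips blanks, '#' comments and '---' banners."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "---")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def enabled(props, key):
    # Assumption: settings are spelled out; a missing key counts as "not enabled".
    return props.get(key, "false").lower() == "true"

def check_node(coord, node, name):
    """Check one node's properties against the coordinator's; returns findings."""
    findings = []
    raw = node.get("discovery.uri", "")
    uri = urlsplit(raw)
    if raw != coord.get("discovery.uri"):
        findings.append(f"{name}: discovery.uri differs from the coordinator's")
    # discovery.uri must hit a listener the coordinator really exposes.
    prefix = f"http-server.{uri.scheme}"
    if not enabled(coord, f"{prefix}.enabled") or coord.get(f"{prefix}.port") != str(uri.port):
        findings.append(f"{name}: coordinator has no {uri.scheme} listener on port {uri.port}")
    if (uri.scheme == "https" and "http-server.authentication.type" in coord
            and not enabled(node, "internal-communication.kerberos.enabled")):
        findings.append(f"{name}: authenticated HTTPS listener but no internal Kerberos (expect 401)")
    if uri.scheme == "http":
        findings.append(f"{name}: internal traffic is plaintext and unauthenticated")
    return findings

# Constructed samples: reduced posted configs, then the HTTP variant suggested above.
COORD_POSTED = parse_props("""
discovery.uri=https://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
internal-communication.kerberos.enabled=true
http-server.https.enabled=true
http-server.https.port=8443
http-server.http.enabled=false
""")
WORKER_POSTED = parse_props("""--- Im a worker
discovery.uri=https://coordinator.domaine.com:8443
internal-communication.kerberos.enabled=false""")
COORD_HTTP = {**COORD_POSTED, "discovery.uri": "http://coordinator.domaine.com:8080",
              "http-server.http.enabled": "true", "http-server.http.port": "8080"}
WORKER_HTTP = {"discovery.uri": "http://coordinator.domaine.com:8080", "http-server.http.port": "8080"}
```

Calling check_node(COORD_POSTED, WORKER_POSTED, "worker") reports the 401 condition from the thread, while the HTTP variant passes the listener checks but is flagged as plaintext, which matters if the HTTP port is reachable from outside the cluster network.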