
Comments (3)

yhwang avatar yhwang commented on May 27, 2024 1

Hi @Consultante-yr, I assume you still need Kerberos in your coordinator, which protects your Presto cluster. To disable the internal authentication with Kerberos, you only need to remove internal-communication.kerberos.enabled on your coordinator and it works. And for workers, since they talk to the coordinator over unauthenticated HTTP, you don't need the following Kerberos settings:

  • http-server.authentication.type
  • http.server.authentication.krb5.service-name
  • http.server.authentication.krb5.keytab
  • http.authentication.krb5.config

from presto.

yhwang avatar yhwang commented on May 27, 2024 1

The following suggestion is based on the assumption that you want to disable Kerberos between the coordinator and workers but still enable Kerberos on the Presto UI:

In the coordinator:

coordinator=true
discovery-server.enabled=true
node-scheduler.include-coordinator=false

discovery.uri=https://coordinator.domaine.com:8443

Change discovery.uri to http://coordinator.domaine.com:8080 to use HTTP between the coordinator and workers. Pick a port number you can use on the coordinator and make sure all workers use the same discovery.uri.

http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=true

Change internal-communication.kerberos.enabled to false to disable Kerberos between the coordinator and workers. Or you can comment out this setting.

---- ssl/tls

http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=xxxxxxx
http-server.http.enabled=false

You still need an HTTP server, so set this value to true: http-server.http.enabled=true
and assign a port number which matches the port number you use in the discovery.uri.
For example:
http-server.http.port=8080

internal-communication.https.required=true

Set internal-communication.https.required to false and comment out the following two settings:

#internal-communication.https.keystore.path=/etc/prestodb.jks
#internal-communication.https.keystore.key=xxxxx

Make sure the two settings above are commented out.

====================================================

In the workers:

coordinator=false

--- discovery server
discovery.uri=https://coordinator.domaine.com:8443

Change to the HTTP protocol and use the value from the coordinator, i.e.: discovery.uri=http://coordinator.domaine.com:8080

Then comment out the following settings:

#http-server.authentication.type=PASSWORD,KERBEROS
#http.server.authentication.krb5.service-name=prestodb
#http.server.authentication.krb5.keytab=/etc/prestodb.keytab
#http.authentication.krb5.config=/etc/krb5.conf
#internal-communication.kerberos.enabled=false

#http-server.https.enabled=true
#http-server.https.port=8443
#http-server.https.keystore.path=/etc/prestodb.jks
#http-server.https.keystore.key=keystore_password=xxxxxx
#http-server.http.enabled=false
#internal-communication.https.required=true
#internal-communication.https.keystore.path=/etc/prestodb.jks
#internal-communication.https.keystore.key=xxxx

Finally, you still need to set up http-server.http.port in the workers, i.e.: http-server.http.port=8080, as long as the port number is available on the workers. Of course, each worker can use a different port.

Again, I assume that you only want Kerberos on the Presto UI but no HTTPS and no Kerberos between the coordinator and workers.

from presto.
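As an added example (not part of the comment above and not Presto's own code): a small Python check of a coordinator config.properties against the consistency rules that comment describes, namely that discovery.uri must point at an enabled listener on the matching port and that internal-communication.https.required must be off when discovery.uri is plain HTTP. The function names and finding messages are this example's own, the checks are stricter than Presto requires (the listener and port must be set explicitly), and the two sample configs are constructed from values quoted in the thread.

```python
from urllib.parse import urlparse

# Constructed samples built from the thread's coordinator settings.
BEFORE = """discovery.uri=https://coordinator.domaine.com:8443
http-server.authentication.type=PASSWORD,KERBEROS
#internal-communication.kerberos.enabled=true
http-server.https.enabled=true
http-server.https.port=8443
http-server.http.enabled=false
internal-communication.https.required=true"""
AFTER = """discovery.uri=http://coordinator.domaine.com:8080
http-server.authentication.type=PASSWORD,KERBEROS
internal-communication.kerberos.enabled=false
http-server.https.enabled=true
http-server.https.port=8443
http-server.http.enabled=true
http-server.http.port=8080
internal-communication.https.required=false"""

def parse_props(text):
    """Parse key=value lines, skipping blanks, '#' comments and '---' markers."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#-=" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_coordinator(text):
    """Return a list of findings for a coordinator config (checks are this example's own)."""
    p = parse_props(text)
    def on(key):
        return p.get(key, "").lower() == "true"
    uri = urlparse(p.get("discovery.uri", ""))
    listener = "http-server.https" if uri.scheme == "https" else "http-server.http"
    out = []
    # The discovery.uri port must be served by an explicitly enabled listener.
    if not on(listener + ".enabled") or p.get(listener + ".port") != str(uri.port):
        out.append(f"discovery.uri needs {listener} enabled on port {uri.port}")
    if uri.scheme == "http":
        if on("internal-communication.https.required"):
            out.append("internal-communication.https.required=true conflicts with http discovery.uri")
        out.append("note: internal traffic is unauthenticated plain HTTP")
    elif p.get("http-server.authentication.type") and not on("internal-communication.kerberos.enabled"):
        out.append("authenticated HTTPS internally without internal Kerberos: the 401 case in the thread")
    return out
```

The "note" finding is informational: it marks the state the comment deliberately chooses, in which the internal HTTP port carries unauthenticated cluster traffic and its network exposure has to be controlled by other means.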

Consultante-yr avatar Consultante-yr commented on May 27, 2024

Hello @yhwang,

Thank you for your response.
But when I removed internal-communication.kerberos.enabled on the coordinator, I get 0 active workers and in the log I encounter this error:
"WARN http-client-node-manager-56 com.facebook.presto.metadata.RemoteNodeState Error fetching node state from https://coordinator.domaine.com:8443/v1/info/state returned status 401: Unauthorized"

This is my config file on the coordinator:
--- Im a coordinator
coordinator=true
discovery-server.enabled=true
node-scheduler.include-coordinator=false

---- discovery server
discovery.uri=https://coordinator.domaine.com:8443

http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=true

---- ssl/tls

http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=xxxxxxx
http-server.http.enabled=false
internal-communication.https.required=true
internal-communication.https.keystore.path=/etc/prestodb.jks
internal-communication.https.keystore.key=xxxxx

---- config query
query.client.timeout=120.00m
query.max-memory=4GB
query.max-memory-per-node=4GB
query.max-total-memory=4GB
query.max-total-memory-per-node=4GB

node-scheduler.network-topology=flat

And when I also tried to remove internal-communication.kerberos.enabled in the workers,
I get this error:
" ERROR Announcer-0 io.airlift.discovery.client.Announcer Cannot connect to discovery server for announce: Announcement failed with status code 401:
2024-02-07T15:54:49.126Z ERROR Announcer-0 io.airlift.discovery.client.Announcer Service announcement failed after 51.13ms. Next request will happen within 0.00s"

This is my config file on the workers:

--- Im a worker
coordinator=false

--- discovery server
discovery.uri=https://coordinator.domaine.com:8443

http-server.authentication.type=PASSWORD,KERBEROS
http.server.authentication.krb5.service-name=prestodb
http.server.authentication.krb5.keytab=/etc/prestodb.keytab
http.authentication.krb5.config=/etc/krb5.conf
internal-communication.kerberos.enabled=false

---- ssl/tls

http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/prestodb.jks
http-server.https.keystore.key=keystore_password=xxxxxx
http-server.http.enabled=false
internal-communication.https.required=true
internal-communication.https.keystore.path=/etc/prestodb.jks
internal-communication.https.keystore.key=xxxx

---- config query
query.client.timeout=120.00m
query.max-memory=2GB
query.max-memory-per-node=1GB
query.max-total-memory=4GB
query.max-total-memory-per-node=1GB

node-scheduler.network-topology=flat
exchange.http-client.request-timeout=20s

And for workers, they communicate with the coordinator over HTTPS. I prefer to maintain HTTPS, as changing it would require adjusting all configurations under load balancers.

Any suggestions, please?

Thank you in advance,

Best Regards,

from presto.
