Simplifying User Access in Presto with File-Based Authentication

February 21, 2019 by

Presto provides enterprise-grade user authentication mechanisms like LDAP and Kerberos, but a lot of users do no want to go through the complexity of setting up LDAP or Kerberos and would rather have a simpler user authentication mechanism. For such users, Qubole Presto has implemented file-based authentication, where the usernames and passwords are provided to Presto through a file which contains user credentials in a standard format and users submitting the query are authenticated using this information.

For additional security, the passwords taken as input in user:password pairs do not support plain text passwords; only hashed passwords are supported. MD5, SHA1, Crypt, and BCrypt hashing algorithms are supported — we recommend using MD5 and BCrypt.

Configuring Filed-Based Authentication

The following configuration needs to be set up in Presto to enable file-based authentication:

  1. config.properties needs to configure FILE as the authentication type and provide the location of the file that contains all valid pairs of user:password. For example, the following goes into config.properties:
    http-server.authentication.type=FILE
    authentication.filebased.config-file=/usr/lib/presto/etc/file_auth
  2. The password file, which has pairs of user:password, e.g.:
    > cat /usr/lib/presto/etc/file_auth
    ankit:$apr1$bCW.IjMe$5/44.P9lNhklw6i54IXoY.
    raunaq:{SHA}bWdU2ejuS1lWa0mv11TR2YAoOzs=
    sanchit:EY8ULaXsqebTI
    punith:$2y$05$/.QHkz9ytxOWwvcE5zMt7O0fabySUNcdKMqVmJpqTOGIRdFfjlSey

In the example below, there are four users:

  1. ankit: This user’s password is hashed using MD5 and the hashed value is stored as $apr1$bCW.IjMe$5/44.P9lNhklw6i54IXoY.
  2. raunaq: This user’s password is hashed using SHA1 algorithm
  3. sanchit: This user’s password is hashed using Crypt algorithm
  4. punith: This user’s password is hashed using BCrypt algorithm

These configurations can be configured in QDS under Presto Settings in Edit Cluster page:

Refer to QDS documentation to understand how to write custom Presto configurations in QDS.

Apart from configuring file-based authentication, Presto should also be configured to use HTTPS, as HTTP is not secure enough to transmit passwords over wire. Hence, Presto clients allow the transmission of passwords only when communicating over HTTPS. Usually, enabling HTTPS requires users to create certificates and configuring nodes to use them as mentioned in ldap documentation. However, QDS users just need to contact [email protected] to enable HTTPS for their clusters, and Qubole takes care of generating certificates, setting up Presto to use them, etc.

Generating a Password File

The password file containing username:password pairs is generated using standard htpasswd utility, which uses the following syntax:

  • Generate MD5 encrypted passwords using `htpasswd -n <UserName>`
  • SHA1: Generate SHA1 encrypted passwords using `htpasswd -n -s <UserName>`
  • BCrypt: Generate bcrypt-based password using `htpasswd -n -B <UserName>`
  • Generate Crypt algorithm-based password using `htpasswd -n -d <UserName>`

Refer to the htpasswd documentation for all the supported options.

While running a Presto client, each user gives their actual password and not the hashed password (e.g. user1 would set username=ankit and password=myPassword). The authentication system will detect that the given password of user1 in user:password file is MD5 hashed (using the suffix in password), calculate the MD5 hash of entered password and compare the two hashes to authenticate user1.

Client Authentication

Users can submit queries to the master node of a Qubole Presto cluster in two ways:

  1. Via Qubole Data Service (QDS) UI/API/ Qubole ODBC/JDBC Drivers
    In this case, there is no impact to users after enabling file-based authentication. QDS takes care of authenticating users and communicating with the Presto Server over HTTPS instead of HTTP.
  2. Via open source clients like JAVA client, Ruby client, JDBC/ODBC Drivers
    In this case, QDS middleware is bypassed and the file-based authentication system is used to authenticate the users. Users migrating from contacting an insecure Presto Server to a Presto Server using the File-Based Authentication system need to take care of the following changes:

    1. Presto Server will now be accessible over HTTPS and on port 8443.
    2. Username and passwords are mandatory

For example, the JDBC URL to contact insecure Presto Server changes from
jdbc:presto://example.net:8080/hive/sales
to
jdbc:presto://example.net:8443/hive/sales?user=test&password=secret&SSL=true

A file-based authentication system provides a simpler way to authenticate users in Presto without extensive investment in hosting LDAP or Kerberos services. Qubole released file-based authentication as a Beta feature in June 2018, and it was released for GA use in September 2018 with QDS Presto versions 0.180 and above supporting it.

If you want to try out this feature in Qubole Presto, set up your cluster with the configuration as mentioned in this blog and reach out to [email protected] to enable HTTPS on your cluster, then you should be good to go.

  • Blog Subscription

    Get the latest updates on all things big data.
  • Recent Posts

  • Categories

  • Events

    Bay Area DataFest

    May. 23, 2019 | Sunnyvale, CA

    Executive Roundtable

    Jun. 4, 2019 | Portland, OR

    The Qubole Cricket Challenge – Combining Data Engineering & Cricket Into One Interactive Workshop

    Jun. 5, 2019 | London, UK

    Executive Roundtable

    Jun. 5, 2019 | Seattle, WA

    The Qubole Cricket Challenge – Combining Data Engineering & Cricket Into One Interactive Workshop

    Jun. 12, 2019 | London, UK

    Executive Roundtable

    Jun. 13, 2019 | Austin, TX