prestodb · anusudarsan · Oct 25, 2016 · Oct 18, 2016 · Oct 27, 2016 · Oct 18, 2016
@@ -21,6 +21,7 @@ env:
     - PRODUCT_TESTS_BASIC_ENVIRONMENT=true
     - PRODUCT_TESTS_SPECIFIC_ENVIRONMENT=true
     - PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_2=true
+    - PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_3=true
     - HIVE_TESTS=true
 
 sudo: required
@@ -44,7 +45,7 @@ install:
       ./mvnw install $MAVEN_FAST_INSTALL -pl '!presto-docs,!presto-server,!presto-server-rpm'
     fi
   - |
-    if [[ -v PRODUCT_TESTS_BASIC_ENVIRONMENT || -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT || -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_2 ]]; then
+    if [[ -v PRODUCT_TESTS_BASIC_ENVIRONMENT || -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT || -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_2 || PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_3 ]]; then
       ./mvnw install $MAVEN_FAST_INSTALL -pl '!presto-docs,!presto-server-rpm'
     fi
   - |
@@ -120,7 +121,7 @@ script:
 #        singlenode-sqlserver -g sqlserver
 #    fi
   - |
-    if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_2 ]]; then
+    if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_3 ]]; then
       presto-product-tests/bin/run_on_docker.sh \
         multinode-tls -g smoke,cli,group-by,join,tls
     fi
@@ -139,10 +140,14 @@ script:
       presto-product-tests/bin/run_on_docker.sh \
         singlenode-cassandra -g cassandra
     fi
-    if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT ]]; then
+    if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_3 ]]; then
       presto-product-tests/bin/run_on_docker.sh \
         multinode-tls-kerberos -g cli,group-by,join,tls
     fi
+    if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_3 ]]; then
+      presto-product-tests/bin/run_on_docker.sh \
+        multinode-tls-ldap -g cli,group-by,join,tls
+    fi
   - |
     if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT_2 ]]; then
       presto-product-tests/bin/run_on_docker.sh \

@@ -87,7 +87,10 @@ public class ClientOptions
     public String user = System.getProperty("user.name");
 
     @Option(name = "--password", title = "password", description = "Prompt for password")
-    public boolean password;
+    public boolean showPasswordPrompt;
+
+    @Option(name = "-P", hidden = true)
+    public String password;
 
     @Option(name = "--source", title = "source", description = "Name of source making query")
     public String source = "presto-cli";

@@ -130,7 +130,7 @@ public boolean run()
                 Optional.ofNullable(clientOptions.truststorePassword),
                 Optional.ofNullable(clientOptions.accessToken),
                 Optional.ofNullable(clientOptions.user),
-                clientOptions.password ? Optional.of(getPassword()) : Optional.empty(),
+                getPassword(),
                 Optional.ofNullable(clientOptions.krb5Principal),
                 Optional.ofNullable(clientOptions.krb5RemoteServiceName),
                 Optional.ofNullable(clientOptions.krb5ConfigPath),
@@ -150,7 +150,15 @@ public boolean run()
         }
     }
 
-    private String getPassword()
+    private Optional<String> getPassword()
+    {
+        if (clientOptions.showPasswordPrompt) {
+            return Optional.ofNullable(promptPassword());
+        }
+        return Optional.ofNullable(clientOptions.password);
+    }
+
+    private String promptPassword()
     {
         checkState(clientOptions.user != null, "Username must be specified along with password");
         String defaultPassword = System.getenv("PRESTO_PASSWORD");

@@ -14,6 +14,10 @@ Every node in the cluster must be configured. Nodes that have not been
 configured, or are configured incorrectly, will not be able to communicate with
 other nodes in the cluster.
 
+.. note::
+
+    Internal SSL/TLS communication with LDAP requires an additional LDAP service user for internal communication.
+
 To enable SSL/TLS for Presto internal communication, do the following:
 
 1. Disable HTTP endpoint.
@@ -112,6 +116,13 @@ To enable SSL/TLS for Presto internal communication, do the following:
         internal-communication.https.keystore.path=<keystore path>
         internal-communication.https.keystore.key=<keystore password>
 
+9. If the :doc:`LDAP</security/ldap>` authentication is enabled, specify valid LDAP
+   credentials for the internal communication.
+
+    .. code-block:: none
+
+        internal-communication.ldap.username=<internal communication user>
+        internal-communication.ldap.password=<internal communication password>
 
 Internal SSL/TLS communication with Kerberos
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@@ -19,12 +19,15 @@
 public class InternalCommunicationConfig
 {
     public static final String INTERNAL_COMMUNICATION_KERBEROS_ENABLED = "internal-communication.kerberos.enabled";
+    public static final String INTERNAL_COMMUNICATION_LDAP_PASSWORD = "internal-communication.ldap.password";
 
     private boolean httpsRequired;
     private String keyStorePath;
     private String keyStorePassword;
     private boolean kerberosEnabled;
     private boolean kerberosUseCanonicalHostname = true;
+    private String internalLdapCommunicationUser;
+    private String internalLdapCommunicationPassword;
 
     public boolean isHttpsRequired()
     {
@@ -86,4 +89,28 @@ public InternalCommunicationConfig setKerberosUseCanonicalHostname(boolean kerbe
         this.kerberosUseCanonicalHostname = kerberosUseCanonicalHostname;
         return this;
     }
+
+    public String getInternalLdapCommunicationUser()
+    {
+        return internalLdapCommunicationUser;
+    }
+
+    @Config("internal-communication.ldap.username")
+    public InternalCommunicationConfig setInternalLdapCommunicationUser(String internalLdapCommunicationUser)
+    {
+        this.internalLdapCommunicationUser = internalLdapCommunicationUser;
+        return this;
+    }
+
+    public String getInternalLdapCommunicationPassword()
+    {
+        return internalLdapCommunicationPassword;
+    }
+
+    @Config(INTERNAL_COMMUNICATION_LDAP_PASSWORD)
+    public InternalCommunicationConfig setInternalLdapCommunicationPassword(String internalLdapCommunicationPassword)
+    {
+        this.internalLdapCommunicationPassword = internalLdapCommunicationPassword;
+        return this;
+    }
 }
@@ -16,6 +16,7 @@
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import io.airlift.configuration.AbstractConfigurationAwareModule;
+import io.airlift.http.client.BasicAuthRequestFilter;
 import io.airlift.http.client.HttpClientConfig;
 import io.airlift.http.client.spnego.KerberosConfig;
 
@@ -25,10 +26,12 @@
 import java.util.Locale;
 
 import static com.facebook.presto.server.InternalCommunicationConfig.INTERNAL_COMMUNICATION_KERBEROS_ENABLED;
+import static com.facebook.presto.server.InternalCommunicationConfig.INTERNAL_COMMUNICATION_LDAP_PASSWORD;
 import static com.facebook.presto.server.security.KerberosConfig.HTTP_SERVER_AUTHENTICATION_KRB5_KEYTAB;
 import static com.google.common.base.Verify.verify;
 import static io.airlift.configuration.ConditionalModule.installModuleIf;
 import static io.airlift.configuration.ConfigBinder.configBinder;
+import static io.airlift.http.client.HttpClientBinder.httpClientBinder;
 
 public class InternalCommunicationModule
         extends AbstractConfigurationAwareModule
@@ -42,6 +45,10 @@ protected void setup(Binder binder)
             config.setKeyStorePassword(internalCommunicationConfig.getKeyStorePassword());
         });
 
+        if (internalCommunicationConfig.getInternalLdapCommunicationUser() != null) {
+            verify(internalCommunicationConfig.getInternalLdapCommunicationPassword() != null, "%s must be set", INTERNAL_COMMUNICATION_LDAP_PASSWORD);
+            httpClientBinder(binder).bindGlobalFilter(new BasicAuthRequestFilter(internalCommunicationConfig.getInternalLdapCommunicationUser(), internalCommunicationConfig.getInternalLdapCommunicationPassword()));
+        }
         install(installModuleIf(InternalCommunicationConfig.class, InternalCommunicationConfig::isKerberosEnabled, kerberosInternalCommunicationModule()));
     }
 

@@ -125,6 +125,8 @@ elif [[ "$ENVIRONMENT" == "multinode-tls" ]]; then
    PRESTO_SERVICES="${PRESTO_SERVICES} presto-worker-1 presto-worker-2"
 elif [[ "$ENVIRONMENT" == "multinode-tls-kerberos" ]]; then
    PRESTO_SERVICES="${PRESTO_SERVICES} presto-worker-1 presto-worker-2"
+elif [[ "$ENVIRONMENT" == "multinode-tls-ldap" ]]; then
+   PRESTO_SERVICES="${PRESTO_SERVICES} presto-worker-1 presto-worker-2 ldapserver"
 fi
 
 # check docker and docker compose installation

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIRECTORY=${BASH_SOURCE%/*}
+
+source ${SCRIPT_DIRECTORY}/../common/compose-commons.sh
+
+docker-compose \
+-f ${SCRIPT_DIRECTORY}/../common/standard.yml \
+-f ${SCRIPT_DIRECTORY}/docker-compose.yml \
+"$@"
@@ -0,0 +1,67 @@
+version: '2'
+services:
+
+  ldapserver:
+    image: 'prestodb/centos6-oj8-openldap:${DOCKER_IMAGES_VERSION}'
+
+  presto-master:
+    domainname: docker.cluster
+    hostname: presto-master
+    image: 'prestodb/centos6-oj8-openldap:${DOCKER_IMAGES_VERSION}'
+    command: /docker/volumes/conf/docker/files/presto-launcher-wrapper.sh multinode-tls-ldap-master run
+    extra_hosts:
+       - "${LDAP_SERVER_HOST}:${LDAP_SERVER_IP}"
+    ports:
+      - '7778:7778'
+    networks:
+      default:
+        aliases:
+         - presto-master.docker.cluster
+    depends_on:
+      - ldapserver
+    volumes:
+      - ../../../conf/presto/etc/multinode-ldap-authenticator.properties:/docker/volumes/conf/presto/etc/password-authenticator.properties
+
+  presto-worker-1:
+    domainname: docker.cluster
+    hostname: presto-worker-1
+    extends:
+      file: ../common/standard.yml
+      service: java-8-base
+    image: 'prestodb/centos6-oj8-openldap:${DOCKER_IMAGES_VERSION}'
+    command: /docker/volumes/conf/docker/files/presto-launcher-wrapper.sh multinode-tls-ldap-worker run
+    extra_hosts:
+       - "${LDAP_SERVER_HOST}:${LDAP_SERVER_IP}"
+    networks:
+      default:
+        aliases:
+         - presto-worker-1.docker.cluster
+    depends_on:
+      - presto-master
+    volumes_from:
+      - presto-master
+
+  presto-worker-2:
+    domainname: docker.cluster
+    hostname: presto-worker-2
+    extends:
+      file: ../common/standard.yml
+      service: java-8-base
+    image: 'prestodb/centos6-oj8-openldap:${DOCKER_IMAGES_VERSION}'
+    command: /docker/volumes/conf/docker/files/presto-launcher-wrapper.sh multinode-tls-ldap-worker run
+    extra_hosts:
+       - "${LDAP_SERVER_HOST}:${LDAP_SERVER_IP}"
+    networks:
+      default:
+        aliases:
+         - presto-worker-2.docker.cluster
+    depends_on:
+      - presto-master
+    volumes_from:
+      - presto-master
+
+  application-runner:
+    image: 'prestodb/centos6-oj8-openldap:${DOCKER_IMAGES_VERSION}'
+    environment:
+      - TEMPTO_PROFILE_CONFIG_FILE=/docker/volumes/conf/tempto/tempto-configuration-for-docker-tls-ldap.yaml
+      - CLI_ARGUMENTS=--server https://presto-master.docker.cluster:7778 --keystore-path /docker/volumes/conf/presto/etc/docker.cluster.jks --keystore-password 123456 --user admin -P admin
@@ -8,5 +8,5 @@
 com.facebook.presto=INFO
 com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory=WARN
 com.ning.http.client=DEBUG
-com.facebook.presto.server.PluginManager=DEBUG
+com.facebook.presto.server.PluginManager=INFO
 io.airlift.discovery.client=INFO
@@ -0,0 +1,16 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+password-authenticator.name=ldap
+ldap.url=ldaps://ldapserver:636
+ldap.user-bind-pattern=cn=${USER},dc=presto,dc=testldap,dc=com
@@ -0,0 +1,32 @@
+#
+# WARNING
+# ^^^^^^^
+# This configuration file is for development only and should NOT be used be
+# used in production. For example configuration, see the Presto documentation.
+#
+
+node.id=will-be-overwritten
+node.environment=test
+node.internal-address-source=FQDN
+
+coordinator=true
+node-scheduler.include-coordinator=false
+discovery-server.enabled=true
+discovery.uri=https://presto-master.docker.cluster:7778
+
+query.max-memory=1GB
+query.max-memory-per-node=512MB
+
+http-server.http.enabled=false
+http-server.https.enabled=true
+http-server.https.port=7778
+http-server.https.keystore.path=/docker/volumes/conf/presto/etc/docker.cluster.jks
+http-server.https.keystore.key=123456
+
+http-server.authentication.type=PASSWORD
+
+internal-communication.https.required=true
+internal-communication.https.keystore.path=/docker/volumes/conf/presto/etc/docker.cluster.jks
+internal-communication.https.keystore.key=123456
+internal-communication.ldap.username=admin
+internal-communication.ldap.password=admin
@@ -0,0 +1,31 @@
+#
+# WARNING
+# ^^^^^^^
+# This configuration file is for development only and should NOT be used be
+# used in production. For example configuration, see the Presto documentation.
+#
+
+node.id=will-be-overwritten
+node.environment=test
+node.internal-address-source=FQDN
+
+coordinator=false
+discovery-server.enabled=false
+discovery.uri=https://presto-master.docker.cluster:7778
+
+query.max-memory=1GB
+query.max-memory-per-node=512MB
+
+http-server.http.enabled=false
+http-server.https.enabled=true
+http-server.https.port=7778
+http-server.https.keystore.path=/docker/volumes/conf/presto/etc/docker.cluster.jks
+http-server.https.keystore.key=123456
+
+http-server.authentication.type=PASSWORD
+
+internal-communication.https.required=true
+internal-communication.https.keystore.path=/docker/volumes/conf/presto/etc/docker.cluster.jks
+internal-communication.https.keystore.key=123456
+internal-communication.ldap.username=admin
+internal-communication.ldap.password=admin
@@ -0,0 +1,24 @@
+databases:
+  hive:
+    host: hadoop-master
+  presto:
+    host: presto-master.docker.cluster
+    port: 7778
+    http_port: 8080
+    https_port: ${databases.presto.port}
+    server_address: https://${databases.presto.host}:${databases.presto.port}
+    jdbc_url: "jdbc:presto://${databases.presto.host}:${databases.presto.port}/hive/${databases.hive.schema}?\
+      SSL=true&\
+      SSLTrustStorePath=${databases.presto.https_keystore_path}&\
+      SSLTrustStorePassword=${databases.presto.https_keystore_password}"
+    configured_hdfs_user: hive
+    https_keystore_path: /docker/volumes/conf/presto/etc/docker.cluster.jks
+    https_keystore_password: '123456'
+    jdbc_user: admin
+    jdbc_password: admin
+    cli_ldap_authentication: true
+    cli_ldap_truststore_path: ${databases.presto.https_keystore_path}
+    cli_ldap_truststore_password: ${databases.presto.https_keystore_password}
+    cli_ldap_user_name: admin
+    cli_ldap_user_password: admin
+    cli_ldap_server_address: https://${databases.presto.host}:${databases.presto.port}