prestodb · arhimondr · Jan 9, 2017 · Apr 14, 2017 · Jan 28, 2017 · Aug 28, 2017
@@ -100,7 +100,7 @@ script:
   - |
     if [[ -v PRODUCT_TESTS_SPECIFIC_ENVIRONMENT ]]; then
       presto-product-tests/bin/run_on_docker.sh \
-        multinode-tls -g smoke,cli,group-by,join,tls
+        multinode-tls-kerberos -g smoke,cli,group-by,join,tls -x stats_client
     fi
   - |
     if [[ -v HIVE_TESTS ]]; then

@@ -114,6 +114,20 @@ To enable SSL/TLS for Presto internal communication, do the following:
         internal-communication.https.keystore.key=<keystore password>
 
 
+Internal SSL/TLS communication with Kerberos
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If the :doc:`Kerberos</security/server>` authentication is enabled, specify valid Kerberos
+credentials for the internal communication, in addition to the SSL/TLS properties.
+
+    .. code-block:: none
+
+        internal-communication.authentication.kerberos.enabled=true
+        internal-communication.authentication.krb5.principal=<principal to use for authentication>
+        internal-communication.authentication.krb5.service-name=<kerberos service name>
+        internal-communication.authentication.krb5.config=<kerberos configuration file>
+        internal-communication.authentication.krb5.keytab=<location of the keytab file that can be used to authenticate the principal>
+
 Performance with SSL/TLS enabled
 --------------------------------
 

@@ -15,12 +15,22 @@
 
 import io.airlift.configuration.Config;
 
+import java.io.File;
+
 public class InternalCommunicationConfig
 {
     private boolean httpsRequired;
     private String keyStorePath;
     private String keyStorePassword;
 
+    private String kerberosPrincipal;
+    private String kerberosServiceName;
+    private boolean kerberosEnabled;
+    private File kerberosKeytab;
+    private File kerberosConfig;
+    private boolean kerberosUseCanonicalHostname = true;
+    private File kerberosCredentialCache;
+
     public boolean isHttpsRequired()
     {
         return httpsRequired;
@@ -56,4 +66,88 @@ public InternalCommunicationConfig setKeyStorePassword(String keyStorePassword)
         this.keyStorePassword = keyStorePassword;
         return this;
     }
+
+    public boolean isKerberosEnabled()
+    {
+        return kerberosEnabled;
+    }
+
+    @Config("internal-communication.authentication.kerberos.enabled")
+    public InternalCommunicationConfig setKerberosEnabled(boolean kerberosEnabled)
+    {
+        this.kerberosEnabled = kerberosEnabled;
+        return this;
+    }
+
+    public String getKerberosPrincipal()
+    {
+        return kerberosPrincipal;
+    }
+
+    @Config("internal-communication.authentication.krb5.principal")
+    public InternalCommunicationConfig setKerberosPrincipal(String kerberosPrincipal)
+    {
+        this.kerberosPrincipal = kerberosPrincipal;
+        return this;
+    }
+
+    public String getKerberosServiceName()
+    {
+        return kerberosServiceName;
+    }
+
+    @Config("internal-communication.authentication.krb5.service-name")
+    public InternalCommunicationConfig setKerberosServiceName(String kerberosServiceName)
+    {
+        this.kerberosServiceName = kerberosServiceName;
+        return this;
+    }
+
+    public File getKerberosKeytab()
+    {
+        return kerberosKeytab;
+    }
+
+    @Config("internal-communication.authentication.krb5.keytab")
+    public InternalCommunicationConfig setKerberosKeytab(File kerberosKeytab)
+    {
+        this.kerberosKeytab = kerberosKeytab;
+        return this;
+    }
+
+    public File getKerberosConfig()
+    {
+        return kerberosConfig;
+    }
+
+    @Config("internal-communication.authentication.krb5.config")
+    public InternalCommunicationConfig setKerberosConfig(File kerberosConfig)
+    {
+        this.kerberosConfig = kerberosConfig;
+        return this;
+    }
+
+    public boolean isKerberosUseCanonicalHostname()
+    {
+        return kerberosUseCanonicalHostname;
+    }
+
+    @Config("internal-communication.authentication.krb5.use-canonical-hostname")
+    public InternalCommunicationConfig setKerberosUseCanonicalHostname(boolean kerberosUseCanonicalHostname)
+    {
+        this.kerberosUseCanonicalHostname = kerberosUseCanonicalHostname;
+        return this;
+    }
+
+    public File getKerberosCredentialCache()
+    {
+        return kerberosCredentialCache;
+    }
+
+    @Config("internal-communication.authentication.krb5.credential-cache")
+    public InternalCommunicationConfig setKerberosCredentialCache(File kerberosCredentialCache)
+    {
+        this.kerberosCredentialCache = kerberosCredentialCache;
+        return this;
+    }
 }
@@ -125,6 +125,7 @@
 import com.facebook.presto.type.TypeDeserializer;
 import com.facebook.presto.type.TypeRegistry;
 import com.facebook.presto.util.FinalizerService;
+import com.facebook.presto.util.KerberosPrincipal;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.inject.Binder;
@@ -136,6 +137,7 @@
 import io.airlift.configuration.AbstractConfigurationAwareModule;
 import io.airlift.discovery.client.ServiceDescriptor;
 import io.airlift.http.client.HttpClientConfig;
+import io.airlift.http.client.spnego.KerberosConfig;
 import io.airlift.slice.Slice;
 import io.airlift.stats.PauseMeter;
 import io.airlift.units.DataSize;
@@ -145,6 +147,7 @@
 import javax.inject.Inject;
 import javax.inject.Singleton;
 
+import java.io.File;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -153,6 +156,7 @@
 
 import static com.facebook.presto.execution.scheduler.NodeSchedulerConfig.NetworkTopologyType.FLAT;
 import static com.facebook.presto.execution.scheduler.NodeSchedulerConfig.NetworkTopologyType.LEGACY;
+import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
 import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.common.reflect.Reflection.newProxy;
@@ -209,6 +213,28 @@ protected void setup(Binder binder)
             config.setKeyStorePassword(internalCommunicationConfig.getKeyStorePassword());
         });
 
+        if (internalCommunicationConfig.isKerberosEnabled()) {
+            File kerberosConfig = internalCommunicationConfig.getKerberosConfig();
+            File kerberosKeytab = internalCommunicationConfig.getKerberosKeytab();
+            KerberosPrincipal principal = KerberosPrincipal.valueOf(internalCommunicationConfig.getKerberosPrincipal());
+            String kerberosServiceName = internalCommunicationConfig.getKerberosServiceName();
+            checkArgument(kerberosConfig != null, "kerberos config must be set");
+            checkArgument(kerberosKeytab != null, "kerberos keytab must be set");
+            checkArgument(kerberosServiceName != null, "kerberos service name must be set");
+
+            configBinder(binder).bindConfigGlobalDefaults(KerberosConfig.class, config -> {
+                config.setConfig(kerberosConfig);
+                config.setKeytab(kerberosKeytab);
+                config.setUseCanonicalHostname(internalCommunicationConfig.isKerberosUseCanonicalHostname());
+                config.setCredentialCache(internalCommunicationConfig.getKerberosCredentialCache());
+            });
+            configBinder(binder).bindConfigGlobalDefaults(HttpClientConfig.class, config -> {
+                config.setAuthenticationEnabled(true);
+                config.setKerberosPrincipal(principal.substituteHostnamePlaceholder().toString());
+                config.setKerberosRemoteServiceName(kerberosServiceName);
+            });
+        }
+
         configBinder(binder).bindConfig(FeaturesConfig.class);
 
         binder.bind(SqlParser.class).in(Scopes.SINGLETON);