Support Kerberos authentication between nodes

[anusudarsan]

Supersedes #8859.

[kokosing]

it is not invalid method argument but invalid configuration. Should you throw configuration related exception here?

[anusudarsan]

hmm..looks like we valid configs in other places the same way.

[electrum]

Another way to do this is to put the Kerberos configs in a separate class. This allows the properties to be @NotNull and thus they will be validated by the config system (which has good error messages). The class is only bound/requested if the isKerberosEnabled flag is set.

This is similar to how it works in the Hive connector where HdfsKerberosConfig has required properties but the config class is only bound when Kerberos is enabled.

[kokosing]

is this needed? I see that here com/facebook/presto/server/security/KerberosAuthenticator.java:68 it is dynamically evaluated from serviceName

[anusudarsan]

ya, but this is for setting io.airlift.http.client.HttpClientConfig which is by the http client between nodes. See https://github.com/airlift/airlift/blob/master/http-client/src/main/java/io/airlift/http/client/spnego/SpnegoAuthentication.java#L84

[electrum]

Wouldn't this need to match http.server.authentication.krb5.service-name from KerberosConfig? Or will this be different after the next commit because it contains a _HOST placeholder?

[kokosing]

In com.facebook.presto.server.security.KerberosConfig#getKeytab it is nullable, does it have to be non null here?

[anusudarsan]

right. that assumption is good here as well. removed

[kokosing]

how does it relate to KerberosConfig configured in com/facebook/presto/server/security/ServerSecurityModule.java:50

What will happen if internal kerberos communication does not match server kerboros communication? WIll one overwrite the other?

[anusudarsan]

This one is different and is setting io.airlift.http.client.spnego.KerberosConfig which is used by the http client between nodes. Also see io.airlift.http.client.spnego.SpnegoAuthentication similar to KerberosAuthenticator.

[electrum]

They are setting different things, but they have to match, right?

[kokosing]

Maybe you could have internal static class Parser and store parsing related code there. What do you think? Having this class defined at the bottom would not polute this file and would make the most important things to be at the top of the class.

[anusudarsan]

ya looks cleaner. done.

[kokosing]

why no impersonation?

[anusudarsan]

I dont think there is any specific reason. just chose one of the simple kerberos configs.

[kokosing]

add description of this environment to README file

[kokosing]

double licence

[kokosing]

why it fails?

[anusudarsan]

This is using the HttpQueryStatsClient and hence fail with encrypted connection. Previously we never ran smoke group with multinode-tls tests, but with this profile we do.

[kokosing]

do you need to define new tempto configuration file, I thought you reuse file which is used other kerberized environment

[anusudarsan]

The only difference from the other kerberos config is that, this one defines http_port (line 22) which is needed by TLS test group (there is an assertion to test the http port is actually closed). I added this property to the other file and deleted this one.

[anusudarsan]

@kokosing addressed comments

[anusudarsan]

The only difference from the other kerberos config is that, this one defines http_port (line 22) which is needed by TLS test group (there is an assertion to test the http port is actually closed). I added this property to the other file and deleted this one.

[anusudarsan]

This is using the HttpQueryStatsClient and hence fail with encrypted connection. Previously we never ran smoke group with multinode-tls tests, but with this profile we do.

[anusudarsan]

I dont think there is any specific reason. just chose one of the simple kerberos configs.

[anusudarsan]

its already tested below at line 101?

[anusudarsan]

right. that assumption is good here as well. removed

[anusudarsan]

This one is different and is setting io.airlift.http.client.spnego.KerberosConfig which is used by the http client between nodes. Also see io.airlift.http.client.spnego.SpnegoAuthentication similar to KerberosAuthenticator.

[anusudarsan]

ya, but this is for setting io.airlift.http.client.HttpClientConfig which is by the http client between nodes. See https://github.com/airlift/airlift/blob/master/http-client/src/main/java/io/airlift/http/client/spnego/SpnegoAuthentication.java#L84

[anusudarsan]

probably. but that is not part of this PR.

[anusudarsan]

ya looks cleaner. done.

[anusudarsan]

this will just be appending the SEPARATORs to the username/hostname/realm, right? the actual escaping happens in parse and the escape characters will be retained in the variables here.

[anusudarsan]

@electrum I have also addressed your comments from here-
#8859 (review) . Please take a look.

[electrum]

Overall this looks good. I have some concerns about the duplicated config parameters that must be the same value (as far as I can tell).

[electrum]

Wouldn't this need to match http.server.authentication.krb5.service-name from KerberosConfig? Or will this be different after the next commit because it contains a _HOST placeholder?

[electrum]

Same with these, shouldn't it be the same as KerberosConfig?

[anusudarsan]

Added a check to verify both matches.

[electrum]

Another way to do this is to put the Kerberos configs in a separate class. This allows the properties to be @NotNull and thus they will be validated by the config system (which has good error messages). The class is only bound/requested if the isKerberosEnabled flag is set.

This is similar to how it works in the Hive connector where HdfsKerberosConfig has required properties but the config class is only bound when Kerberos is enabled.

[electrum]

They are setting different things, but they have to match, right?

[electrum]

This module is already quite long. How about we move the internal communication stuff into a separate InternalCommunicationModule?

[anusudarsan]

done. created a new module

[electrum]

Can the class be private?

[electrum]

Make this public since it's part of the API

[electrum]

Make public and move to the top

[electrum]

No need for break here

[electrum]

Should this document _HOST?

[anusudarsan]

@electrum addressed your comments. please take another look.

[anusudarsan]

Added a check to verify both matches.

[anusudarsan]

done. created a new module

[anusudarsan]

related - #10317

[panditsurabhi]

We are awaiting this change. Is it going to be merged soon? What's the ETA?

[kokosing]

@anusudarsan Could you please rebase?
@arhimondr Could you please review?

[arhimondr]

Please let me have an another look before you merge. Also please fix the commit history (git rebase "$(git merge-base HEAD master)" --ignore-date -x 'git commit --amend -C HEAD --date="$(date -R)" && sleep 1.05') (Thanks @findepi , sorry, didn't find the original paste)

[arhimondr]

Since we are doing these checks, do we actually need 2 type of properties (for the client and for the server). Can we just use these properties from the server config?

[arhimondr]

You can build it based on the service name. kerberosPrincipal=<kerberosServiceName>/_HOST, and it should get the realm from the config. See https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/server/security/KerberosAuthenticator.java#L68

We are using this convention to build the service principal for the server. I thing we can safely follow the approach to build a client principal as well.

[arhimondr]

Use the one from the server config, remove this property

[arhimondr]

Use the one from the server config, remove this property

[arhimondr]

Use the one from the server config, remove this property. (this one is a static one property, JVM wide)

[arhimondr]

internal-communication.kerberos.enabled

[arhimondr]

internal-communication.kerberos.use-canonical-hostname

[arhimondr]

If you build the principal name based on the service name you will no longer need this commit. Feel free to drop it.

[arhimondr]

Personally i would just drop the smoke group here, so you don't have do exclude the stats_client group.

[arhimondr]

The idea with group-by and join here is to make the Presto do the exchanges.

[arhimondr]

Why is it needed? http is disabled

[anusudarsan]

ya. but we run TLS test group (TlsTests) now in this profile. This property is used there to test if http_port is not actually being used.

[anusudarsan]

@arhimondr addressed all comments

[anusudarsan]

ya. but we run TLS test group (TlsTests) now in this profile. This property is used there to test if http_port is not actually being used.

[arhimondr]

s/Coordinator/server

[arhimondr]

LGTM % few comments

[arhimondr]

clientKerberosConfig?

[arhimondr]

UncheckedIOException

[arhimondr]

getServiceName and getKerberosConfig are marked as @NotNull, and being validated during the KerberosConfig configuration creation

[arhimondr]

I wonder if there is better exception than NullPointerException. NPE for the end user looks like a bug in the code. How about io.airlift.configuration.InvalidConfigurationException?

[anusudarsan]

@arhimondr addressed comments

[anusudarsan]

@arhimondr ping :)

[findepi]

@arhimondr i think i will just merge this

[arhimondr]

Let's just add a message here

[arhimondr]

@findepi I can add the message and merge. Lets just figure out the message. How about

"http.server.authentication.krb5.keytab must be set when kerberos authentication for internal communication is enabled"

We can extract http.server.authentication.krb5.keytab into a constant ofcourse.

[anusudarsan]

sure. that sounds good to me

[anusudarsan]

maybe also point to internal-communication.kerberos.enabled in the message?

[arhimondr]

Yup, that would work