presto-python-client

kerberos auth documentation

Open parisni opened this issue 8 years ago • 13 comments

Hi there,

Any example in the documentation on how to connect to a kerberized presto coordinator from your lib?

Thanks in advance

parisni avatar Nov 05 '17 16:11 parisni

Try something like this

import requests_kerberos

KRB5_CONFIG = "/etc/krb5-thrift.conf"
CA_BUNDLE = "/etc/pki/tls/certs/fb_certs.pem"

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name=COORDINATOR_KRB5_SERVICE_NAME,
    mutual_authentication=requests_kerberos.DISABLED,
    ca_bundle=CA_BUNDLE,
)

Then make a new connection with _auth

highker avatar Dec 20 '17 06:12 highker

@highker

Thank you for your comment. I tried it, but I saw the error below.

NameError: name 'KerberosAuthentication' is not defined

requests-kerberos doesn't seem to have KerberosAuthentication.

You mean use this?

Best regards,

tommarute avatar Dec 21 '17 11:12 tommarute

I'm sorry. I can import in this way.

from prestodb.auth import KerberosAuthentication

tommarute avatar Dec 21 '17 11:12 tommarute

@tommarute, can you show a complete example of how to use '_auth' above? Thanks.

92chabuduo avatar Feb 05 '18 02:02 92chabuduo

@92chabuduo

Hi

I'm sorry to say that I haven't been able to run kerberos auth by using this client.

~~My sample code is here.~~ ~~It doesn't work.~~

~~So I changed presto client from prestodb to pyhive.~~

~~FWIW, This is pyhive sample code.~~ ~~It works.~~

Thanks.

tommarute avatar Feb 06 '18 15:02 tommarute

@tommarute are you sure your pyhive code is using kerberos? I cannot find any mention of a kerberos token in it.

parisni avatar Feb 06 '18 17:02 parisni

@parisni You're completely right. It seems that our presto doesn't require Kerberos authentication. I'm sorry for the confusion.

tommarute avatar Feb 07 '18 00:02 tommarute

Does anyone have authentication against kerberized presto-coordinator working? Could you provide any example? This is my example code:

import prestodb
from prestodb.auth import KerberosAuthentication

KRB5_CONFIG = "/etc/krb5.conf"
CA_BUNDLE = "/etc/ca-chain.crt"

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name='HTTP',
    mutual_authentication=False,
    ca_bundle=CA_BUNDLE,
)

conn = prestodb.dbapi.connect(
    host='presto-coordinator.test.gl',
    port=7778,
    catalog='tpch',
    schema='information_schema',
    http_scheme='https',
    auth=_auth,
)

cur = conn.cursor()
cur.execute('SHOW tables')
rows = cur.fetchall()

It doesn't work although I have a valid kerberos ticket for the user who is sending the request. I obtain a 401 (Unauthorized).

jacibreiro avatar Jan 09 '19 10:01 jacibreiro

If somebody is interested, above code works. The problem was that the user running the code didn't have permission over the keytab. It is already solved.

jacibreiro avatar Jan 10 '19 15:01 jacibreiro

@jacibreiro Many thanks for your code example. My python version is 2.7.16 and I cannot connect to my kerberized presto server, although my java-based client could connect to it successfully. My code sample is:

_auth = KerberosAuthentication(
    config=KRB5_CONFIG,
    service_name='presto',
    principal='[email protected]',
    mutual_authentication=False,
    ca_bundle=CA_BUNDLE,
)
conn = prestodb.dbapi.connect(
    host='presto.server.hulu.com',
    port=7778,
    catalog='hive',
    schema='information_schema',
    http_scheme='https',
    auth=_auth,
    max_attempts=1,
)
cur = conn.cursor()
cur.execute('SHOW tables')
rows = cur.fetchall()

The error is:

Traceback (most recent call last):
  File "/Users/chang.wu/work/workspace/hulu-github-src/hadoop-security/code-layer-verification/src/main/java/com/hulu/security/presto/PrestoPythonClient.py", line 39, in <module>
    cur.execute('SHOW tables')
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/dbapi.py", line 228, in execute
    result = self._query.execute()
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/client.py", line 520, in execute
    response = self._request.post(self._sql)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/prestodb/client.py", line 347, in post
    proxies=PROXIES,
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='presto.server.hulu.com', port=7778): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),))

Process finished with exit code 1

Could anyone provide me some clues? I am quite sure that the kerberized presto server is fine.

VicoWu avatar Apr 19 '19 13:04 VicoWu

@VicoWu the HTTPS request fails to verify the SSL certificate. That seems unrelated to kerberos because it happens in the requests HTTP client library and not in Presto. Are you sure your CA_BUNDLE and Presto server certificate are valid?

ggreg avatar May 06 '19 19:05 ggreg

In the environment I am using, the suggested server to use was a load balancer which did not work with this client. The following code sample worked when the server was a coordinator, and I downloaded the cert directly from this server with the command in the code comment. The presto web ui was available at this same url at https://SERVER:PORT/ui

This code sample worked for me on both Mac OS X and Linux.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import prestodb
import os

"""
turn on kinit debugging info with: export KRB5_TRACE=/dev/stderr

get cert file from server with:
echo -n | openssl s_client -showcerts -connect SERVER:PORT  > file.pem
"""

server = {
    'host': 'presto-coordinator.or.ui.server',
    'port': 8443,
    'ca_bundle':  './your-pem-file.pem',
    }

conn = prestodb.dbapi.connect(
    http_scheme='https',
    host=server['host'],
    port=server['port'],
    user=os.environ['USER'],
    catalog='system',
    auth=prestodb.auth.KerberosAuthentication(
        config='/etc/krb5.conf',
        service_name='presto',
        principal='{}@YOUR.DEFAULT.REALM'.format(os.environ['USER']),
        ca_bundle=server['ca_bundle']
        )
)
cursor = conn.cursor()
cursor.execute('SELECT * FROM system.runtime.nodes')
for row in cursor.fetchall():
    print(row)

antonioshadji avatar Jul 28 '19 18:07 antonioshadji

> If somebody is interested, above code works. The problem was that the user running the code didn't have permission over the keytab. It is already solved.

I am getting a 401 unauthorized issue. Could you please let me know what you mean by didn't have permission over the keytab? What permission do we need for the user?

ngupta1986 avatar Oct 06 '20 05:10 ngupta1986
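
The keytab problem reported earlier in the thread, where the user running the code did not have permission over the keytab and the coordinator answered 401, can be checked before connecting. This is an added example, not code from the thread or from presto-python-client; `check_keytab`, `constructed_keytab` and the 0600/0400 expectation are assumptions of this example, and the stand-in files are constructed.

```python
import os
import stat
import tempfile


def check_keytab(path):
    """Return (code, detail) findings for the keytab at path; [] means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("missing", path)]
    except PermissionError:
        return [("unreachable", "a parent directory denies access to " + path)]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # The account that runs the client must be able to open the keytab.
    # Opening it tests the effective uid, ACLs and any MAC policy at once.
    try:
        with open(path, "rb"):
            pass
    except PermissionError:
        findings.append(("unreadable", "euid %d, owner uid %d, mode %04o"
                         % (os.geteuid(), st.st_uid, mode)))
    # A keytab stores long-term keys, so any group/other bit lets another
    # local account authenticate as the principal.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("too_permissive",
                         "mode %04o, expected 0600 or 0400" % mode))
    return findings


def constructed_keytab(mode):
    """Create an empty stand-in file with the given mode (not a real keytab)."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        p = constructed_keytab(mode)
        print("%04o" % mode, check_keytab(p))
        os.remove(p)
    print(check_keytab("/nonexistent/example.keytab"))
```

Run it as the same account that runs the Presto client, passing that account's keytab path; an `unreadable` finding corresponds to the situation described above.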