Adding Trino Impersonation to a Cluster

You can configure a Hadoop cluster to allow the user or principal that Trino is running as to impersonate the users who log in to Trino.

When using Kerberos metastore authentication with impersonation, the principal specified by the hive.metastore.client.principal property must be enabled to impersonate the current Trino user. Impersonation in Hadoop is configured in the file core-site.xml.

  1. To use impersonation, the Hadoop cluster must be configured to allow the user or principal that Trino is running as to impersonate the users who log in to Trino. Impersonation in Hadoop is configured in the file core-site.xml:
    hadoop.proxyuser.trino.groups = *
    hadoop.proxyuser.trino.hosts = *
  2. Add Trino impersonation properties to the connectors.to.add property:
    1. Access Apache Ambari.
    2. From the side toolbar, under Services click Trino.
    3. Click Configs.
    4. In the Connectors section, add the following to connectors.to.add:
      {'hive':['connector.name=hive','hive.metastore.thrift.impersonation.enabled=true', 
      'hive.hdfs.impersonation.enabled=true', 
      'hive.metastore.uri=thrift://server-mn1.oraclevcn.com:9083',
      'hive.metastore.authentication.type=KERBEROS',
      'hive.metastore.service.principal=hive/_HOST@BDSCLOUDSERVICE.ORACLE.COM',
      'hive.metastore.client.principal=trino/_HOST@BDSCLOUDSERVICE.ORACLE.COM',
      'hive.metastore.client.keytab=/etc/security/keytabs/trino.service.keytab',
      'hive.hdfs.authentication.type=KERBEROS',
      'hive.hdfs.trino.principal=trino/_HOST@BDSCLOUDSERVICE.ORACLE.COM',
      'hive.hdfs.trino.keytab=/etc/security/keytabs/trino.service.keytab',
      'hive.config.resources=/etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml',]}

      The Hive connector catalog file, /etc/trino/conf/catalog/hive.properties, is populated with the properties above.

      Note

      A system access control enforces authorization at a global level, before any connector-level authorization. With the default system access control, all operations are permitted except user impersonation and triggering graceful shutdown. For more information, see System Access Control.
  3. Add allow-all to access-control.properties:
    # pwd
    /etc/trino/conf
     
    # cat access-control.properties
    access-control.name=allow-all
    Note

    For Big Data Service earlier than 3.023, you must create /etc/trino/conf/access-control.properties.
  4. Verify in the Trino server start-up logs that the allow-all system access control was loaded. For example:
    2024-02-08T12:58:40.908Z        INFO    main    io.trino.security.AccessControlManager  -- Loading system access control etc/access-control.properties --
    2024-02-08T12:58:40.909Z        INFO    main    io.trino.security.AccessControlManager  -- Loaded system access control allow-all --
    [...]
    2024-02-08T12:58:41.201Z        INFO    main    io.trino.server.Server  ======== SERVER STARTED ========
  5. Confirm that impersonation works correctly by connecting as the Trino principal and setting --session-user to the user to impersonate. For example:
    [root@server-un1 conf]# /usr/lib/trino/bin/trino-cli --server https://server-un1.oraclevcn.com:7778 --krb5-principal trino/server-un1.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM --krb5-keytab-path /etc/security/keytabs/trino.service.keytab --krb5-remote-service-name trino --truststore-path=/etc/security/serverKeys/truststore.jks --user <username> --session-user <username> --debug
    trino> show catalogs;
     Catalog
    ---------
     hive
     system
     tpch
    (3 rows)
    Query 20240208_125940_00002_vdzw6, FINISHED, 1 node
    https://server-un1.oraclevcn.com:7778/ui/query.html?20240208_125940_00002_vdzw6
    Splits: 19 total, 19 done (100.00%)
    CPU Time: 0.0s total,     0 rows/s,     0B/s, 33% active
    Per Node: 0.1 parallelism,     0 rows/s,     0B/s
    Parallelism: 0.1
    Peak Memory: 0B
    0.37 [0 rows, 0B] [0 rows/s, 0B/s]
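The steps above spread the impersonation setup across two files that must agree: the proxyuser entries in core-site.xml (step 1) and the Hive connector properties that Ambari writes to hive.properties (step 2). The following Python script is an added example, not part of the Oracle or Trino documentation, that reads both files and reports mismatches: a Kerberos-authenticated principal with impersonation enabled but no matching hadoop.proxyuser entry, a principal without its keytab, and proxyuser values set to the wildcard `*` (which accepts any host or group, so the page's wildcard values are reported as warnings rather than errors). It assumes Hadoop's default auth_to_local mapping, under which `trino/_HOST@REALM` maps to the user `trino`; the two input documents are constructed inline from the values shown on this page. It also generalizes slightly beyond the page by checking the metastore and HDFS paths with the same rule.

```python
"""Cross-check Trino Hive connector impersonation settings against core-site.xml proxyuser rules.
Added example; assumes Hadoop's default auth_to_local mapping (first principal component = user)."""
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment mirroring the step 1 wildcard proxyuser entries.
CORE_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.proxyuser.trino.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.trino.hosts</name><value>*</value></property>
</configuration>
"""

# Constructed hive.properties content, as generated from the connectors.to.add entry in step 2.
HIVE_PROPERTIES = """connector.name=hive
hive.metastore.thrift.impersonation.enabled=true
hive.hdfs.impersonation.enabled=true
hive.metastore.uri=thrift://server-mn1.oraclevcn.com:9083
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/_HOST@BDSCLOUDSERVICE.ORACLE.COM
hive.metastore.client.principal=trino/_HOST@BDSCLOUDSERVICE.ORACLE.COM
hive.metastore.client.keytab=/etc/security/keytabs/trino.service.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.trino.principal=trino/_HOST@BDSCLOUDSERVICE.ORACLE.COM
hive.hdfs.trino.keytab=/etc/security/keytabs/trino.service.keytab
"""

# (impersonation flag, authentication type, principal, keytab) for each Kerberos path the connector uses.
IMPERSONATION_PATHS = [
    ("hive.metastore.thrift.impersonation.enabled", "hive.metastore.authentication.type",
     "hive.metastore.client.principal", "hive.metastore.client.keytab"),
    ("hive.hdfs.impersonation.enabled", "hive.hdfs.authentication.type",
     "hive.hdfs.trino.principal", "hive.hdfs.trino.keytab"),
]


def parse_properties(text):
    """Parse Java-style key=value lines into a dict; blank lines and #/! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_core_site(xml_text):
    """Return {name: value} for every <property> element in a core-site.xml document."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def short_name(principal):
    """Map 'trino/_HOST@REALM' to 'trino' (default auth_to_local behaviour, assumed here)."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def check_impersonation(hive_props, core_site):
    """Return a list of (level, message) findings; an empty list means the two files agree."""
    findings = []
    checked_users = set()
    for enabled_key, auth_key, principal_key, keytab_key in IMPERSONATION_PATHS:
        if hive_props.get(enabled_key, "false").lower() != "true":
            continue
        if hive_props.get(auth_key, "NONE").upper() != "KERBEROS":
            continue  # only a Kerberos-authenticated principal needs a proxyuser rule
        principal = hive_props.get(principal_key)
        if not principal:
            findings.append(("ERROR", f"{enabled_key}=true but {principal_key} is not set"))
            continue
        if not hive_props.get(keytab_key):
            findings.append(("ERROR", f"{principal_key} is set but {keytab_key} is not"))
        user = short_name(principal)
        if user in checked_users:
            continue  # same proxy user already verified for the other path
        checked_users.add(user)
        for scope in ("hosts", "groups"):
            key = f"hadoop.proxyuser.{user}.{scope}"
            value = core_site.get(key)
            if value is None:
                findings.append(("ERROR", f"core-site.xml lacks {key}; {user} cannot impersonate"))
            elif value == "*":
                findings.append(("WARN", f"{key} is '*': any {scope[:-1]} is accepted; "
                                         f"narrow it to the Trino nodes or the required groups"))
    return findings


if __name__ == "__main__":
    for level, message in check_impersonation(parse_properties(HIVE_PROPERTIES),
                                              parse_core_site(CORE_SITE_XML)):
        print(f"{level}: {message}")
```

Run against the page's values the script reports two warnings (the wildcard hosts and groups entries) and no errors; pointing it at a core-site.xml without the trino proxyuser entries turns those into errors, which is the condition that makes the --session-user query in step 5 fail. To use it on a live coordinator, replace the two constructed strings with the contents of /etc/hadoop/conf/core-site.xml and /etc/trino/conf/catalog/hive.properties.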