Trino Gateway LDAP Authentication
LDAP support in Trino Gateway is only used to authenticate users who will be logging into Trino Gateway to view information such as which cluster a query was routed to, rules, etc., and is not needed when setting up authentication for Trino. Trino Gateway will pass through credentials to the Trino cluster it connects to.
To set up LDAP specifically for connecting to Trino Gateway’s UI, configure your settings under ‘Advanced trino-gateway-ldap’.
Configuring LDAP
Configure LDAP settings under:
```
Advanced trino-gateway-ldap
```
The generated configuration file is:
```
Trino Gateway LDAP Configuration
```
Trino Gateway LDAP configuration options
The configuration file that will be created by the mpack is ‘Trino Gateway LDAP Configuration’, so if there are any configurations not addressed in ‘Advanced trino-gateway-ldap’, you can set them in the Jinja2 template.
LDAP Role Assignment
Role assignment is based on regex matching against LDAP groups.
Matching uses the value configured in:
```
LDAP Group Member Attribute
```
For more information on security in Trino Gateway, see trino-gateway/docs/security.md at 15 · trinodb/trino-gateway.
Non-LDAP Authentication
When LDAP is disabled, Trino Gateway creates a default admin user.
Change the default password immediately.

Required Authentication Patterns
Configure the following values:
| Setting | Value |
|---|---|
| Admin Authentication Pattern | `(.*)ADMIN(.*)` |
| API Authentication Pattern | `(.*)API(.*)` |
| User Authentication Pattern | `(.*)USER(.*)` |
Adding Additional Users
Add users in:
```
Trino Gateway Configuration
```
Example
```yaml
presetUsers:
  some_user:
    password: 12345
    privileges: USER
```
Multiple Privileges
Privileges can be combined using underscores.
Example:
```yaml
presetUsers:
  some_user:
    password: 12345
    privileges: USER_API
```
Supported privilege values:
- USER
- ADMIN
- API
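The following is an added example, not code from Trino Gateway or from this page. It shows how a combined privileges string such as USER_API resolves to roles under the three patterns written as `(.*)NAME(.*)`, and why strings that merely contain a role keyword deserve review. It assumes each pattern is applied as a case-sensitive full match against one string; the function names and sample values are hypothetical.

```python
import re

# Patterns from "Required Authentication Patterns", written as (.*)NAME(.*).
PATTERNS = {
    "ADMIN": r"(.*)ADMIN(.*)",
    "API": r"(.*)API(.*)",
    "USER": r"(.*)USER(.*)",
}


def roles_for(privileges, patterns=PATTERNS):
    """Return the roles whose pattern matches the whole privileges string.

    Assumption: each pattern is applied as a full match against one string
    (a presetUsers `privileges` value or an LDAP attribute value).
    """
    return {role for role, rx in patterns.items() if re.fullmatch(rx, privileges)}


def unexpected_grants(expected, patterns=PATTERNS):
    """List (value, role) pairs where a pattern grants a role nobody intended.

    `expected` maps each value to the roles an administrator meant to give it.
    """
    findings = []
    for value, intended in expected.items():
        extra = roles_for(value, patterns) - intended
        findings.extend((value, role) for role in sorted(extra))
    return findings


# Constructed samples: two presetUsers privilege strings and two hypothetical
# LDAP group names that were never meant to grant a gateway role.
SAMPLES = {
    "USER": {"USER"},
    "USER_API": {"USER", "API"},
    "cn=hadoop-administrators-readonly": set(),  # lower case, so no match
    "CAPITAL_MARKETS_USERS": set(),  # contains USER, and API inside CAPITAL
}

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:40} -> {sorted(roles_for(value))}")
    for value, role in unexpected_grants(SAMPLES):
        print(f"REVIEW: {value!r} is granted {role} by substring match")
```

Running the same check over the actual LDAP group names in a directory, before enabling LDAP role assignment, shows which groups would pick up a role only because their name contains a keyword.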
Externalizing Passwords
Passwords can either be supplied directly in the configuration file or be specified in /etc/trino-gateway/gateway.env:
```
/etc/trino-gateway/gateway.env
```
To use the file method, first create the /etc/trino-gateway/gateway.env file and add your passwords there.
Example
```
SOMEUSER_PASS="12345"
ANOTHER_PASSWORD="abcdefg"
```
Restrict file permissions:
Ensure the file is only readable by root:
```
chmod 600 /etc/trino-gateway/gateway.env
```
Verify permissions:
```
ls -l /etc/trino-gateway/gateway.env
-rw------- 1 root root 15 May 19 19:54 /etc/trino-gateway/gateway.env
```
Restart Trino Gateway after modifying the environment file.
Referencing Environment Variables
When referencing the passwords in ‘Trino Gateway Configuration’ (which will be saved as ‘config.yaml’), you can replace them with the name of the variable you defined in /etc/trino-gateway/gateway.env.
```yaml
presetUsers:
  some_user:
    password: ${ENV:SOMEUSER_PASS}
    privileges: USER_API
```
For more information on security in Trino Gateway, see trino-gateway/docs/security.md at 15 · trinodb/trino-gateway.