Kerberos and LDAP cannot be enabled at the same time since they are set using the same property, http-server.authentication.type.
If you enable LDAP on a Kerberos cluster, Kerberos authentication will be disabled for Trino. However, Kerberos remains enabled for the Hive connector, and you can access it by making the modifications below.
- Create and add user-mappings.json and rules.json under /etc/trino/conf.

```bash
# Ensure directory exists
ls -lart /etc/trino/conf

# Create user-mappings.json
cat <<EOF > /etc/trino/conf/user-mappings.json
{
  "rules": [
    {
      "pattern": "^([^/]+).*$",
      "allow": true
    }
  ]
}
EOF

# Create rules.json
cat <<EOF > /etc/trino/conf/rules.json
{
  "impersonation": [
    {
      "original_user": ".*",
      "new_user": ".*"
    }
  ],
  "principals": [
    {
      "principal": "(.*)",
      "principal_to_user": "\$1",
      "allow": true
    },
    {
      "principal": "([^/]+)(/.*)?@.*",
      "principal_to_user": "\$1",
      "allow": true
    }
  ]
}
EOF
```

- To add a custom krb5-user mapping, navigate to Ambari UI → Trino → Advanced Configurations → coordinator-config and append the following line at the end of the file.
```
http-server.authentication.krb5.user-mapping.file=/etc/trino/conf/user-mappings.json
```

With the line appended, the end of the file reads:

```
http-server.authentication.krb5.keytab=/etc/security/keytabs/trino.keytab
http.authentication.krb5.config=/etc/krb5.conf
node.internal-address-source=FQDN
http-server.authentication.krb5.user-mapping.file=/etc/trino/conf/user-mappings.json
```
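To check which Trino user a Kerberos principal resolves to under the user-mappings.json rule above, the following added example (not part of the original page or of Trino) evaluates that rule against constructed principals and compares it with a hypothetical stricter rule. It assumes Trino's file-based user mapping semantics: rules are tried in order, the pattern must match the whole principal, and the user defaults to `$1`; the realm and host names are placeholders.

```python
import re

# The rule written to /etc/trino/conf/user-mappings.json on this page.
PAGE_MAPPINGS = {"rules": [{"pattern": r"^([^/]+).*$", "allow": True}]}

# Hypothetical stricter rule (not from the page): one realm only, realm and
# host part stripped. EXAMPLE.COM is a placeholder realm.
STRICT_MAPPINGS = {"rules": [
    {"pattern": r"([^/@]+)(/[^@]+)?@EXAMPLE\.COM", "allow": True},
]}

# Constructed sample principals; hosts and realms are placeholders.
SAMPLES = [
    "alice@EXAMPLE.COM",
    "trino/coordinator.example.com@EXAMPLE.COM",
    "alice@OTHER.REALM",
    "/odd",
]


def map_principal(principal, mappings=PAGE_MAPPINGS):
    """Return the mapped user, or None when denied or no rule matches.

    Assumed semantics: rules are tried in order, a pattern must match the
    whole principal, "user" defaults to "$1", "allow" defaults to true.
    """
    for rule in mappings["rules"]:
        match = re.fullmatch(rule["pattern"], principal)
        if match is None:
            continue
        if not rule.get("allow", True):
            return None
        template = rule.get("user", "$1")
        # Expand Java-style $N group references in the template.
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
    return None


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:50} page={map_principal(p)!r} "
              f"strict={map_principal(p, STRICT_MAPPINGS)!r}")
```

Under the page's rule a principal without a host part keeps its realm in the mapped user name, and principals from any realm are accepted, so check that the resulting names are the ones your access control rules expect.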