security
authentication
self signed certificate
# Write down the Common Name (CN) for your SSL certificate. The CN is the fully qualified name of the system that uses the certificate. For static DNS, use the hostname or IP address set in your Gateway Cluster (for example, 192.16.183.131 or dp1.acme.com).
# Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# Review the created certificate:
openssl x509 -text -noout -in certificate.pem
# Combine your key and certificate in a PKCS#12 (P12) bundle:
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
authorization(todo)
config
coordinator
coordinator=true
node-scheduler.include-coordinator=true
http-server.http.port=38080
query.max-memory=50GB
query.max-memory-per-node=1GB
query.max-total-memory-per-node=2GB
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/home/trino/keys/certificate.p12
http-server.https.keystore.key=trino123
discovery.uri=https://bigdatatestenv02:8443
# open http web ui to login
# http-server.authentication.allow-insecure-over-http=true
http-server.authentication.type=PASSWORD,CERTIFICATE
web-ui.shared-secret=randomly
web-ui.authentication.type=form
internal-communication.shared-secret=u51elfxYF8yEQA3Vu9visEHsDpg5nDMRTCBVjdD+jp/5HLKIT7rMxU7Np6ueT7U97UgosEpJz8Yq
# http-server.https.secure-random-algorithm=SHA1PRNG
internal-communication.https.required=true
worker
coordinator=false
query.max-memory=50GB
query.max-memory-per-node=1GB
query.max-total-memory-per-node=2GB
internal-communication.https.required=true
http-server.https.enabled=true
http-server.https.port=8443
discovery.uri=https://10.201.129.5:8443
internal-communication.shared-secret=u51elfxYF8yEQA3Vu9visEHsDpg5nDMRTCBVjdD+jp/5HLKIT7rMxU7Np6ueT7U97UgosEpJz8Yq
http-server.https.secure-random-algorithm=SHA1PRNG
Secure internal communication
Trino can be configured to secure communication between the nodes of a cluster with internal authentication, and optionally to add TLS on top of it.
Internal communication
Nodes authenticate to each other using a shared secret. For secure internal communication, the shared secret must be set to the same value on every node:
internal-communication.shared-secret=<secret>
A large random value is recommended; it can be generated with the following Linux command:
openssl rand 512 | base64
Internal TLS configuration
TLS can be configured to encrypt communication between the coordinator and all workers. Every node in the cluster must be configured; note that nodes that are not configured, or are misconfigured, cannot communicate with each other.
To enable TLS for internal communication, apply the same configuration on every node:
- Configure the shared secret between nodes.
- Enable automatic certificate creation and trust setup by setting the following in etc/config.properties:
internal-communication.https.required=true
- Change the discovery service URL to use HTTPS and specify the coordinator IP address in etc/config.properties:
discovery.uri=https://<coordinator ip address>:<https port>
Note that using a hostname or fully qualified domain name is not supported: automatic certificate creation for internal TLS only supports IP addresses. Java 17 is not compatible with this feature and cannot be used as the runtime for Trino with this feature enabled.
- Enable HTTPS on all workers:
http-server.https.enabled=true
http-server.https.port=<https port>
- Restart all nodes.
notice
Configuration
http-server.https.secure-random-algorithm
In some situations, changing the source of randomness can significantly improve performance.
By default, TLS encryption uses the /dev/urandom system device as its entropy source. This device has limited throughput, so in high-throughput environments it can become a bottleneck. In that case it is recommended to switch the random generation algorithm to SHA1PRNG, configured through the http-server.https.secure-random-algorithm property in config.properties on every node:
http-server.https.secure-random-algorithm=SHA1PRNG
Note that this algorithm takes its initial seed from the blocking /dev/random device. In environments that do not have enough entropy to seed the SHA1PRNG algorithm, the seed source can be changed to /dev/urandom by adding the java.security.egd property to jvm.config:
-Djava.security.egd=file:/dev/urandom
Client connection
./sven/trino --server https://bigdatatestenv02:8443 --truststore-path keys/certificate.pem --user=test --password
Here bigdatatestenv02 must match the Common Name used when the PEM was generated; an IP address cannot be used.
Q&A
The worker configuration must include coordinator=false; otherwise the worker is treated as a coordinator, and the cluster keeps switching back and forth between the two:
...
2021-12-16T17:53:03.822+0800 WARN http-worker-220 io.trino.execution.SqlTaskManager Switching coordinator affinity from 7f9pm to 86jht
2021-12-16T17:53:04.901+0800 WARN http-worker-202 io.trino.execution.SqlTaskManager Switching coordinator affinity from 86jht to 7f9pm
2021-12-16T17:53:05.824+0800 WARN http-worker-210 io.trino.execution.SqlTaskManager Switching coordinator affinity from 7f9pm to 86jht
2021-12-16T17:53:06.905+0800 WARN http-worker-221 io.trino.execution.SqlTaskManager Switching coordinator affinity from 86jht to 7f9pm
...
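The internal-TLS rules above (discovery.uri must use an IP address, shared secret identical on all nodes) and the Q&A pitfall (a worker without coordinator=false) can be checked before restarting a cluster. The following is an added example linter over config.properties text, written for this page and not part of Trino; the two node configs, node names and PLACEHOLDER secrets it embeds are constructed samples modelled on the coordinator and worker files shown earlier.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the coordinator/worker config.properties above
# (the secrets are placeholders, not the page's real value).
COORDINATOR_CFG = """\
coordinator=true
http-server.https.enabled=true
discovery.uri=https://bigdatatestenv02:8443
internal-communication.shared-secret=PLACEHOLDER_SECRET_A
internal-communication.https.required=true
"""
WORKER_CFG = """\
query.max-memory=50GB
internal-communication.https.required=true
http-server.https.enabled=true
discovery.uri=https://10.201.129.5:8443
internal-communication.shared-secret=PLACEHOLDER_SECRET_B
"""

def parse_properties(text):
    """Parse Java-style .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_cluster(node_cfgs):
    """node_cfgs maps node name -> config.properties text. Returns [(node, problem), ...]."""
    parsed = {name: parse_properties(text) for name, text in node_cfgs.items()}
    problems = []
    # The shared secret must be identical on every node, or the nodes cannot talk to each other.
    if len({p.get("internal-communication.shared-secret") for p in parsed.values()}) != 1:
        problems.append(("cluster", "internal-communication.shared-secret differs between nodes"))
    for name, p in parsed.items():
        # Q&A above: a worker that does not set coordinator=false is treated as a coordinator.
        if "coordinator" not in p:
            problems.append((name, "coordinator= is not set; a worker without coordinator=false flips into coordinator mode"))
        if p.get("internal-communication.https.required") == "true":
            if p.get("http-server.https.enabled") != "true":
                problems.append((name, "internal HTTPS is required but http-server.https.enabled is not true"))
            host = urlparse(p.get("discovery.uri", "")).hostname or ""
            # Automatic internal TLS certificates support only IP addresses, not hostnames.
            if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                problems.append((name, f"discovery.uri host '{host}' is not an IP address"))
    return problems
```

Run lint_cluster({"coordinator": COORDINATOR_CFG, "worker": WORKER_CFG}) to see the three findings the sample configs contain; an empty list means the cluster passes these checks.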