- security
- authentication
- self signed certificate
- authorization(todo)
- config
- coordinator
- worker
- 安全内部通讯
- 内部通信
- 内部配置TLS
- notice
- 配置
- http-server.https.secure-random-algorithm
- 客户端连接
- Q&A
# Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. For static DNS, use the hostname or IP address set in your Gateway Cluster (for example. 192.16.183.131 or dp1.acme.com). # Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted. openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem # Review the created certificate: openssl x509 -text -noout -in certificate.pem # Combine your key and certificate in a PKCS#12 (P12) bundle: openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12authorization(todo) config coordinator
coordinator=true node-scheduler.include-coordinator=true http-server.http.port=38080 query.max-memory=50GB query.max-memory-per-node=1GB query.max-total-memory-per-node=2GB http-server.https.enabled=true http-server.https.port=8443 http-server.https.keystore.path=/home/trino/keys/certificate.p12 http-server.https.keystore.key=trino123 discovery.uri=https://bigdatatestenv02:8443 # open http web ui to login # http-server.authentication.allow-insecure-over-http=true http-server.authentication.type=PASSWORD,CERTIFICATE web-ui.shared-secret=randomly web-ui.authentication.type=form internal-communication.shared-secret=u51elfxYF8yEQA3Vu9visEHsDpg5nDMRTCBVjdD+jp/5HLKIT7rMxU7Np6ueT7U97UgosEpJz8Yq # http-server.https.secure-random-algorithm=SHA1PRNG internal-communication.https.required=trueworker
coordinator=false query.max-memory=50GB query.max-memory-per-node=1GB query.max-total-memory-per-node=2GB internal-communication.https.required=true http-server.https.enabled=true http-server.https.port=8443 discovery.uri=https://10.201.129.5:8443 internal-communication.shared-secret=u51elfxYF8yEQA3Vu9visEHsDpg5nDMRTCBVjdD+jp/5HLKIT7rMxU7Np6ueT7U97UgosEpJz8Yq http-server.https.secure-random-algorithm=SHA1PRNG安全内部通讯
trino可以配置安全通讯使用集群中节点内部授权,和可选增加安全TLS.
内部通信不同节点之间认证使用共享secret. 对于内部安全通讯,共享secret一定设置相同的值在所有节点.
internal-communication.shared-secret=
推荐生成一个大的随机数,可以使用下边linux命令生成
openssl rand 512 | base64内部配置TLS
可以配置coordinator 和所有 worker 加密通讯使用TLS. 每个在集群中节点 一定都要配置.注意节点没配置或配置错误,是不能彼此通信的.
为内部通信开启TLS 节点使用下边相同配置.
- 节点间配置共享secret
- 开启自动 证书创建和信任配置在etc/config.properties 中设置.
internal-communication.https.required=true
- 改变URL为发现服务使用HTTPS和指定coordinator IP地址在etc/config.properties
discovery.uri=https://:
注意使用hostname或完整的域名是不支持的.自动证书创建在内部TLS公支持IP地址. JAVA17公司不兼容使用这个特性,并且不能使用运行时为Trino开启这个特性.
- 所有work开启HTTPS
http-server.https.enabled=true http-server.https.port=
- 重启所有节点
在某些情况下,改变随机数源可以显著提高性能.
默认TLS加密使用/dev/urandom系统设备作为源熵.这个设备限制了吞吐量,所以在高吞吐的环境,它可能成为瓶颈.在这种情况下推荐切换随机生成算法SHA1PRNG,配置通过http-server.https.secure-random-algorithm 属性在config.properties中,并配置到所有节点.
http-server.https.secure-random-algorithm=SHA1PRNG
注意这个算法用初始种子从阻塞的/dev/random设备.对于这样环境没有足够多的熵种子对SHAPRNG算法,源可以改为/dev/urandom,增加java.security.egd属性到jvm.config中:
-Djava.security.egd=file:/dev/urandom客户端连接
./sven/trino --server https://bigdatatestenv02:8443 --truststore-path keys/certificate.pem --user=test --password
这时bigdatatestenv02是与生成pem的common name有关,不能使用IP
Q&Aworker配置一定要加上coordinator=false,不然会把worker当成coordinator,这样会来回切换
... 2021-12-16T17:53:03.822+0800 WARN http-worker-220 io.trino.execution.SqlTaskManager Switching coordinator affinity from 7f9pm to 86jht 2021-12-16T17:53:04.901+0800 WARN http-worker-202 io.trino.execution.SqlTaskManager Switching coordinator affinity from 86jht to 7f9pm 2021-12-16T17:53:05.824+0800 WARN http-worker-210 io.trino.execution.SqlTaskManager Switching coordinator affinity from 7f9pm to 86jht 2021-12-16T17:53:06.905+0800 WARN http-worker-221 io.trino.execution.SqlTaskManager Switching coordinator affinity from 86jht to 7f9pm ...
