Password file authentication#
Trino can be configured to enable frontend password authentication over HTTPS for clients, such as the CLI, or the JDBC and ODBC drivers. The username and password are validated against usernames and passwords stored in a file.
Password file authentication is very similar to LDAP authentication. Please see the LDAP documentation for generic instructions on configuring the server and clients to use TLS and authenticate with a username and password.
Password authenticator configuration#
To enable password file authentication, set the password authentication type in
In addition, create a
etc/password-authenticator.properties file on the
coordinator with the
file authenticator name:
The following configuration properties are available:
Path of the password file.
How often to reload the password file. Defaults to
Max number of cached authenticated passwords. Defaults to
The password file contains a list of usernames and passwords, one per line, separated by a colon. Passwords must be securely hashed using bcrypt or PBKDF2.
bcrypt passwords start with
$2y$ and must use a minimum cost of
PBKDF2 passwords are composed of the iteration count, followed by the hex encoded salt and hash:
Creating a password file#
Create an empty password file to get started:
Add or update the password for the user
htpasswd -B -C 10 password.db test
Connect to the Web UI from your browser using a URL that uses HTTPS, such as
https://trino.example.com:8443. Enter a username in the
Usernametext box and the corresponding password in the
Passwordtext box, and log in to the UI. Confirm that you are not able to log in using an incorrect username and password combination. A successful login displays the username in the top right corner of the UI.
Connect with the Trino CLI using a URL that uses HTTPS, such as
https://trino.example.net:8443with the addition of the
./trino --server https://trino.example.com:8443 --user test --password
The above command quotes you for a password. Supply the password set for the
user entered for the
--user property to use the
trino> prompt. Sucessful
authentication allows you to run queries from the CLI.
To test the connection, send a query:
trino> SELECT 'rocks' AS trino; trino ------- rocks (1 row) Query 20220919_113804_00017_54qfi, FINISHED, 1 node Splits: 1 total, 1 done (100.00%) 0.12 [0 rows, 0B] [0 rows/s, 0B/s]