Starburst Secrets – Hiding Sensitive Presto Credentials
As Presto continues to rapidly become the SQL engine of choice powering the modern big data consumption layer, security is at the top of our list. Many organizations do not allow sensitive information of any kind, such as passwords and usernames, to be stored on servers in plain text.
Presto’s configuration files may include sensitive information, such as the passwords and usernames for your data sources. In many enterprise organizations this violates security policy, so we created a way to encrypt this information: Starburst Secrets. Secrets allows administrators to separate sensitive data from the configuration files by storing it in a Java keystore file, so that the configuration files contain only encrypted values for these sensitive config entries.
The process is straightforward and has three steps:
- Generate a keystore file with an alias for your encrypted value.
- Create a configuration file to inform Presto where to find the keystore file.
- Modify your config file(s), replacing the sensitive value with your alias.
Ok, let’s get started.
First, we generate our keystore file and give it an alias. In this example, I used “oracle_connection_password” for my alias:
keytool -genseckey -alias oracle_connection_password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12
Second, create a file named configuration-source.properties in /etc/presto that indicates to Starburst Presto that we’ll be using a keystore file to store our sensitive information:
keystore.password=(the password you used when creating the keystore file above)
Third, I modify my oracle.properties file, which contains my Oracle password:
[root@ip-172-31-8-140 catalog]# cat oracle.properties
And that’s it! The secrets can be used in any of the Starburst Presto configuration files. We tried to make it as simple as possible to extract sensitive information from configuration files.
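Once the three steps are done, two things are worth checking: that no catalog file still carries a literal password, and that configuration-source.properties (which holds the keystore password in plain text) and the keystore file are readable only by their owner. The script below is an added example, not Starburst's own tooling. Its function names, the sample tree with its made-up values, and the rule that a value wrapped in ${...} (for example ${keystore:oracle_connection_password}) counts as a secret reference are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example: audit a Presto etc directory after moving secrets to a keystore.

# Print "file:line:key" for password-like keys that still hold a literal value.
# Assumption: a value wrapped in ${...} is a secret reference, not a literal.
plaintext_secrets() {
    find "$1" -type f -name '*.properties' ! -name configuration-source.properties |
    sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*[#!]/ || !/=/ { next }            # comments, lines without "="
            {
                key = substr($0, 1, index($0, "=") - 1)
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                ref = (substr(val, 1, 2) == "${" && substr(val, length(val)) == "}")
                if (tolower(key) ~ /passw|secret/ && val != "" && !ref)
                    print file ":" NR ":" key          # never print the value itself
            }' "$f"
    done
}

# Print each existing file that grants any access to group or others.
loose_permissions() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "$f"
    done
}

# Constructed sample tree (made-up values) so the checks can be run offline.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/catalog" || return 1
    printf 'connection-user=presto\nconnection-password=Example#123\n' > "$d/catalog/legacy.properties"
    printf 'connection-password=${keystore:oracle_connection_password}\n' > "$d/catalog/oracle.properties"
    printf 'keystore.password=changeit\n' > "$d/configuration-source.properties"
    : > "$d/presto-keystore.pfx"
    chmod 644 "$d/configuration-source.properties"; chmod 600 "$d/presto-keystore.pfx"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    plaintext_secrets "$d" | sed 's/^/PLAINTEXT: /'
    loose_permissions "$d/configuration-source.properties" "$d/presto-keystore.pfx" | sed 's/^/LOOSE PERMS: /'
    rm -rf "$d"
fi
```

Run it with --demo to see the findings on the sample tree, or call the two functions against /etc/presto and your real keystore path.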
Full documentation can be found here: https://docs.starburstdata.com/latest/security/secrets.html
If you have any questions, please feel free to reach out to us at firstname.lastname@example.org