Starburst Secrets – Hiding Sensitive Presto Credentials

by Tom N.

As Presto continues to rapidly become the SQL engine of choice powering the modern big data consumption layer, security is at the top of our list. Many organizations do not allow sensitive information, such as passwords and usernames, to be stored on servers in plain text.

Presto’s configuration files may include sensitive information, such as passwords and usernames to your data sources. In many enterprise organizations, this violates security policies, so we created a method to encrypt this information using Starburst Secrets. Secrets allow administrators to separate configuration files from this sensitive data by storing it in a Java keystore file. This allows the configuration files to contain only encrypted values of these sensitive config entries.

[Figure: Starburst Secrets architecture graphic]

The process is very straightforward and the steps include:

  1. Generate a keystore file with an alias for your encrypted value.
  2. Create a configuration file to inform Presto where to find the keystore file.
  3. Modify your config file(s) replacing the sensitive value with your alias.

 

OK, let’s get started.

First, we generate our keystore file and give it an alias. In this example, I used “oracle_connection_password” for my alias:

keytool -genseckey -alias oracle_connection_password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12

 

TIP – You can have multiple aliases in one keystore file. Just repeat the command above using a different alias, e.g.:

keytool -genseckey -alias snowflake_connection_password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12

Second, create a file named configuration-source.properties in /etc/presto that indicates to Starburst Presto that we’ll be using a keystore file to store our sensitive information:

configuration-source.properties:

keystore.enabled=true
keystore.file-path=/opt/keystores/presto-keystore.pfx
keystore.password=(the password you used when creating the keystore file above)

 

Third, modify the oracle.properties catalog file, replacing the Oracle password it contained with a reference to the alias:

[root@ip-172-31-8-140 catalog]# cat oracle.properties
connector.name=oracle
connection-url=jdbc:oracle:thin:@<hostname>:1521/prod
connection-user=presto
connection-password=${ENV:oracle_connection_password}
oracle.impersonation.enabled=true

And that’s it! The secrets can be used in any of the Starburst Presto configuration files. We tried to make it as simple as possible to move sensitive information out of configuration files.
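A follow-up check for the three steps above, as an added example that is not from the original post or Starburst's code: it scans every .properties file under a Presto etc directory for password-like keys that still hold a literal value, and flags world-readable permissions on the file holding keystore.password and on the keystore itself. The function names, the key-name pattern and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Starburst code. The key-name heuristic
# (password|secret|token) and all function names are assumptions.

# True when the "other" read bit is set on a file.
world_readable() { [ -n "$(find "$1" -prune -perm -004)" ]; }

# Prints one finding per line:
#   PLAINTEXT <file>:<line> <key>  sensitive key still holding a literal value
#   WORLD-READABLE <file>          file with keystore.password, or the keystore
audit_presto_secrets() {
    find "$1" -type f -name '*.properties' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*[#!]/ { next }                      # properties comments
            {
                eq = index($0, "="); if (eq == 0) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                # keystore.password has to be literal; the mode check covers it
                if (key == "keystore.password") next
                if (tolower(key) !~ /password|secret|token/) next
                # ${PREFIX:alias} placeholder: the value is stored elsewhere
                if (substr(val, 1, 2) == "${" && substr(val, length(val)) == "}" && index(val, ":")) next
                printf "PLAINTEXT %s:%d %s\n", file, NR, key
            }' "$f"
        if grep -q '^[[:space:]]*keystore\.password[[:space:]]*=' "$f"; then
            if world_readable "$f"; then echo "WORLD-READABLE $f"; fi
            ks=$(sed -n 's/^[[:space:]]*keystore\.file-path[[:space:]]*=[[:space:]]*//p' "$f")
            if [ -f "$ks" ] && world_readable "$ks"; then echo "WORLD-READABLE $ks"; fi
        fi
    done
}

# Constructed sample tree (not from the original page) for trying the audit offline.
make_sample_etc() {
    d=$(mktemp -d) && mkdir "$d/catalog" || return 1
    printf 'keystore.enabled=true\nkeystore.file-path=%s/presto-keystore.pfx\nkeystore.password=constructed-pass\n' "$d" \
        > "$d/configuration-source.properties"
    : > "$d/presto-keystore.pfx"
    chmod 600 "$d/presto-keystore.pfx"; chmod 644 "$d/configuration-source.properties"
    printf 'connector.name=oracle\nconnection-password=${ENV:oracle_connection_password}\n' \
        > "$d/catalog/oracle.properties"
    printf 'connector.name=mysql\nconnection-user=presto\nconnection-password = hunter2\n' \
        > "$d/catalog/legacy.properties"
    echo "$d"
}
```

Run it as `audit_presto_secrets /etc/presto`; an empty result means no literal secrets were found and the keystore files are not readable by other users.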

Full documentation can be found here: https://docs.starburstdata.com/latest/security/secrets.html

 

If you have any questions, please feel free to reach out to us at hello@starburstdata.com