Conversation

@Praveen2112
Member

No description provided.

@cla-bot cla-bot bot added the cla-signed label Sep 15, 2019
@Praveen2112 Praveen2112 force-pushed the keystore_credentials_provider branch 2 times, most recently from fd292c0 to 26d8ff0 Compare September 16, 2019 01:27
@Praveen2112 Praveen2112 force-pushed the keystore_credentials_provider branch from 26d8ff0 to fc6c236 Compare October 3, 2019 12:23
Member

@kokosing kokosing left a comment

I will merge it once the release goes out.

@kokosing kokosing merged commit 0b72879 into trinodb:master Oct 16, 2019
@kokosing
Member

Merged, thanks!

@Praveen2112 Praveen2112 deleted the keystore_credentials_provider branch October 16, 2019 07:18
@kokosing kokosing mentioned this pull request Oct 16, 2019
5 tasks
@kokosing kokosing added this to the 322 milestone Oct 16, 2019
@optimus-kart
Member

Had a hard time figuring out how to enable this on my trinodb deployment, so I am adding the details here for people who might be looking for the same.
Requirement: keytool; this is pre-installed on your system if you have a valid Java installation.

If your MySQL username is root and your MySQL password is password (I am sure I don't have to explain why that's a bad password),
use the following command to store the username under the mysql-user alias:

keytool -importpassword -alias mysql-user -keystore credentials.jcek -storetype jceks

You will see the following output:

Enter keystore password: <enter password for keystore>  
Re-enter new password:  <re-enter the above password>
Enter the password to be stored:   <username for mysql server (since we are storing username) "root" in this case>
Re-enter password:  <re-enter the above value>
Enter key password for <mysql-user> : <set a password for this key>
	(RETURN if same as keystore password):  
Re-enter new password:  <re-enter the above value>

With this, you will have successfully stored the username in the keystore.
Now, to store the password in the same file, use the following command:

keytool -importpassword -alias mysql-password -keystore credentials.jcek -storetype jceks

You will see the following prompt:

Enter keystore password:  <enter the keystore-password used while creating the keystore file earlier>
Enter the password to be stored: <enter mysql-password>  
Re-enter password:  <enter mysql-password (password in this case)>
Enter key password for <mysql-password>: <enter the password for storing this key>
	(RETURN if same as keystore password):

Once this is done, you will have a credentials.jcek file with both the username and password for your MySQL server.
Now you can update the catalog.properties as below:

connector.name=mysql #you can use any other supported connector
connection-url=jdbc:<mysql-endpoint>:3306
credential-provider.type=KEYSTORE
keystore-file-path=/path/to/credentials.jcek <created above using keytool>
keystore-type=JCEKS
keystore-password=<keystore-level-password>
keystore-user-credential-password=<password for alias mysql-user>
keystore-password-credential-password=<password for alias mysql-password>
keystore-user-credential-name=mysql-user <alias name used to store the MySQL user name>
keystore-password-credential-name=mysql-password <alias name used to store the MySQL password>

Hope this helps
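
The two keytool steps above, plus the retrieval a keystore credential provider performs at runtime, as an added Java example that is not part of the original comment or of the Trino code base. It builds the same credentials.jcek file programmatically with constructed sample passwords and reads both aliases back; the assumption (mine, not stated on the page) is that keytool -importpassword stores the text as a PBE SecretKeyEntry whose encoded form is the text itself.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class JceksCredentials {
    // Store text as a PBE SecretKeyEntry (assumed to match what "keytool -importpassword" writes).
    static void storeSecret(KeyStore ks, String alias, String secret, char[] keyPassword) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(secret.toCharArray()));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(keyPassword));
    }

    // Read one alias back: the keystore password opens the file, the key password unseals the single entry.
    static String readSecret(Path file, char[] storePassword, String alias, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, storePassword);
        }
        SecretKey key = (SecretKey) ks.getKey(alias, keyPassword);
        if (key == null) throw new IllegalArgumentException("no entry under alias " + alias);
        // A PBE key's encoded form is the original text, one byte per 7-bit character.
        return new String(key.getEncoded(), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        Path file = Path.of("credentials.jcek");
        // Constructed sample passwords; they correspond to keystore-password and the two
        // keystore-*-credential-password properties in the catalog file.
        char[] storePassword = "keystore-level-password".toCharArray();
        char[] userKeyPassword = "mysql-user-key-password".toCharArray();
        char[] passKeyPassword = "mysql-password-key-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start from an empty keystore
        storeSecret(ks, "mysql-user", "root", userKeyPassword);
        storeSecret(ks, "mysql-password", "password", passKeyPassword);
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, storePassword);
        }
        System.out.println("mysql-user -> " + readSecret(file, storePassword, "mysql-user", userKeyPassword));
        // Do not print the real password; its length is enough to confirm the round trip.
        System.out.println("mysql-password length -> "
                + readSecret(file, storePassword, "mysql-password", passKeyPassword).length());
    }
}
```

After running it, `keytool -list -keystore credentials.jcek -storetype jceks` lists both aliases as SecretKeyEntry, the same as the file produced by the interactive commands.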

@kokosing
Member

@mosabua Can you capture the above as part of the documentation?

@mosabua
Member

mosabua commented Jul 20, 2021

@kokosing I am missing context here. What is that provider? Are there any existing docs for it or the related properties? Does this apply to all JDBC connectors (and hence needs to be done as an imported fragment or so)? Are there other credential providers?

@kokosing
Member

That is the point. It is not documented.

By default we are using (for all JDBC connectors):

credential-provider.type=INLINE

which allows users to define:

connection-user=ala
connection-password=hasło

The other option is to use:

credential-provider.type=FILE

Then the user has to define the below in the connector properties file:

connection-credential-file=jdbc_connector_credentials.properties

Then in the jdbc_connector_credentials.properties file they can provide:

connection-user=ala
connection-password=hasło

And the last is credential-provider.type=KEYSTORE which is explained above.

Thanks to credential-provider.type, users are able to store credentials to their remote data sources encrypted. In some cases it may increase security, in others it is just security theater. To make it reasonable, only the user that runs the Trino process should be able to read the credential files, and there should be no sudo access for anyone. So a typical admin user can see the Trino configuration but not the credentials.

@kokosing
Member

CC: @Praveen2112 anything to add?

@mosabua
Member

mosabua commented Jul 23, 2021

@Ordinant @jhlodin @rosewms @m57lyra - please create a github issue for the above and assist @Jessie212 with implementation.
