
2025/4/21 12:34:19 Source: https://blog.csdn.net/lisacumt/article/details/146987271

Trino version 470

1. Official documentation

Trino documentation: see the Security/TLS and HTTPS, Security/PEM files and Security/JKS files sections.

openssl documentation

2. Configure Trino

2.1 Create the server.cnf file

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = CN
countryName_default = CN
stateOrProvinceName = BEIJING
stateOrProvinceName_default = BEIJING
localityName = CHAOYANG
localityName_default = CHAOYANG
0.organizationName  = BAIDU
0.organizationName_default  = BAIDU
organizationalUnitName  = IT
organizationalUnitName_default  = IT
commonName = trino
commonName_max  = 64

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.100.101
DNS.1 = trino-01.baidu.com

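2.2 Key point

Trino does not support PEM files. The documentation says they are supported, but in actual testing, with a PEM file configured under the etc directory, Trino did not pick it up and reported no error after startup. Clients such as keytool and JDBC then cannot obtain the correct certificate; what they receive is a certificate that Trino generated automatically. The error is: unable to find valid certification path to requested target. The details can be captured by connecting over JDBC from IDEA with -Djavax.net.debug=all enabled.
Checking subjectAltName is enough here: its content should match the alt_names entries configured in server.cnf. In the log below it does not match at all, and "subject" : "CN=dev2" also looks auto-generated; the subject should be whatever was passed after -subj in openssl req -new ... .
The error log in detail: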

javax.net.ssl|DEBUG|10|main|2025-04-03 18:36:16.771 CST|CertificateMessage.java:1143|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "0195EFD62826",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=dev2",
      "not before"         : "2025-04-01 08:00:00.000 CST",
      "not  after"         : "2035-04-02 07:59:59.000 CST",
      "subject"            : "CN=dev2",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 49 CB 36 D3 DD 04 A9 EA   30 FD 47 86 79 51 F5 46  I.6.....0.G.yQ.F
          0010: BD B8 03 CB                                        ....
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:true
            PathLen: no limit
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=false
          SubjectAlternativeName [
            DNSName: 192-168-122-1.ip
            DNSName: 192-168-100-101.ip
            DNSName: x--1.ip
            DNSName: 127-0-0-1.ip
            IPAddress: 192.168.122.1
            IPAddress: 192.168.100.101
            IPAddress: 0:0:0:0:0:0:0:1
            IPAddress: 127.0.0.1
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 49 CB 36 D3 DD 04 A9 EA   30 FD 47 86 79 51 F5 46  I.6.....0.G.yQ.F
          0010: BD B8 03 CB                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
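The check described above can be automated. The Python below is an added example, not part of the original post or of Trino: it reads the alt_names entries from server.cnf and the issuer, subject, CA flag and SubjectAlternativeName entries from a javax.net.debug Certificate dump, then reports which expected names the served certificate lacks. The function names are hypothetical, both sample inputs are abridged from this page, and the dump is assumed to have one SAN entry per line, as the JDK prints it.

```python
import re

# Sample inputs abridged from this page: server.cnf (2.1) and the debug log (2.2).
SERVER_CNF = """\
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.100.101
DNS.1 = trino-01.baidu.com
"""
DEBUG_LOG = """\
"issuer"             : "CN=dev2",
"subject"            : "CN=dev2",
BasicConstraints:[
  CA:true
]
SubjectAlternativeName [
  DNSName: 192-168-100-101.ip
  IPAddress: 192.168.100.101
  IPAddress: 127.0.0.1
]
"""

def expected_sans(cnf_text):
    """Collect (kind, value) pairs from the [ alt_names ] section of an openssl cnf."""
    sans, section = set(), None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            section = header.group(1)
        elif section == "alt_names" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sans.add((key.split(".", 1)[0].upper(), value))  # "IP.1" -> "IP"
    return sans

def served_cert(debug_log):
    """Pull issuer, subject, CA flag and SAN entries out of a JSSE Certificate dump."""
    issuer, subject = (re.search(rf'"{n}"\s*:\s*"([^"]*)"', debug_log).group(1)
                       for n in ("issuer", "subject"))
    block = re.search(r"SubjectAlternativeName \[(.*?)\]", debug_log, re.S)
    found = re.findall(r"(DNS|IP)(?:Name|Address):\s*(\S+)", block.group(1) if block else "")
    return {"issuer": issuer, "subject": subject,
            "is_ca": "CA:true" in debug_log, "sans": set(found)}

def diagnose(cnf_text, debug_log):
    """Say how the served certificate differs from the one built from server.cnf."""
    cert = served_cert(debug_log)
    return {"missing_sans": sorted(expected_sans(cnf_text) - cert["sans"]),
            "self_issued": cert["issuer"] == cert["subject"], "is_ca": cert["is_ca"]}
```

For the log on this page the IP entry is present but the DNS name from server.cnf is missing, and the certificate is self-issued with CA:true even though server.cnf requests CA:FALSE.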

2.3 Detailed configuration

# 1. Generate the self-signed root certificate
openssl genrsa -out ca.key -passout pass:trino-ts -des3 2048
# -x509: This option outputs a self signed certificate instead of a certificate request
openssl req -x509 -key ca.key -out ca.crt -subj "/C=CN/ST=BEIJING/L=CHAOYANG/O=BAIDU/OU=IT/CN=CA"
openssl x509 -in ca.crt -text -noout

# 2. Generate the trino-server keystore contents
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=BEIJING/L=CHAOYANG/O=BAIDU/OU=IT/CN=trino-01.baidu.com"
openssl x509 -req -days 365 -in server.csr -out server.crt -extfile server.cnf -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial
# Inspect the whole certificate
openssl x509 -in server.crt -text -noout
# A lot of output, which of course includes subjectAltName
# Check only subjectAltName
openssl x509 -in server.crt -ext subjectAltName -noout
# X509v3 Subject Alternative Name: 
#     IP Address:192.168.100.101, DNS:trino-01.baidu.com
# Verify that the signature is OK
openssl verify -CAfile ca.crt server.crt
# server.crt: OK
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
# Enter: trino-01
openssl x509 -in server.crt -text -noout
openssl pkcs12 -info -in server.p12 # enter trino-01 several times

# Replace the existing keystore
rm -f "$TRINO_HOME/etc/server.p12" && cp server.p12 "$TRINO_HOME/etc/"

# 3. Import the self-signed CA into the local JDK
# (cacerts is under lib/security, the same location as in the Windows commands in 2.4)
# Delete
keytool -delete -storepass changeit -alias trino-ts -keystore "$JAVA_HOME/lib/security/cacerts"
# Import
keytool -import -v -trustcacerts -alias trino-ts -file ca.crt -storepass changeit -keystore "$JAVA_HOME/lib/security/cacerts"
# Verify the import
keytool -list -storepass changeit -alias trino-ts -keystore "$JAVA_HOME/lib/security/cacerts"

# 4. Edit config.properties, see below

# 5. Restart the Trino server
$TRINO_HOME/bin/launcher restart

# 6. Open the web UI
# https://trino-01.baidu.com/ui/login.html

# 7. Verify that trino-server is using the generated certificate (the crt file).
# From another server or a Windows machine, fetch Trino's HTTPS certificate, i.e. the contents of the crt file.
keytool -printcert -rfc -sslserver trino-01.baidu.com:443 > server-remote.crt
cat server-remote.crt # on Windows: type server-remote.crt
# Note: the content obtained here must be identical to server.crt!
openssl x509 -in server-remote.crt -text -ext subjectAltName -noout
openssl verify -CAfile ca.crt server-remote.crt    # server-remote.crt: OK

Edit the $TRINO_HOME/etc/config.properties file:

http-server.https.enabled=true
http-server.https.port=443
http-server.https.keystore.path=etc/server.p12
http-server.https.keystore.key=trino-01

2.4 Configure the JDK on Windows (optional; DBeaver uses it)

Import the self-signed CA into the Windows JDK trust store.

# win jdk
keytool -delete -storepass changeit -alias trino-ts -keystore %JAVA_HOME%\lib\security\cacerts
keytool -import -v -trustcacerts -alias trino-ts -file ca.crt -storepass changeit -keystore  %JAVA_HOME%\lib\security\cacerts

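3. JDBC verification

JDBC verification from Java/Kotlin; Kotlin is used here.
To get the TLS/SSL debug log, add -Djavax.net.debug=all to the VM options.
To connect over TLS/SSL, use any one of methods (1)-(4) below.
The project is built with Gradle; build.gradle contents: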

plugins {
    id 'org.jetbrains.kotlin.jvm' version '1.9.23'
}

group = 'com.ls'
version = '1.0-SNAPSHOT'

repositories {
    maven { url "https://maven.aliyun.com/repository/public" }
    maven { url "https://maven.aliyun.com/repository/gradle-plugin" }
    maven { url "https://maven.aliyun.com/repository/central" }
    maven { url "https://maven.aliyun.com/repository/jcenter" }
    maven { url "https://maven.aliyun.com/repository/google" }
    maven { url "https://maven.aliyun.com/repository" }
    google()
    mavenCentral()
    maven { url 'https://jitpack.io' }
}

dependencies {
    testImplementation 'org.jetbrains.kotlin:kotlin-test'
    testImplementation("io.trino:trino-jdbc:470")
}

test {
    useJUnitPlatform()
}

kotlin {
    jvmToolchain(21)
}

import org.junit.jupiter.api.Test
import java.sql.DriverManager
import java.util.Properties

class TrinoJdbcTest {

    @Test
    fun fistHead() {
        println("hello")
    }

    @Test
    fun tsHost() {
        val user = "myuser"
        val password = "your_password"
        val url = "jdbc:trino://trino-01.baidu.com:443/hive"
        runShowCatalog(url, user, password)
    }

    @Test
    fun tsIp() {
        val user = "myuser"
        val password = "your_password"
        val url = "jdbc:trino://192.168.100.101:443/hive"
        runShowCatalog(url, user, password)
    }

    fun runShowCatalog(url: String, user: String, password: String) {
        val props = Properties()
        props.put("user", user)
        props.put("password", password)
        props.put("SSL", "true")

        // (1) no verification
        // props.put("SSLVerification", "NONE") // must set SSL as true!

        // (2) trust the self-signed CA directly
        props.put("SSLTrustStorePath", "D:\\certs\\ca.crt")

        // (3) use the JVM trust store, into which the self-signed CA has been imported
        // keytool -import -v -trustcacerts -alias trino-ts -file D:\certs\ca.crt -storepass changeit -keystore %JAVA_HOME%\lib\security\cacerts
        // must provide the password for the JVM trust store; its default is "changeit"
        // props.put("SSLTrustStorePath", "%JAVA_HOME%\\lib\\security\\cacerts")
        // props.put("SSLTrustStorePassword", "changeit")

        // Optional client key store; the client key and certificate are generated the same way as the server's.
        // openssl pkcs12 -export -out workspace-client.p12 -inkey workspace-client.key -in workspace-client.crt -passout pass:trino-client
        // props.put("SSLKeyStorePath", "D:\\projects\\trino-jdbc-test\\src\\test\\resources\\workspace-client.pem") // failed
        // props.put("SSLKeyStorePath", "D:\\certs\\client.pem")
        // props.put("SSLKeyStorePassword", "trino-client")

        // maybe use SSLUseSystemKeyStore
        // props.put("SSLUseSystemTrustStore", "true")

        Class.forName("io.trino.jdbc.TrinoDriver")
        // Close the connection and statement when done
        DriverManager.getConnection(url, props).use { conn ->
            conn.createStatement().use { stmt ->
                val query = stmt.executeQuery("show catalogs")
                while (query.next()) {
                    val db = query.getString(1)
                    println(db)
                }
            }
        }
    }
}
