【trino】trino配置证书https tls/ssl访问


trino版本470

一、官方文档

doc
在Security/TLS and HTTPS、Security/PEM files和Security/JKS files下

openssl文档

二、配置trino

2.1 创建server.cnf文件

# OpenSSL config for the Trino server certificate.
# NOTE: the `openssl req -new` command in 2.3 is run without `-config server.cnf`, so the
# [ req ] / [ req_distinguished_name ] sections below are not actually consulted there
# (the subject comes from `-subj`); they only take effect if `-config server.cnf` is added.
# What *is* consumed from this file is [ v3_req ] (via `-extfile server.cnf -extensions v3_req`
# at signing time), because `x509 -req` does not copy extensions out of the CSR.
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Prompt fields and their defaults (only used when this file is passed with `-config`).
# The CN default here (trino) differs from the CN=trino-01.baidu.com given with `-subj` in 2.3.
[ req_distinguished_name ]
countryName = CN
countryName_default = CN
stateOrProvinceName = BEIJING
stateOrProvinceName_default = BEIJING
localityName = CHAOYANG
localityName_default = CHAOYANG
0.organizationName  = BAIDU
0.organizationName_default  = BAIDU
organizationalUnitName  = IT
organizationalUnitName_default  = IT
commonName = trino
commonName_max  = 64

# End-entity (server) certificate: CA:FALSE prevents this key from signing further certs.
# No keyUsage / extendedKeyUsage is set; strict clients may require
# `extendedKeyUsage = serverAuth`, so add it if a client rejects the certificate for that reason.
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

# Clients validate the host against these SAN entries, not the CN. Both the IP and the DNS
# name used in the JDBC URLs below must be listed, otherwise host-name verification fails.
[ alt_names ]
IP.1 = 192.168.100.101
DNS.1 = trino-01.baidu.com

2.2 重点

trino不支持pem文件:虽然文档里注明支持,但实际测试在etc目录配置pem后,trino无法识别,启动后也不会报错,但keytool/jdbc等客户端无法获取正确的证书,获取到的是trino自动生成的证书,报错内容:unable to find valid certification path to requested target。该日志可以通过idea连接jdbc并开启-Djavax.net.debug=all获取到。
这里我们只需check subjectAltName,其内容应该与server.cnf中配置的alt_names项目一致。此处可以看到完全不一致,另外"subject" : "CN=dev2"也像是自动生成的,subject内容应该是openssl req -new ... -subj后指定的内容。
具体报错日志如下

javax.net.ssl|DEBUG|10|main|2025-04-03 18:36:16.771 CST|CertificateMessage.java:1143|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "0195EFD62826",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=dev2",
      "not before"         : "2025-04-01 08:00:00.000 CST",
      "not  after"         : "2035-04-02 07:59:59.000 CST",
      "subject"            : "CN=dev2",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 49 CB 36 D3 DD 04 A9 EA   30 FD 47 86 79 51 F5 46  I.6.....0.G.yQ.F
          0010: BD B8 03 CB                                        ....
          ]
          ]
        },
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:true
            PathLen: no limit
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=false
          SubjectAlternativeName [
            DNSName: 192-168-122-1.ip
            DNSName: 192-168-100-101.ip
            DNSName: x--1.ip
            DNSName: 127-0-0-1.ip
            IPAddress: 192.168.122.1
            IPAddress: 192.168.100.101
            IPAddress: 0:0:0:0:0:0:0:1
            IPAddress: 127.0.0.1
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 49 CB 36 D3 DD 04 A9 EA   30 FD 47 86 79 51 F5 46  I.6.....0.G.yQ.F
          0010: BD B8 03 CB                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)

2.3 具体配置

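# 1. Generate the self-signed root CA.
#    -des3/-passout encrypt ca.key; the req/x509 steps that use ca.key will prompt for this passphrase.
openssl genrsa -out ca.key -passout pass:trino-ts -des3 2048
chmod 600 ca.key
# -x509: This option outputs a self signed certificate instead of a certificate request
# -days: without it `req -x509` defaults to 30 days, after which every trust store this CA was
#        imported into silently stops validating the server. 3650 is a chosen sample value.
openssl req -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=BEIJING/L=CHAOYANG/O=BAIDU/OU=IT/CN=CA"
openssl x509 -in ca.crt -text -noout

# 2. Generate the trino-server keystore contents.
openssl genrsa -out server.key 2048
chmod 600 server.key
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=BEIJING/L=CHAOYANG/O=BAIDU/OU=IT/CN=trino-01.baidu.com"
# `x509 -req` does not copy extensions from the CSR; -extfile/-extensions supply the
# subjectAltName from server.cnf, which is what clients match the host against.
openssl x509 -req -days 365 -in server.csr -out server.crt -extfile server.cnf -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial
# Verify everything
openssl x509 -in server.crt -text -noout
# Lots of output, including subjectAltName
# Verify only subjectAltName
openssl x509 -in server.crt -ext subjectAltName -noout
# X509v3 Subject Alternative Name:
#     IP Address:192.168.100.101, DNS:trino-01.baidu.com
# Verify the signature chains to the CA
openssl verify -CAfile ca.crt server.crt
# server.crt: OK
# Export password prompt: enter trino-01 — it must equal http-server.https.keystore.key in config.properties.
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
chmod 600 server.p12
openssl x509 -in server.crt -text -noout
openssl pkcs12 -info -in server.p12 # prompts for trino-01 several times

# Replace the existing keystore.
# Guard and quote the variable: with TRINO_HOME unset the original `rm -rf /$TRINO_HOME/...`
# resolved to a path under the filesystem root.
: "${TRINO_HOME:?TRINO_HOME is not set}"
rm -f "$TRINO_HOME/etc/server.p12" && cp server.p12 "$TRINO_HOME/etc/"


# 3. Import the self-signed CA into the local JDK trust store.
#    NOTE: this makes every Java program that uses this JDK trust the CA. A dedicated trust
#    store (SSLTrustStorePath in the JDBC example below) keeps the trust decision local.
#    NOTE(review): JDK 9+ keeps cacerts at $JAVA_HOME/lib/security/cacerts, which is the layout
#    the Windows section uses; confirm the path below matches your JDK.
: "${JAVA_HOME:?JAVA_HOME is not set}"
# Remove a previous import (errors harmlessly if the alias does not exist yet)
keytool -delete -storepass changeit -alias trino-ts -keystore "$JAVA_HOME/security/cacerts"
# Import
keytool -import -v -trustcacerts -alias trino-ts -file ca.crt -storepass changeit -keystore "$JAVA_HOME/security/cacerts"
# Verify the import
keytool -list -storepass changeit -alias trino-ts -keystore "$JAVA_HOME/security/cacerts"

# 4. Edit config.properties, see below
# 5. Restart trino server
"$TRINO_HOME/bin/launcher" restart

# 6. Open the web UI (not a shell command):
#    https://trino-01.baidu.com/ui/login.html

# 7. Verify that trino-server is serving the generated certificate (the crt file).
#    From another server (or Windows) fetch the certificate Trino actually presents.
keytool -printcert -rfc -sslserver trino-01.baidu.com:443 > server-remote.crt
cat server-remote.crt # on Windows: type server-remote.crt
# NOTE: this must be identical to server.crt! A subject of CN=dev2 or SAN entries like
# 192-168-100-101.ip mean Trino is still serving its auto-generated certificate.
openssl x509 -in server-remote.crt -text -ext subjectAltName -noout
openssl verify -CAfile ca.crt server-remote.crt    # server-remote.crt: OK
# Compare fingerprints rather than eyeballing the PEM text: the two lines must match.
openssl x509 -in server.crt -noout -fingerprint -sha256
openssl x509 -in server-remote.crt -noout -fingerprint -sha256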

修改$TRINO_HOME/etc/config.properties文件

# Enable TLS on the coordinator. Plain HTTP stays reachable on its own port unless
# http-server.http.enabled=false is also set, so clients can still bypass TLS until it is.
http-server.https.enabled=true
# 443 is typically a privileged port on Linux; the launcher needs the right to bind it.
http-server.https.port=443
# Relative to the Trino installation directory: the PKCS#12 file from `openssl pkcs12 -export`.
http-server.https.keystore.path=etc/server.p12
# Password of server.p12 — the value entered at the pkcs12 export prompt (trino-01 above).
# It is stored in clear text here, so keep this file readable only by the Trino user.
http-server.https.keystore.key=trino-01

2.4 win端配置jdk(可选,dbeaver会用到)

修改win的jdk,注入自签名ca。

# win jdk
keytool -delete -storepass changeit -alias trino-ts -keystore %JAVA_HOME%\lib\security\cacerts
keytool -import -v -trustcacerts -alias trino-ts -file ca.crt -storepass changeit -keystore  %JAVA_HOME%\lib\security\cacerts

三、jdbc验证

java/kotlin jdbc验证,此处使用kotlin语言:
TLS/SSL的debug日志需要在VM options处添加-Djavax.net.debug=all
通过tls/ssl需要使用如下方法(1)-(4)中的任意一种。
使用gradle构建项目,build.gradle内容:

// Gradle build for the JDBC TLS check. The trino-jdbc version (470) is pinned to match the server.
plugins {
    id 'org.jetbrains.kotlin.jvm' version '1.9.23'
}

group = 'com.ls'
version = '1.0-SNAPSHOT'

// Repositories are searched in order and each artifact is taken from the first one that has it.
// Keep the list to what is needed: every extra source (jitpack in particular builds arbitrary
// Git repositories) widens where a pinned coordinate can be resolved from.
repositories {
    maven { url "https://maven.aliyun.com/repository/public" }
    maven { url "https://maven.aliyun.com/repository/gradle-plugin" }
    maven { url "https://maven.aliyun.com/repository/central" }
    maven { url "https://maven.aliyun.com/repository/jcenter" }
    maven { url "https://maven.aliyun.com/repository/google" }
    maven { url "https://maven.aliyun.com/repository" }
    google()
    mavenCentral()
    maven { url 'https://jitpack.io' }
}

dependencies {
    testImplementation 'org.jetbrains.kotlin:kotlin-test'
    // Trino JDBC driver; only the tests use it, hence testImplementation.
    testImplementation("io.trino:trino-jdbc:470")
}

test {
    // JUnit 5 runner; with this setting kotlin-test is expected to resolve its JUnit 5 variant,
    // which is what provides org.junit.jupiter.api.Test to the test source.
    useJUnitPlatform()
}
kotlin {
    jvmToolchain(21)
}

import org.junit.jupiter.api.Test  
import java.sql.DriverManager  
import java.util.Properties  
  
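class TrinoJdbcTest {

    /** Sanity check that the test runner works at all, before any network access. */
    @Test
    fun fistHead() {
        println("hello")
    }

    /** Connect by host name: matches DNS.1 in server.cnf, so host-name verification succeeds. */
    @Test
    fun tsHost() {
        val user = "myuser"
        val password = "your_password" // placeholder; do not commit real credentials
        val url = "jdbc:trino://trino-01.baidu.com:443/hive"
        runShowCatalog(url, user, password)
    }

    /** Connect by IP: only works because IP.1 in server.cnf puts the address in the SAN. */
    @Test
    fun tsIp() {
        val user = "myuser"
        val password = "your_password" // placeholder; do not commit real credentials
        val url = "jdbc:trino://192.168.100.101:443/hive"
        runShowCatalog(url, user, password)
    }

    /**
     * Opens a TLS JDBC connection to [url] as [user]/[password] and prints every catalog
     * returned by `show catalogs`.
     *
     * Connection, statement and result set are closed via `use` even when a read fails;
     * the original left all three open on every call. At most one of the trust options
     * (1)-(3) below should be enabled in addition to `SSL=true`; with all of them commented
     * out the driver presumably uses the JVM's default trust store, which is what the
     * keytool import in section 2.4 populates.
     *
     * @throws java.sql.SQLException if the connection or the query fails (TLS handshake
     *         failures surface from the driver as SQLException as well).
     */
    fun runShowCatalog(url: String, user: String, password: String) {
        val props = Properties()
        props.setProperty("user", user)
        props.setProperty("password", password)
        props.setProperty("SSL", "true")

        // (1) No verification: the driver accepts any server certificate, so the connection is
        //     encrypted but the server is not authenticated. Useful only while debugging the
        //     handshake; never leave it on. SSL must still be "true".
        // props.setProperty("SSLVerification", "NONE")

        // (2) Trust only the self-signed CA by pointing the driver at ca.crt directly.
        // props.setProperty("SSLTrustStorePath", "D:\\certs\\ca.crt")

        // (3) Trust the JVM trust store, into which the self-signed CA was imported with:
        //     keytool -import -v -trustcacerts -alias trino-ts -file D:\certs\ca.crt -storepass changeit -keystore %JAVA_HOME%\lib\security\cacerts
        //     The store password must be supplied; the JDK default is "changeit".
        //     NOTE: Java does not expand %JAVA_HOME% inside a string literal — use the resolved path.
        // props.setProperty("SSLTrustStorePath", "%JAVA_HOME%\\lib\\security\\cacerts")
        // props.setProperty("SSLTrustStorePassword", "changeit")

        // Optional: a client key store for mutual TLS. The client key and certificate are
        // generated exactly like the server's, then packaged with:
        // openssl pkcs12 -export -out workspace-client.p12 -inkey workspace-client.key -in workspace-client.crt -passout pass:trino-client
        // props.setProperty("SSLKeyStorePath", "D:\\projects\\trino-jdbc-test\\src\\test\\resources\\workspace-client.pem") // failed
        // props.setProperty("SSLKeyStorePath", "D:\\certs\\client.pem")
        // props.setProperty("SSLKeyStorePassword", "trino-client") // maybe use SSLUseSystemKeyStore
        // props.setProperty("SSLUseSystemTrustStore", "true")

        Class.forName("io.trino.jdbc.TrinoDriver")
        DriverManager.getConnection(url, props).use { conn ->
            conn.createStatement().use { stmt ->
                stmt.executeQuery("show catalogs").use { rs ->
                    while (rs.next()) {
                        println(rs.getString(1))
                    }
                }
            }
        }
    }

}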