Unable to add password based authentication

[ankitagupta122]

I am trying to add password based authentication on my trino server (using official trino helm). I already have a https url created for my server using LB: "https://hostname:443"
Below are my configurations:
values.yaml

config:
    path: /etc/trino
    http:
      port: 8080
    https:
      enabled: false
      port: 8443
      keystore:
        path: ""
    authenticationType: PASSWORD

config.properties (coordinator):

coordinator=true
node-scheduler.include-coordinator=false
http-server.http.port=8080
query.max-memory={{ .Values.server.config.coordinator.query.maxMemory }}
query.max-memory-per-node={{ .Values.server.config.coordinator.query.maxMemoryPerNode }}
discovery-server.enabled=true
discovery.uri=https://localhost:8080
{{- if .Values.server.config.authenticationType }}
 http-server.authentication.type={{ .Values.server.config.authenticationType }}
 internal-communication.shared-secret=<>
{{- end }}

config.properties (worker):

coordinator=false
http-server.http.port=8080
query.max-memory={{ .Values.server.config.worker.query.maxMemory }}
query.max-memory-per-node={{ .Values.server.config.worker.query.maxMemoryPerNode }}
discovery.uri=http://{{ template "trino.fullname" . }}:8080
{{- if .Values.server.config.authenticationType }}
    internal-communication.shared-secret=<>
{{- end }}

I tried with multiple configurations but nothing is working. Not sure what needs to be added in order to enable authentication.

[electrum]

The generated coordinator config.properties should contain

http-server.authentication.type=PASSWORD

Double check the generated file to just be sure that is working properly.

Did you also add a etc/password-authenticator.properties file? See password file or LDAP authentication.

[electrum]

It looks like the chart will generate password-authenticator.properties for you. It references a password database that you would need to create

file.password-file={{ .Values.server.config.path }}/auth/password.db

[electrum]

If you're terminating TLS on the load balancer, I think you will need to add the following to the coordinator config.properties:

http-server.process-forwarded=true

See documentation about load balancers

[ankitagupta122]

I am creating password.db where I am passing user and password. Also password-authenticator.properties is created with path of .db file.
http-server.authentication.type=PASSWORD is added to config.properties.
I have created https referring to this document by creating a pem file, which is adding below configs to my config.properties:

http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/trino/pem/trino.pem
internal-communication.shared-secret=<>

This is creating a https for my UI but when I am adding PASSWORD authentication to the https, UI is getting disabled saying "Web Interface is Disabled"

[ankitagupta122]

@electrum could you help here?

[chinayangze]

@electrum could you help here?

http-server.authentication.allow-insecure-over-http=true

[noahshpak]

in my case I had run htpasswd -B -c foo bar without the -B flag. Would be super nice if the coordinator failed to spin up with an invalid pass!

[gauravmohta]

was anyone able to resolve this? I am currently stuck at the same issue where I have enabled PASSWORD authentication, however the UI still displays password auth disabled.
@ankitagupta122 maybe?

[SrikanthNallela]

it requires ssl configuration. you cant see password until you enable SSL in trino.its in documentation

[hashhar]

It seems this has already been answered. To allow authentication coordinator needs to be either behind an LB that terminates TLS or be configured with TLS itself.

This is described in detail in the docs at https://trino.io/docs/current/security/authentication-types.html (the first few paragraphs) + https://trino.io/docs/current/security/overview.html