Why does Trino require HTTPS for user/pass? (the answer may surprise you)

One of the questions that gets asked by people first starting out with Trino is “why does it require HTTPS for enabling username AND passwords?”

This is debated quite a bit, but, if you think about how your username/password are sent over the network, and how often a plaintext string is easy to capture, providing an easy way for “bad folks” to get sensitive information needed to be dealt with early on.

And as we see in (near) daily headlines, a data breach happens more frequently as more people/devices get connected.

So the simplest way to deal with this issue… don’t allow people to send plaintext passwords in the first place! Realistically, modern applications are moving away from passwords over HTTP, as has been an industry norm for more than a decade.

“So help me setup Trino really quickly where I can use username/password and get up and running!”

First, you need to know how you want to identify a user.
Password file? LDAP? JSON Web Tokens (“JWT”)?

Password files are pretty simple to understand and configure, so we will start with that.

In short:

  1. Generate a username and password using htpasswd tool and store the entries one per line
    Password file authentication — Trino 363 Documentation

  2. Acquire an SSL certificate (PEM or JKS) for the coordinator
    PEM files — Trino 363 Documentation
    JKS files — Trino 363 Documentation

  3. Configure the coordinator to communicate over 8443 (instead of 8080, the default)
    HTTPS and TLS — Trino 363 Documentation

  4. Configure your client application to use HTTPS
    JDBC driver — Trino 363 Documentation

NOTE: if you are using self-signed certificates, you might need to type in “thisisunsafe” into your web browser. (no quotes)

2 Likes