Presto Access Pattern (Beta)
Audience: System Administrators
Content Summary: This page describes the Native Presto access pattern, through which Immuta applies policies directly in Presto.
The native Presto access pattern applies policies directly in PrestoSQL without users going through the Immuta Query Engine. This means users can use their existing Presto tooling (querying, reporting, etc.) and have per-user policies dynamically applied at query time.
This feature works with an Immuta Presto connector that is fully dynamic. It generates the list of available schemas and views at query time based on each individual user. After a user executes a query against an Immuta view, the connector dynamically generates a view definition to provide to the Presto execution engine. This definition will then connect the engine to backing catalogs and retrieve the data with the appropriate policy enforcement.
In addition to configuring this access pattern on the App Settings page, Administrators will also need to install the Immuta Presto plugin on all Presto nodes within their cluster.
Once the plugin has been pushed out to all nodes, they will also need to create an
Immuta catalog, which will be
managed by a custom Immuta Presto connector that will generate the list of available schemas and views at
query time based on the user making the request. When a user executes a query against one of the Immuta views,
the connector dynamically generates the view definition and provides that to the Presto execution engine, which
then connects to the backing catalogs and retrieves the data with appropriate policy enforcement.
Policies are enforced directly into the dynamically generated views. The views will include a JOIN to a fact table containing the querying users' groups, authorities, purposes, and current projects. This user profile information is not a static row in a table but rather a dynamic dummy clause to be generated at query time.
Immuta will not be able to accurately represent certain policies in Presto, and data sources with these policies applied will not appear in the Immuta catalog. This limitation includes data sources
- with an external policy handler, or
- that are using the Advanced Rules DSL.
Certain interpolation functions can block the creation of a native view, specifically
Presto supports an optional anonymous (no authentication) access, which is not supported through Immuta because we have to tie the Presto user account to the Immuta user account to correctly apply policies. If your organization allows anonymous access, you will not be able to leverage the native Immuta integration.
Native Presto in Immuta is only compatible with PrestoSQL. PrestoDB is not supported.