Trino/Presto Catalog Policies
Audience: System Administrators
Content Summary: This page documents an example of a Trino/Presto Catalog policy, which can be used to protect sensitive data in your Trino/Presto cluster before Immuta is installed.
Trino/Presto Catalog Policy
The configuration of Trino/Presto catalog policies described below does not pertain to Immuta configuration
or Immuta policies; this configuration manages access to sensitive data before Immuta is installed. Once Immuta
is installed, Immuta's Subscription policies dynamically enforce access restrictions within the immuta
catalog,
so if you opt to use the configuration below, it should be removed after Immuta is installed.
Immuta and Presto
All data sources created in Immuta will exist in the immuta
catalog created by the System Administrator who installs
the Presto plugin. However, if organizations add sensitive data to Trino/Presto and need to restrict access to
catalogs before Immuta is installed, they can do so by using the
File System Access Control plugin, which
controls access using catalog, schema, and table rules:
The catalog rules are course grained rules used to restrict all access or write access to catalogs. They do not explicitly grant any specific schema or table permissions. The table and schema rules are used to specify who can create, drop, alter, select, insert, delete, etc. for schemas and tables.
Follow the steps below to create a catalog policy to restrict access to your Trino/Presto data before Immuta is installed.
Configure Catalog Policies in Trino/Presto
- Follow Presto/Trino's configuration documentation to install the plugin, which allows you to specify authorization rules in a JSON file.
- Create a catalog policy to manage access to the catalogs in Trino/Presto by following their documentation to add a catalog policy to the JSON file.
Presto Catalog Policy Example
The following catalog policy gives every user access to immuta
and only super_admin_user
can access catalogs
besides immuta
.
{
"catalogs": [
{
"user": "super_admin_user",
"catalog": "postgres|ambari|redshift|mysql|oracle",
"allow": "all"
},
{
"catalog": "immuta",
"allow": "all"
},
{
"catalog": "postgres|ambari|redshift|mysql|oracle",
"allow": "none"
}
]
}