
You are viewing documentation for Immuta version 2022.2.


Starburst (Trino) Integration

Audience: System Administrators

Content Summary: This page describes the Starburst (Trino) integration, through which Immuta applies policies directly in the user's native technology.

See the Starburst (Trino) integration page for a tutorial on enabling the integration and these features through the App Settings page.

Starburst and Trino

Starburst is based on open-source Trino. Because Immuta integrates with both cluster types, our documentation refers to this integration throughout as Starburst (Trino).

Overview

Immuta connects to Starburst (Trino) as a plugin integration. This allows Immuta to apply policies directly in Starburst (Trino) without data flowing through a proxy. Users can work with their existing tools (querying, reporting, etc.) and have per-user policies applied to views at query time.

Architecture

Once the plugin has been pushed out to all nodes, administrators create an immuta catalog that is managed by the custom Immuta Trino connector. The connector generates the list of available schemas and views at query time, based on the user making the request. When a user executes a query against one of the Immuta views, the connector dynamically generates the view definition and provides it to the Trino execution engine, which then connects to the backing catalogs and retrieves the data with appropriate policy enforcement.

Policy Enforcement

This integration uses an immuta-trino plugin to create policy-enforced view definitions that users access through an immuta catalog. (Note that even though the plugin is named immuta-trino, it works with Starburst Enterprise and comes pre-installed with it.) When Starburst (Trino) tables are registered in Immuta as data sources, these data sources are dynamically generated as views in the immuta catalog on the Starburst (Trino) node. Users subscribed to those data sources in Immuta then query the corresponding protected views in Starburst (Trino).

Changes to policies, user attributes, or data sources registered in Immuta trigger webhooks that keep these views up to date, empowering users to query policy-enforced data.

Data Flow

  1. An Immuta Application Administrator configures the Starburst (Trino) integration, creating an Immuta catalog and connector on their Starburst (Trino) node.
  2. Immuta creates a catalog inside the configured Starburst (Trino) node.
  3. A Data Owner registers Starburst (Trino) tables in Immuta as data sources. A Data Owner, Data Governor, or Administrator creates or changes a policy or user in Immuta.
  4. Data source metadata, tags, user metadata, and policy definitions are stored in Immuta's Metadata Database.
  5. The Immuta connector generates and provides the view definition to the Trino Execution Engine.
  6. A Starburst (Trino) user who is subscribed to the data source in Immuta queries the corresponding table directly in Starburst (Trino) through the immuta database.
  7. Using the querying user's project, purpose, and entitlements, Immuta applies policies to the views at query time, so the user sees policy-enforced data.

Trino Integration