Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Starburst (Trino) Catalog Policies

Audience: System Administrators

Content Summary: This page documents an example of a Starburst (Trino) Catalog policy, which can be used to protect sensitive data in your Starburst (Trino) cluster before Immuta is installed.

Starburst (Trino) Catalog Policy

The configuration of Starburst (Trino) catalog policies described below does not pertain to Immuta configuration or Immuta policies; this configuration manages access to sensitive data before Immuta is installed. Once Immuta is installed, Immuta's Subscription policies dynamically enforce access restrictions within the immuta catalog, so if you opt to use the configuration below, it should be removed after Immuta is installed.

Immuta and Starburst (Trino)

All data sources created in Immuta will exist in the immuta catalog created by the System Administrator who configures the Starburst (Trino) integration. However, if organizations add sensitive data to Starburst (Trino) and need to restrict access to catalogs before Immuta is installed, they can do so by using the File System Access Control plugin, which controls access using catalog, schema, and table rules:

The catalog rules are course grained rules used to restrict all access or write access to catalogs. They do not explicitly grant any specific schema or table permissions. The table and schema rules are used to specify who can create, drop, alter, select, insert, delete, etc. for schemas and tables.

Follow the steps below to create a catalog policy to restrict access to your Starburst (Trino) data before Immuta is installed.

Configure Catalog Policies in Starburst (Trino)

  1. Follow Trino's configuration documentation to install the plugin, which allows you to specify authorization rules in a JSON file.
  2. Create a catalog policy to manage access to the catalogs in Starburst (Trino) by following their documentation to add a catalog policy to the JSON file.

Starburst (Trino) Catalog Policy Example

The following catalog policy gives every user access to immuta and only super_admin_user can access catalogs besides immuta.

{
  "catalogs": [
    {
        "user": "super_admin_user",
        "catalog": "postgres|ambari|redshift|mysql|oracle",
        "allow": "all"
    },
    {
      "catalog": "immuta",
      "allow": "all"
    },
    {
      "catalog": "postgres|ambari|redshift|mysql|oracle",
      "allow": "none"
    }
  ]
}