Register a Trino Connection

Requirement

• Trino cluster or Starburst Enterprise

Permissions

The user registering the connection must have the permissions below.

• APPLICATION_ADMIN Immuta permission

• The Trino user must have the ability to

  • Create a new file in the Trino etc directory

  • Create a new Trino user and grant that new user permissions

Create the system account user

In Trino, create a new system account user with the privileges listed below. Immuta uses this system account continuously to crawl the connection, maintain state between Immuta and Trino, and run identification.

• SELECT on all securables you want registered in Immuta as data sources

Register a Trino connection

1. In Immuta, click Data and select Connections in the navigation menu.

2. Click the + Add Connection button.

3. Select the Trino tile.

4. Enter the cluster connection information:

   1. Display Name: This is the name of your new connection. This name will be used in the API (connectionKey), in data source names from the host, and on the connections page.

   2. Hostname: URL of your Trino cluster.

   3. Port: Port configured for Trino.

   4. SSL Mode: Use the dropdown to select the SSL mode to connect to the host.

      1. Enabled: Use this mode if you have http-server.https.enabled=true set in your Trino cluster's config.properties file.

      2. Disabled: Use this mode for plain, unencrypted connections (e.g., your URL starts with http://).

   5. Certificate Validation: Use the dropdown to select whether to require certificate validation to connect to the host.

      1. Enabled: Use this to ensure Immuta verifies that the server's certificate was issued by a trusted Certificate Authority (CA).

      2. Disabled: Use this setting if you are using a self-signed certificate to skip certificate validation for the connection.

5. Select the authentication method from the dropdown and enter the credentials of the Trino user you created above.

   1. Username and Password: Enter the username and password for the system account user.

   2. OAuth 2.0 with Client Secret:

      • Fill out the Token Endpoint with the full URL of the identity provider. This is where the generated token is sent.

      • Fill out the Client ID. This is a combination of letters, numbers, or symbols, used as a public identifier. This is the subject of the generated token.

      • Enter the Scope (string). The scope limits the operations allowed in Trino by the access token. See the OAuth 2.0 documentation for details about scopes.

      • Enter the Client Secret. Immuta uses this secret to authenticate with the authorization server when it requests a token.

   3. OAuth 2.0 with Client Certificate:

      1. Fill out the Token Endpoint with the full URL of the identity provider. This is where the generated token is sent.

      2. Fill out the Client ID. This is a combination of letters, numbers, or symbols, used as a public identifier. This is the subject of the generated token.

      3. Enter the Scope (string). The scope limits the operations allowed in Trino by the access token. See the OAuth 2.0 documentation for details about scopes.

      4. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.

      5. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as `x5t` or is called `sub` (Subject).

      6. Upload the Client Certificate, which is used to sign the authorization request.

6. Click Save connection.

   1. If you are using Starburst, move on to the next step.

   2. If you are using open-source Trino, you must download the Immuta Trino plugin and add it to your Trino cluster.

      1. The Immuta Trino plugin version matches the version of the corresponding Trino releases. Navigate to the Immuta GitHub repository for a list of supported Trino versions. Immuta follows Starburst's release cycle, but you can contact your Immuta representative for a specific Trino OSS release.

      2. Download the assets for the release that corresponds to your Trino version.

      3. Enable Immuta on your cluster:

         1. Docker installations

            1. Follow Trino's documentation to install the plugin archive on all nodes in your cluster.

            2. Create the Immuta access control configuration file in the Trino configuration directory: /etc/trino/immuta-access-control.properties.

         2. Standalone installations

            1. Follow Trino's documentation to install the plugin archive on all nodes in your cluster.

            2. Create the Immuta access control configuration file in the Trino configuration directory: <trino_install_directory>/etc/immuta-access-control.properties.

7. On the Next Steps page, copy the provided immuta-access-control.properties file. It is pre-populated with the required fields:

   1. access-control.name: Leave this as immuta.

   2. immuta.endpoint: This is your tenant URL. Use the value provided in the file.

   3. immuta.apikey: This is how Immuta applies policy to your users' queries. Use the value provided in the file.

   4. immuta.user.admin: This is your Trino system account user. To ensure tables can be properly ingested into Immuta, no Immuta policies will ever apply to this user. Use the value pre-populated in the file to match the username you initially used to create the connection.

8. Customize any other properties in the file. See the Trino integration how-to page for detailed descriptions of all the properties.

9. Once your file is customized, add it to your Trino cluster's etc folder.

10. Enable the Immuta access control plugin in your Trino cluster's config.properties file:

    Copy

    access-control.config-files=/etc/trino/immuta-access-control.properties

11. Ensure you have completed all the connection steps, and click Finish.