Security and Compliance

Authentication

Registering the connection

The Trino integration supports the following authentication methods to register a connection. The credentials provided must be for an account with the permissions listed in the Register a Trino connection guide.

  • Username and password: You can authenticate with your Trino username and password.

  • OAuth 2.0: You can authenticate with OAuth 2.0. Immuta's OAuth authentication method uses the Client Credentials Flow; when you register a connection, Immuta reaches out to your OAuth server to generate a JSON web token (JWT) and then passes that token to the Trino cluster. Therefore, when using OAuth authentication to register a connection in Immuta, configure your Trino cluster to use JWT authentication, not OpenID Connect or OAuth.
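The hand-off described above, modelled end to end as an added example (this is not Immuta's or Trino's code): one function plays the OAuth server's token endpoint in the Client Credentials Flow, one plays a Trino cluster in JWT authentication mode, and `register_connection` ties them together the way the integration does. The issuer, audience, client id, secrets and the HS256 shared-secret signature are all constructed for the example; a real cluster would verify an asymmetric signature against the OAuth server's published key, and the integration's internal function names are not these.

```python
"""Client-credentials token hand-off modelled end to end (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-signing-secret"                  # constructed
ISSUER = "https://oauth.example.internal"                      # constructed
AUDIENCE = "trino-cluster"                                     # constructed
CLIENTS = {"immuta-connection": "constructed-client-secret"}   # client_id -> client_secret


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def oauth_token_endpoint(client_id, client_secret, now=None, ttl=300):
    """OAuth server side of the Client Credentials Flow: returns a signed JWT,
    or None when the client id/secret pair is rejected."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": client_id, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode(header)}.{_encode(claims)}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def trino_jwt_authenticate(token, now=None):
    """Cluster side in JWT mode: validate the bearer token directly, with no
    browser redirect. Returns (subject, None) or (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None, "undecodable token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg blindly
        return None, "unsupported alg"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    return claims.get("sub"), None


def register_connection(client_id, client_secret, now=None):
    """What happens at registration: fetch a token from the OAuth server, then
    present it to the cluster as a bearer credential (hypothetical wrapper)."""
    token = oauth_token_endpoint(client_id, client_secret, now=now)
    if token is None:
        return None, "OAuth server rejected client credentials"
    return trino_jwt_authenticate(token, now=now)


if __name__ == "__main__":
    print(register_connection("immuta-connection", "constructed-client-secret"))
    print(register_connection("immuta-connection", "wrong-secret"))
```

The point the model makes is why the cluster must be in JWT mode: the token arrives from a service, not from a user's browser, so the cluster has nothing to redirect and must instead verify the signature, issuer, audience and expiry of what it is handed.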

Identity providers for user authentication

The built-in Immuta IAM can be used as a complete solution for authentication and user entitlement. However, you can connect your existing identity management provider to Immuta to use that system for authentication and user entitlement instead.

Each of the supported identity providers includes a specific set of configuration options that enable Immuta to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta.

See the Identity managers guide for a list of supported providers and details.

See the Trino reference guide for details about user provisioning and mapping user accounts to Immuta.

System access control providers

Users cannot bypass Immuta controls by changing roles in their system access control provider.

Multiple system access control providers can be configured in the Trino integration. This approach allows Immuta to work with existing Trino installations that already have an access control provider configured.

Immuta does not manage all permissions in Trino, so it will default to allowing access to anything Immuta does not manage. This ensures that the Trino integration complements existing controls.

For example, if the Trino integration is configured to allow users write access to tables that are not protected by Immuta, you can still lock down write access for specific non-Immuta tables using an additional access control provider.

If you have multiple access control providers configured, those providers interact in the following ways:

  • For a user to have access to a resource (a catalog, schema, or table), that user must have access in all of the configured access control providers.

  • In catalog, schema, or table filtering (such as show catalogs, show schemas, or show tables), the user will see the intersection of all access control providers. For example, if a Trino environment includes the catalogs public, demo, and restricted and one provider restricts a user from accessing the restricted catalog and another provider restricts the user from accessing the demo catalog, running show catalogs will only return the public catalog for that user.

  • Only one column masking policy can be applied per column across all system access control providers. If two or more access control providers return a mask for a column, Trino will throw an error at query time.

  • For row filtering policies, the expression for each system access control provider is applied one after the other.

See the Customize the Immuta Trino plugin page for details on configuring multiple access control providers.
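The four interaction rules above, reduced to a runnable model as an added example (not Immuta's or Trino's code): each provider is stripped down to three hooks, and the combining functions apply the rules as stated, visibility as the intersection across providers, row filters chained so every one must hold, and more than one mask on a column rejected, as Trino does at query time. The provider names, catalogs, tables, masks and filters are constructed for the example.

```python
"""Model of how multiple Trino system access control providers combine (constructed)."""
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Stand-in for one system access control provider (hypothetical shape)."""
    name: str
    denied_catalogs: set = field(default_factory=set)   # catalogs this provider refuses
    masks: dict = field(default_factory=dict)           # "catalog.table.column" -> mask SQL
    row_filters: dict = field(default_factory=dict)     # "catalog.table" -> filter SQL

    def can_access_catalog(self, catalog: str) -> bool:
        return catalog not in self.denied_catalogs

    def column_mask(self, column: str):
        return self.masks.get(column)

    def row_filter(self, table: str):
        return self.row_filters.get(table)


class MaskConflict(Exception):
    """Raised when two or more providers return a mask for the same column."""


def visible_catalogs(providers, catalogs):
    """SHOW CATALOGS result: a catalog is listed only if every provider allows it."""
    return [c for c in catalogs if all(p.can_access_catalog(c) for p in providers)]


def effective_mask(providers, column):
    """At most one provider may mask a column; two or more is a query-time error."""
    found = [(p.name, p.column_mask(column)) for p in providers]
    found = [(name, mask) for name, mask in found if mask is not None]
    if len(found) > 1:
        names = ", ".join(name for name, _ in found)
        raise MaskConflict(f"column {column} masked by more than one provider: {names}")
    return found[0][1] if found else None


def effective_row_filter(providers, table):
    """Row filters from every provider are applied one after the other,
    which is the same as AND-ing their predicates."""
    exprs = [p.row_filter(table) for p in providers]
    exprs = [e for e in exprs if e]
    return " AND ".join(f"({e})" for e in exprs) if exprs else None


# Constructed sample: Immuta alongside a pre-existing provider on the same cluster.
IMMUTA = Provider(
    name="immuta",
    denied_catalogs={"restricted"},
    masks={
        "hr.employees.ssn": "NULL",
        "hr.employees.email": "regexp_replace(email, '.*@', '***@')",
    },
    row_filters={"hr.employees": "region = 'EU'"},
)
LEGACY = Provider(
    name="legacy-file",
    denied_catalogs={"demo"},
    masks={"hr.employees.ssn": "'***-**-****'"},
    row_filters={"hr.employees": "deleted = false"},
)
PROVIDERS = [IMMUTA, LEGACY]
ALL_CATALOGS = ["public", "demo", "restricted"]


if __name__ == "__main__":
    print("SHOW CATALOGS ->", visible_catalogs(PROVIDERS, ALL_CATALOGS))
    print("row filter    ->", effective_row_filter(PROVIDERS, "hr.employees"))
    print("email mask    ->", effective_mask(PROVIDERS, "hr.employees.email"))
    try:
        effective_mask(PROVIDERS, "hr.employees.ssn")
    except MaskConflict as err:
        print("ssn mask      -> ERROR:", err)
```

Running it shows the user sees only `public`, the two row filters compose into one conjunction, the email mask passes through because only one provider defines it, and the `ssn` column fails because both providers mask it; when auditing a multi-provider setup, that last case is the one to look for before it surfaces as query failures.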

Auditing and compliance

Immuta provides auditing features and governance reports so that data owners and governors can monitor users' access to data and detect anomalies in behavior.

You can view the information in these audit logs on dashboards or export the full audit logs to S3 and ADLS for long-term backup and processing with log data processors and tools. This capability fosters convenient integrations with log monitoring services and data pipelines.

See the Audit documentation for details about these capabilities and how they work with the Trino integration.

Trino query audit

Immuta captures queries in Trino, making audit records more useful in assessing what users are doing. To audit Trino queries, Immuta uses the Trino event listener to translate events into comprehensive audit logs. Immuta will only audit queries from Immuta users on objects registered as Immuta data sources.

Query audit is enabled by default on all Trino integrations, but you can disable it when registering the connection by changing the following properties in the configuration file: immuta.audit.legacy.enabled and immuta.audit.uam.enabled.

See the Trino query audit logs page for audit log contents and an example of the resulting audit record.

Governance reports

Immuta governance reports allow users with the GOVERNANCE Immuta permission to use a natural language builder to instantly create reports that delineate user activity across Immuta. These reports can be based on various entity types, including users, groups, projects, data sources, purposes, policy types, or connection types.

See the Governance report types page for a list of report types and guidance.
