Trino Connection Reference Guide
Using the Trino connection, you can register a Trino integration for your open-source Trino or Starburst Enterprise cluster. See the Starburst (Trino) integration reference guide for additional details about the Trino integration.
What does Immuta do in my Trino cluster?
Registering a connection
Immuta utilizes connections to register and manage data from your Trino cluster. Instead of registering individual catalogs, connections enable you to register an entire data platform at once. This approach simplifies data registration and allows Immuta to automatically monitor your Trino platform for changes. Data sources are then added or removed to reflect the current state of your data platform.
When the connection is registered, Immuta ingests and stores connection metadata in the Immuta metadata database.
Immuta presents a hierarchical view of your data that reflects the hierarchy of objects in Trino after registration is complete:
Cluster
Catalog
Schema
Tables
Beyond making the registration of your data more intuitive, connections provide more control. Instead of performing operations on individual schemas or tables, you can perform operations (such as object sync) at the connection level.
See the Connections reference guide for details about connections and how to manage them. To configure your Trino connection, see the Register a Trino connection guide.
Required Trino privileges
The privileges that the Trino connection requires align with the principle of least privilege. The table below describes the privilege required by the IMMUTA_SYSTEM_ACCOUNT user.
SELECT on all tables | Immuta system account | This privilege provides access to all the Trino tables that you want registered in Immuta.
Maintaining state with Trino
The following user actions trigger processes in the Trino connection so that data in Immuta stays in sync with data in Trino. The list below provides an overview of each process:
Data source created or updated: Immuta registers data source metadata and stores that metadata in the Immuta metadata database.
Data source deleted: Immuta deletes the data source metadata from the metadata database.
User account is mapped to Immuta: When a user account is mapped to Immuta, their metadata is stored in the metadata database.
Supported object types
Table | ✅ | ✅ | ✅
View | ✅ | ✅ | ✅
Materialized view | ✅ | ✅ | ✅
Security and compliance
Authentication methods
The Trino integration supports the following authentication methods to register a connection. The credentials provided must be for an account with the permissions listed on the Register a Trino connection page.
Username and password: You can authenticate with your Starburst (Trino) username and password.
OAuth 2.0: You can authenticate with OAuth 2.0. Immuta's OAuth authentication method uses the Client Credentials Flow; when you register a data source, Immuta reaches out to your OAuth server to generate a JSON web token (JWT) and then passes that token to the Starburst (Trino) cluster. Therefore, when using OAuth authentication to create data sources in Immuta, configure your Starburst (Trino) cluster to use JWT authentication, not OpenID Connect or OAuth.
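The following pre-flight check is an added example, not Immuta or Trino code. It inspects a coordinator config.properties and a client-credentials token to confirm the cluster is set for JWT authentication and to show which claim Trino will use as the principal. The issuer, audience, client ID and JWKS URL are constructed placeholders, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

PREFIX = "http-server.authentication."  # Trino coordinator auth properties

def parse_properties(text):
    """Parse key=value lines from config.properties, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check(config_text, token):
    """Return (problems, principal) for a token presented to this config."""
    props, claims, problems = parse_properties(config_text), jwt_claims(token), []
    types = [t.strip().upper() for t in props.get(PREFIX + "type", "").split(",")]
    if "JWT" not in types:
        problems.append("authentication type is %s, not JWT" % types)
    if not props.get(PREFIX + "jwt.key-file"):
        problems.append("jwt.key-file is not set")
    # Optional issuer/audience pinning must agree with what the OAuth server issues.
    for prop, claim in (("required-issuer", "iss"), ("required-audience", "aud")):
        want, got = props.get(PREFIX + "jwt." + prop), claims.get(claim)
        if want and want not in (got if isinstance(got, list) else [got]):
            problems.append("%s does not match %s" % (claim, prop))
    # Trino takes the principal from this claim ("sub" unless overridden).
    principal = claims.get(props.get(PREFIX + "jwt.principal-field", "sub"))
    if principal is None:
        problems.append("principal claim is missing from the token")
    return problems, principal

def sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "RS256"}), enc(claims))

# Constructed sample data: hypothetical issuer, audience and client ID.
TOKEN = sample_token({"iss": "https://idp.example.com", "aud": "trino", "sub": "immuta-client"})
OAUTH2_CONFIG = "http-server.authentication.type=OAUTH2\n"
JWT_CONFIG = """http-server.authentication.type=JWT
http-server.authentication.jwt.key-file=https://idp.example.com/jwks
http-server.authentication.jwt.required-issuer=https://idp.example.com
http-server.authentication.jwt.required-audience=trino
"""

if __name__ == "__main__":
    print(check(OAUTH2_CONFIG, TOKEN), check(JWT_CONFIG, TOKEN))
```

The returned principal is the name Trino sees for the token, so it is the account that needs the privileges listed for the connection.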
User registration and ID mapping
The built-in Immuta IAM can be used as a complete solution for authentication and user entitlement. However, you can connect your existing identity management provider to Immuta to use that system for authentication and user entitlement instead. Each of the supported IAM protocols includes a set of configuration options that enable Immuta to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta.
For policies to impact the right users, the user account in Immuta must be mapped to the user account in Trino. You can ensure these accounts are mapped correctly in the following ways:
Automatically: If usernames in Trino align with usernames in the external IAM and those accounts align with an IAM attribute, you can enter that IAM attribute on the app settings page to automatically map user IDs in Immuta to Trino.
Manually: You can manually map user IDs for individual users.
For guidance on connecting your IAM to Immuta, see the how-to guide for your protocol.

