# Register a Trino Connection

## Requirements

**For Trino connections**

* Trino cluster

**For Starburst connections**

* A valid [Starburst Enterprise license](https://docs.starburst.io/latest/license-requirements.html).
* The Starburst Cluster must be publicly accessible or have [private connectivity](/saas/configuration/application-configuration/how-to-guides/private-networking-support/data-connection-private-networking/index-2.md) configured.

## Permissions

The user registering the connection must have the permissions below.

* `APPLICATION_ADMIN` Immuta permission
* The Trino user must have the ability to
  * Create a new file in the Trino `etc` directory
  * Create a new Trino user and grant that new user permissions

## Create the system account user

In Trino, create a new system account user with the privileges listed below. Immuta uses this system account continuously to crawl the connection, maintain state between Immuta and Trino, and run identification.

* `SELECT` on all securables you want registered in Immuta as data sources

## Register a Trino connection

1. In Immuta, click <i class="fa-database">:database:</i> **Data** and select **Connections** in the navigation menu.
2. Click the **+ Add Connection** button.
3. Select the **Trino** tile.
4. Enter the cluster connection information:
   1. **Display Name**: This is the name of your new connection. This name will be used in the API (`connectionKey`), in data source names from the host, and on the connections page. Avoid the use of periods (`.`) or [restricted words](#user-content-fn-1)[^1] in your connection name.
   2. **Hostname**: URL of your Trino cluster.
   3. **Port**: Port configured for Trino.
   4. **SSL Mode**: Use the dropdown to select the SSL mode to connect to the host.
      1. **Enabled**: Use this mode if you have `http-server.https.enabled=true` set in your Trino cluster's `config.properties` file.
      2. **Disabled**: Use this mode for plain, unencrypted connections (e.g., your URL starts with `http://`).
   5. **Certificate Validation**: Use the dropdown to select whether to require certificate validation to connect to the host.
      1. **Enabled**: Use this to ensure Immuta verifies that the server's certificate was issued by a trusted Certificate Authority (CA).
      2. **Disabled**: Use this setting if you are using a self-signed certificate to skip certificate validation for the connection.
5. Select the authentication method from the dropdown and enter the credentials of the [Trino user you created above](#create-the-system-account-user).
   1. **Username and Password**: Enter the username and password for the system account user.
   2. **OAuth 2.0 with Client Secret**:
      * Fill out the **Token Endpoint** with the full URL of the identity provider. This is where the generated token is sent.
      * Fill out the **Client ID**. This is a combination of letters, numbers, or symbols, used as a public identifier. This is the subject of the generated token.
      * Enter the **Scope** (string). The scope limits the operations allowed in Trino by the access token. See the [OAuth 2.0 documentation](https://oauth.net/2/scope/) for details about scopes.
      * Enter the **Client Secret**. Immuta uses this secret to authenticate with the authorization server when it requests a token.
   3. **OAuth 2.0 with Client Certificate**:
      1. Fill out the **Token Endpoint** with the full URL of the identity provider. This is where the generated token is sent.
      2. Fill out the **Client ID**. This is a combination of letters, numbers, or symbols, used as a public identifier. This is the subject of the generated token.
      3. Enter the **Scope** (string). The scope limits the operations allowed in Trino by the access token. See the [OAuth 2.0 documentation](https://oauth.net/2/scope/) for details about scopes.
      4. Opt to fill out the **Resource** field with a URI of the resource where the requested token will be used.
      5. Enter the **x509 Certificate Thumbprint**. This identifies the corresponding key to the token and is often abbreviated as `x5t` or is called `sub` (Subject).
      6. Upload the **Client Certificate**, which is used to sign the authorization request.
6. Click **Save connection**.
   1. If you are using **Starburst**, move on to the next step.
   2. If you are using open-source **Trino**, you must download the Immuta Trino plugin and add it to your Trino cluster.
      1. The Immuta Trino plugin version matches the version of [the corresponding Trino releases](#user-content-fn-2)[^2]. Navigate to the [Immuta GitHub repository](https://github.com/immuta/trino-artifacts/releases) for a list of supported Trino versions. Immuta follows [Starburst's release cycle](https://docs.starburst.io/latest/versions.html), but you can contact your Immuta representative for a specific Trino OSS release.
      2. Download the assets for the release that corresponds to your Trino version.
      3. Enable Immuta on your cluster:
         1. **Docker installations**
            1. Follow [Trino's documentation](https://trino.io/docs/current/installation/plugins.html#plugins-installation) to install the plugin archive on all nodes in your cluster.
            2. Create the Immuta access control configuration file in the Trino configuration directory: **`/etc/trino/immuta-access-control.properties`**.
         2. **Standalone installations**
            1. Follow [Trino's documentation](https://trino.io/docs/current/installation/plugins.html#plugins-installation) to install the plugin archive on all nodes in your cluster.
            2. Create the Immuta access control configuration file in the Trino configuration directory: **`<trino_install_directory>/etc/immuta-access-control.properties`**.
7. On the **Next Steps** page, copy the provided `immuta-access-control.properties` file. It is pre-populated with the required fields:
   1. `access-control.name`: Leave this as `immuta`.
   2. `immuta.endpoint`: This is your tenant URL. Use the value provided in the file.
   3. `immuta.apikey`: This is how Immuta applies policy to your users' queries. Use the value provided in the file.
   4. `immuta.user.admin`: This is your Trino system account user. To ensure tables can be properly ingested into Immuta, no Immuta policies will ever apply to this user. Use the value pre-populated in the file to match the username you initially used to create the connection.
8. Customize any other properties in the file. See the [Customize the Immuta Trino plugin page](/saas/configuration/integrations/starburst-trino/how-to-guides/register-a-trino-connection/customize-the-immuta-trino-plugin.md) for detailed descriptions of all the properties.
9. Once your file is customized, add it to your Trino cluster's `etc` folder.
10. Enable the Immuta access control plugin in your Trino cluster's **`config.properties`** file:

    <pre><code>access-control.config-files=/etc/<a data-footnote-ref href="#user-content-fn-3">trino</a>/immuta-access-control.properties
    </code></pre>
11. Ensure you have completed all the connection steps, and click **Finish**.

### Add Trino users to Immuta

1. [Configure your external IAM](/saas/configuration/people/section-contents/reference-guides/index.md) to add users to Immuta.
2. [Map their Trino usernames](/saas/configuration/people/users-index/how-to-guides/external-user-mapping.md) when configuring your IAM (or map usernames manually) to Immuta.
   * All Trino users must map to Immuta users or match the `immuta.user.admin` regex configured on the cluster, and their Trino username must be mapped to Immuta so they can query policy-enforced data.
   * A user impersonating a different user in Trino requires the `IMPERSONATE_USER` permission in Immuta. Both users must be mapped to an Immuta user, or the querying user must match the configured `immuta.user.admin` regex.

[^1]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`.

[^2]: For example, the Immuta plugin version supporting Trino version 403 is simply version `403`.

[^3]: If needed, update to `starburst`.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/saas/configuration/integrations/starburst-trino/how-to-guides/register-a-trino-connection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.