Ranger authorization for Trino Virtual Warehouses
Authorization for Trino is supported through Apache Ranger by default. You can create or update Ranger policies for specific resources and assign permissions to Trino users, groups, or roles. When a user submits a query to Trino, the system checks the defined policies to verify that the user has the necessary permissions to run the query.
Authorization is the process that checks whether a user has permission to perform certain operations, such as creating, reading, and writing data, as well as editing table metadata.
- Resource-based authorization policies
- Resource-based column masking
- Row-level filtering
Trino authorization service (cm_trino)
Ranger authorization for all the Trino-supported connectors is offered through the cm_trino resource-based service.
For each resource specified in a Hive policy, an "allow" policy must also be configured in the cm_trino service to enable successful access control verification. Because Hive authorization policies are defined in two services, you will see two sets of audit logs: one from the cm_trino service and another from the HadoopSQL service (cm_hive). However, the cm_trino service allows for more restrictive permissions than HadoopSQL.
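The requirement above can be checked offline against policies exported from both services. The following is an added example, not Cloudera's or Ranger's own code: it lists the Hive (database, table) resources that have an allow policy in cm_hive but no enabled allow policy covering them in cm_trino. Assumptions: policies use Ranger's JSON policy layout (`resources`, `policyItems`, `accesses`, `isEnabled`), Hive databases appear in Trino as schemas of a catalog named `hive`, and only catalog, schema and table are compared (columns, principals, access types, deny items and excludes are not).

```python
from fnmatch import fnmatchcase
from itertools import product

TRINO_CATALOG = "hive"  # assumption: catalog under which Hive databases appear as Trino schemas

def vals(policy, key):
    # Resource values for one key; an absent key yields no values and never matches.
    return policy.get("resources", {}).get(key, {}).get("values", [])

def allows(policy):
    # True for an enabled policy with at least one allow item that grants an access.
    return bool(policy.get("isEnabled", True)) and any(
        acc.get("isAllowed") for item in policy.get("policyItems", [])
        for acc in item.get("accesses", []))

def covers(trino_policy, db, table):
    # Ranger resource values may contain * and ? wildcards; fnmatch approximates them.
    def hit(key, name):
        return any(fnmatchcase(name, pat) for pat in vals(trino_policy, key))
    return hit("catalog", TRINO_CATALOG) and hit("schema", db) and hit("table", table)

def uncovered(hive_policies, trino_policies):
    """Sorted (database, table) pairs allowed in cm_hive with no cm_trino allow policy."""
    trino_allow = [p for p in trino_policies if allows(p)]
    gaps = set()
    for hp in filter(allows, hive_policies):
        for db, tbl in product(vals(hp, "database"), vals(hp, "table")):
            if not any(covers(tp, db, tbl) for tp in trino_allow):
                gaps.add((db, tbl))
    return sorted(gaps)

def sample_policy(resources, enabled=True):
    # Builds a constructed policy in Ranger's JSON layout for the sample data below.
    return {"isEnabled": enabled,
            "resources": {k: {"values": v} for k, v in resources.items()},
            "policyItems": [{"users": ["analyst"],
                             "accesses": [{"type": "select", "isAllowed": True}]}]}

# Constructed sample data, not taken from a real deployment.
HIVE = [sample_policy({"database": ["sales"], "table": ["orders", "refunds"], "column": ["*"]}),
        sample_policy({"database": ["hr"], "table": ["*"], "column": ["*"]})]
TRINO = [sample_policy({"catalog": ["hive"], "schema": ["sales"], "table": ["orders"]}),
         sample_policy({"catalog": ["hive"], "schema": ["hr"], "table": ["*"]}, enabled=False)]

if __name__ == "__main__":
    for db, tbl in uncovered(HIVE, TRINO):
        print(f"no enabled cm_trino allow policy covers hive.{db}.{tbl}")
```

On the sample data the check reports `sales.refunds` (no matching cm_trino policy) and `hr.*` (the matching cm_trino policy is disabled).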
Access Request Audit
Audit log entries are created for requests, detailing the request information and the authorization outcome (allow or deny). These logs can be viewed through the Audits service in the Ranger Admin Web UI.
