cm_trino service user impersonation behavior

The Ranger Trino authorization service (cm_trino) is configured with a default security posture that is too permissive. Learn how you can review and reinforce these settings to prevent unauthorized user impersonation.

By default, the Ranger configuration parameter ranger.default.policy.groups is populated with a specific administrative group (_c_ranger_admins_….). As a result, the default Ranger policy, "all - trinouser", allows all users within this administrative group to impersonate any other user.

In production environments, apply one of the following recommendations to restrict user impersonation and avoid a relaxed security posture:

Service-level impersonation
Only specific technical service users (typically prefixed with srv_) require the ability to act on behalf of any user. You can modify the "all - trinouser" Ranger policy to include only these specific users or groups.
User self-impersonation
Trino requires an explicit policy to allow an authenticated user to act on their own behalf. Therefore, you can create a self-impersonation policy in the Ranger Trino service and grant the impersonate permission under "Allow Conditions" for the Trino user "{USER}". This ensures that a user can only impersonate themselves.

User self-impersonation policy for Ranger Trino authorization service
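One way to review these settings is to audit an exported copy of the cm_trino policies, as in the following added example (not Cloudera or Ranger code). It assumes the export uses Ranger's policy JSON field names (policies, resources, policyItems, accesses, users, groups) and that a trinouser resource of "{USER}" marks a self-impersonation policy; the sample policies and the group name example_ranger_admins are constructed.

```python
import json

# Constructed sample shaped like a Ranger policy export; field names are assumed.
SAMPLE_EXPORT = json.loads("""
{"policies": [
  {"name": "all - trinouser", "isEnabled": true,
   "resources": {"trinouser": {"values": ["*"]}},
   "policyItems": [{"accesses": [{"type": "impersonate", "isAllowed": true}],
                    "users": ["srv_etl"], "groups": ["example_ranger_admins"]}]},
  {"name": "self-impersonation", "isEnabled": true,
   "resources": {"trinouser": {"values": ["{USER}"]}},
   "policyItems": [{"accesses": [{"type": "impersonate", "isAllowed": true}],
                    "users": ["{USER}"], "groups": []}]}
]}
""")

SERVICE_PREFIX = "srv_"  # service-user naming convention mentioned on the page


def audit_impersonation(export, allowed_groups=()):
    """Return (policy, kind, principal) for every broad impersonation grant."""
    findings = []
    for policy in export.get("policies", []):
        resource = policy.get("resources", {}).get("trinouser")
        if not policy.get("isEnabled", True) or resource is None:
            continue
        # Targets limited to {USER} mean a caller can only act as themselves.
        if set(resource.get("values", [])) == {"{USER}"}:
            continue
        for item in policy.get("policyItems", []):
            grants = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
            if "impersonate" not in grants:
                continue
            for user in item.get("users", []):
                if not user.startswith(SERVICE_PREFIX):
                    findings.append((policy["name"], "user", user))
            for group in item.get("groups", []):
                if group not in allowed_groups:
                    findings.append((policy["name"], "group", group))
    return findings


if __name__ == "__main__":
    for name, kind, principal in audit_impersonation(SAMPLE_EXPORT):
        print(f"{name}: {kind} '{principal}' can impersonate other users")
```

Pass any group that is intentionally allowed to impersonate through allowed_groups so that only unexpected grants are reported.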