System Access Control

Presto separates the concept of the principal who authenticates to the coordinator from the username that is responsible for running queries. When running the Presto CLI, for example, the Presto username can be specified using the --user option.

By default, the Presto coordinator allows any principal to run queries as any Presto user. In a secure environment, this is probably not desirable behavior and likely requires customization.

Implementation

SystemAccessControlFactory is responsible for creating a SystemAccessControl instance. It also defines a SystemAccessControl name which is used by the administrator in a Presto configuration.

SystemAccessControl implementations have several responsibilities:

  • Verifying whether or not a given principal is authorized to execute queries as a specific user.

  • Determining whether or not a given user can alter values for a given system property.

  • Performing access checks across all catalogs. These access checks happen before any connector specific checks and thus can deny permissions that would otherwise be allowed by ConnectorAccessControl.

The implementation of SystemAccessControl and SystemAccessControlFactory must be wrapped as a plugin and installed on the Presto cluster.

Row Filters and Column Masks

The access control implementation can optionally provide row filters and column masks to control viewing of specific rows or mask sensitive values in columns. The filters and masks are retrieved per table from the given Identity, schema, table, and column names. The returned filters and masks will be in the form of a ViewExpression that is then applied to the query plan before execution. Filters and masks can also be supplied at the connector level from a ConnectorAccessControl implementation.

Configuration

After a plugin that implements SystemAccessControl and SystemAccessControlFactory has been installed on the coordinator, it is configured using an etc/access-control.properties file. All of the properties other than access-control.name are specific to the SystemAccessControl implementation.

The access-control.name property is used by Presto to find a registered SystemAccessControlFactory based on the name returned by SystemAccessControlFactory.getName(). The remaining properties are passed as a map to SystemAccessControlFactory.create().

Example configuration file:

access-control.name=custom-access-control
custom-property1=custom-value1
custom-property2=custom-value2