10.6. System Access Control

Presto separates the concept of the principal who authenticates to the coordinator from the username that is responsible for running queries. When running the Presto CLI, for example, the Presto username can be specified using the --user option.

By default, the Presto coordinator allows any principal to run queries as any Presto user. In a secure environment, this is probably not desirable behavior and likely requires customization.

Implementation

SystemAccessControlFactory is responsible for creating a SystemAccessControl instance. It also defines a SystemAccessControl name which is used by the administrator in a Presto configuration.

SystemAccessControl implementations have several responsibilities:

  • Verifying whether or not a given principal is authorized to execute queries as a specific user.
  • Determining whether or not a given user can alter values for a given system property.
  • Performing access checks across all catalogs. These access checks happen before any connector-specific checks and thus can deny permissions that would otherwise be allowed by ConnectorAccessControl.

The implementation of SystemAccessControl and SystemAccessControlFactory must be wrapped as a plugin and installed on the Presto cluster.

Configuration

After a plugin that implements SystemAccessControl and SystemAccessControlFactory has been installed on the coordinator, it is configured using an etc/access-control.properties file. All of the properties other than access-control.name are specific to the SystemAccessControl implementation.

The access-control.name property is used by Presto to find a registered SystemAccessControlFactory based on the name returned by SystemAccessControlFactory.getName(). The remaining properties are passed as a map to SystemAccessControlFactory.create().

Example configuration file:

  access-control.name=custom-access-control
  custom-property1=custom-value1
  custom-property2=custom-value2
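
As an added illustration (not code from the Presto project), the plain-Java class below shows one deny-by-default rule for the first responsibility listed under Implementation, built from the property map described under Configuration. The class name PrincipalUserRule, the property names allowed-realm and impersonator-principals, and the user@REALM principal format are assumptions; a SystemAccessControl implementation would call mayRunAs from its principal-to-user check and deny the query when it returns false.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added example: hypothetical class and property names, not part of the Presto SPI.
public final class PrincipalUserRule {
    private final String realm;              // hypothetical property "allowed-realm"
    private final Set<String> impersonators; // hypothetical property "impersonator-principals"

    // config is the property map that SystemAccessControlFactory.create() receives
    public PrincipalUserRule(Map<String, String> config) {
        realm = config.get("allowed-realm");
        if (realm == null || realm.isEmpty()) {
            throw new IllegalArgumentException("allowed-realm must be set"); // fail closed at startup
        }
        impersonators = Arrays.stream(config.getOrDefault("impersonator-principals", "").split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Deny by default: true only when the principal may run queries as userName.
    public boolean mayRunAs(Principal principal, String userName) {
        if (principal == null || userName == null || userName.isEmpty()) {
            return false; // unauthenticated connection or missing user name
        }
        String name = principal.getName();
        if (impersonators.contains(name)) {
            return true; // explicitly trusted service principal
        }
        int at = name.lastIndexOf('@');
        if (at <= 0 || !name.substring(at + 1).equals(realm)) {
            return false; // no realm part, or a realm that is not trusted
        }
        return name.substring(0, at).equals(userName); // exact, case-sensitive match
    }

    public static void main(String[] args) {
        PrincipalUserRule rule = new PrincipalUserRule(Map.of(
                "allowed-realm", "EXAMPLE.COM", "impersonator-principals", "gateway@EXAMPLE.COM"));
        Principal alice = () -> "alice@EXAMPLE.COM"; // constructed sample principals
        Principal gateway = () -> "gateway@EXAMPLE.COM";
        System.out.println("alice as alice: " + rule.mayRunAs(alice, "alice"));
        System.out.println("alice as bob: " + rule.mayRunAs(alice, "bob"));
        System.out.println("gateway as bob: " + rule.mayRunAs(gateway, "bob"));
        System.out.println("other realm as alice: " + rule.mayRunAs(() -> "alice@OTHER.ORG", "alice"));
    }
}
```

Keeping the impersonator list short and explicit matters, because every principal on it can run queries as any Presto user.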