System access control
A system access control enforces authorization at a global level, before any connector level authorization. You can use one of the built-in implementations in Trino, or provide your own by following the guidelines in System access control.
To use a system access control, add an etc/access-control.properties file with the following content and the desired system access control name on all cluster nodes:

access-control.name=allow-all
Multiple system access control implementations may be configured at once using the access-control.config-files configuration property. It should contain a comma separated list of the access control property files to use (rather than the default etc/access-control.properties).
Trino offers the following built-in system access control implementations:

Name | Description
---|---
default | All operations are permitted, except for user impersonation and triggering Graceful shutdown. This is the default access control if none are configured.
allow-all | All operations are permitted.
read-only | Operations that read data or metadata are permitted, but none of the operations that write data or metadata are allowed.
file | Authorization rules are specified in a config file. See File-based access control.
opa | Use Open Policy Agent (OPA) for authorization. See Open Policy Agent access control.
If you want to limit access on a system level in any other way than the ones listed above, you must implement a custom System access control.
Access control must be configured on the coordinator. Authorization for operations on specific worker nodes, such as triggering Graceful shutdown, must also be configured on all workers.
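As an added example (not Trino's own code), the following audit shows which system access controls a coordinator would load from the access-control.config-files list or the default etc/access-control.properties, and flags the two permissive outcomes described above. It assumes Java .properties syntax and that access-control.config-files is set in etc/config.properties; the install tree is modelled as a constructed dict of path to file text.

```python
# Added example, not Trino's own code. Assumes Java .properties syntax and that
# access-control.config-files lives in etc/config.properties; the install tree
# is a constructed dict of path -> file text so the audit runs offline.

def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:  # a bare key without a value carries nothing useful here
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props

def configured_access_controls(tree: dict) -> list:
    """access-control.name of every file the coordinator would load, in order."""
    config = parse_properties(tree.get("etc/config.properties", ""))
    listed = config.get("access-control.config-files", "")
    files = [p.strip() for p in listed.split(",") if p.strip()]
    if not files:  # no explicit list: the conventional file, or 'default' if absent
        if "etc/access-control.properties" not in tree:
            return []
        files = ["etc/access-control.properties"]
    names = []
    for path in files:
        if path not in tree:
            raise FileNotFoundError(f"{path}: listed in access-control.config-files but missing")
        props = parse_properties(tree[path])
        if "access-control.name" not in props:
            raise ValueError(f"{path}: access-control.name is not set")
        names.append(props["access-control.name"])
    return names

def audit(names: list) -> list:
    """Findings a reviewer would raise about the loaded set of access controls."""
    findings = []
    if not names:
        findings.append("none configured: built-in 'default' applies (only impersonation and graceful shutdown are denied)")
    if "allow-all" in names:
        findings.append("allow-all is loaded: every operation, impersonation included, is permitted")
    return findings

# Constructed sample: an explicit list pairing read-only with the file-based
# control (the rules file path is an illustrative assumption).
SAMPLE_TREE = {
    "etc/config.properties": "coordinator=true\n"
        "access-control.config-files=etc/access-control.properties, etc/rules-control.properties\n",
    "etc/access-control.properties": "# global policy\naccess-control.name=read-only\n",
    "etc/rules-control.properties": "access-control.name=file\nsecurity.config-file=etc/rules.json\n",
}
```

Running `audit(configured_access_controls(SAMPLE_TREE))` on the sample yields no findings; remove both files from the tree and the audit reports that the built-in default applies.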
Read only system access control
This access control allows any operation that reads data or metadata, such as SELECT or SHOW. Setting system level or catalog level session properties is also permitted. However, any operation that writes data or metadata, such as CREATE, INSERT or DELETE, is prohibited.
To use this access control, add an etc/access-control.properties file with the following contents:

access-control.name=read-only