Access management in Managed Service for Trino

Managed Service for Trino provides unified access to data from multiple sources, such as storage systems, databases, and external services. A single Managed Service for Trino cluster can serve multiple users and workloads. Access management in Managed Service for Trino enables you to:

• Segregate access to cluster objects for users and groups with different roles and tasks.
• Prevent unauthorized data operations.
• Prevent users from abusing system resources.

In Managed Service for Trino, you can manage access using access rules, which declaratively describe the allowed and prohibited operations on cluster objects for users and groups.

Rule structureRule structure

User access to Managed Service for Trino cluster objects results from a combination of these two types of rules:

• Top-level rules which control access to all objects in the catalog.
• Granular rules which control access to individual schemas, tables, functions, procedures, queries, session’s system properties, or catalog’s session properties.

Each access rule contains the following parameter groups:

• Subjects: Users or user groups the rule applies to.
• Objects: Managed Service for Trino cluster objects the rule applies to. These can be specified explicitly (e.g., a function with a given name) or implicitly (e.g., all functions of a given schema).
• Privileges: Actions users can perform on objects.
• Additional parameters: Other rule parameters, e.g., its description.

As soon as a user accesses an object, all rules for objects of that type get checked for matches. Rules are checked in their declaration order. The first rule matching the user-object pair applies.

For more information about access rule management in Managed Service for Trino, see this guide.

Managing rulesManaging rules

In Managed Service for Trino, access rules are managed resources within a cluster. Therefore, you can manage rules using the Yandex Cloud CLI, Terraform, and gRPC API. You can set access rules when creating a new cluster or updating an existing one.

To update access rules, you do not have to restart Managed Service for Trino cluster nodes.

Auto-updating of rulesAuto-updating of rules

Managed Service for Trino automatically updates access rules when you rename or delete catalogs:

• Catalog names and IDs get validated. If catalog name or ID contains an error, the rule will not be created.
• If you rename a catalog, its name will be automatically updated in all the rules that contain it.
• If you delete a catalog, its name and ID will be automatically deleted from all the rules that contain them. If you delete the only catalog specified in the rule, the rule itself will be automatically deleted.