Managing procedure access in Managed Service for Trino

Written by

Updated at June 15, 2026

Setting rules when creating a cluster
Setting rules for an existing cluster
Example of setting procedure access rules

Procedure access rules define the actions users can perform with custom procedures in a Managed Service for Trino cluster.

Note

You cannot set restrictions on running procedures invoked via the system schema, i.e., Trino system procedures.

For each user-procedure pair, the rules apply as follows:

Rules are checked in the order of their declaration. The first rule matching the user-procedure pair applies.
If none of the rules match the user-procedure pair, the user is denied all actions with the procedure.
If no procedure access rules are set, each user can run only system procedures.
Procedure access rules apply together with the top-level rules for objects in catalogs.

Setting rules when creating a cluster

You can set procedure access rules when creating a Managed Service for Trino cluster.

Warning

Procedure and schema names specified in the rules are not validated. If a procedure name or a schema name contains an error, the rule will not apply correctly.

Management console

CLI

Terraform

REST API

gRPC API

In the management console, select the folder where you want to create a Managed Service for Trino cluster.
Navigate to Managed Service for Trino.
Click Create cluster and set the cluster parameters.
Under Access settings, click .
In the Procedures field, click Add rule.
In the window that opens, set up the rule:
1. Optionally, provide a rule description in the Comment field.
2. Optionally, in the Users field, select the users the rule applies to:
  1. Click Add.
  2. Select the users from the list that opens. Use the search bar above the list to find particular users.
  3. To deselect a user selected by mistake, click that user again in the list.
  If no user is selected, the rule applies to all users.
3. Optionally, in the Groups field, select the user groups the rule applies to:
  1. Click Add.
  2. From the list that opens, select the groups. Use the search bar above the list to find particular groups.
  3. To delete a group selected by mistake, click it again in the list.
  If you select no groups, the rule applies to all user groups.
4. Optionally, select EXECUTE in the Privileges field to enable calling the procedure. If you do not select any privileges, the rule will prohibit any actions with the procedures.
5. Optionally, specify full names of the procedures the rule will apply to, formatted as <catalog_name>.<schema_name>.<procedure_name>. Use a separate field for each part of the name.
  1. Select format for the catalogs:
    - Name: Select catalog names. You can only select catalogs added in Catalogs.
    - Name (regular expression): Enter a regular expression for catalog names.
    - Not specified: The <catalog_name> field may contain any value.
  2. Select format for the schemas:
    - Name: Select schema names.
    - Name (regular expression): Enter a regular expression for schema names.
    - Not specified: The <schema_name> field may contain any value.
  3. Select format for the procedures:
    - Name: Select procedure names.
    - Name (regular expression): Enter a regular expression for procedure names.
    - Not specified: The <procedure_name> field may contain any value.
Add other rules in the same way as needed.
To delete a rule added by mistake, click in the line with this rule.
Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

To set procedure access rules:

Create a file named access_control.yaml and paste the following code into it:
```
procedures:
  # Rule 1
  - privileges: [<list_of_privileges>]
    catalog:
      name_regexp: <regular_expression>
    schema:
      names:
        any: [<list_of_schema_names>]
      name_regexp: <regular_expression>
    procedure:
      names:
        any: [<list_of_procedure_names>]
      name_regexp: <regular_expression>
    groups: [<list_of_group_IDs>]
    users: [<list_of_user_IDs>]
    description: <rule_description>
  # Rule 2
  - <Rule_2_parameters>
  ...
  # Rule N
  - <Rule_N_parameters>
```
Where:
- procedures: List of procedure rules. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs set using the name_regexp parameter (regular expression for catalog names).
    
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
View the description of the CLI command for creating a cluster:
```
yc managed-trino cluster create --help
```

Run this command:

yc managed-trino cluster create \
  ...
  --access-control-from-file access_control.yaml

For available cluster parameters and their descriptions, see this guide.

Create a Terraform configuration file describing your infrastructure.
Add the yandex_trino_access_control resource with the procedures rule list to the configuration file.
```
resource "yandex_trino_cluster" "<cluster_name>" {
  ...
}

resource "yandex_trino_catalog" "<catalog_1_name>" {
  ...
}

resource "yandex_trino_catalog" "<catalog_2_name>" {
  ...
}

...

resource "yandex_trino_catalog" "<catalog_N_name>" {
  ...
}

resource "yandex_trino_access_control" "trino_access_control" {
  ...
  cluster_id  = yandex_trino_cluster.<cluster_name>.id
  procedures = [
    # Rule 1
    {
      privileges    = ["<list_of_privileges>"]
      catalog       = {
        ids         = [
          yandex_trino_catalog.<catalog_1_name>.id,
          yandex_trino_catalog.<catalog_2_name>.id,
          ... 
          yandex_trino_catalog.<catalog_N_name>.id
        ]
        name_regexp = "<regular_expression>"
      }
      schema        = {
        names       = ["<list_of_schema_names>"]
        name_regexp = "<regular_expression>"
      }
      procedure     = {
        names       = ["<list_of_procedure_names>"]
        name_regexp = "<regular_expression>"
      }
      users         = ["<list_of_user_IDs>"]
      groups        = ["<list_of_group_IDs>"]
      description   = "<rule_description>"
    },
    # Rule 2
    {
      ... 
    },
    ...
    # Rule N
    {
      ... 
    }
  ]
  ...
}
```
Where:
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - ids: List of catalog IDs. These catalogs must be created in the same manifest.
    - name_regexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
Make sure the settings are correct.
1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
2. Run this command:
```
terraform validate
```
  Terraform will show any errors found in your configuration files.
Confirm updating the resources.
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Create a file named body.json and paste the following code into it:
```
{
  <cluster_parameters>
  ...
  "trino": {
    "catalogs": [
      {
        "name": "catalog_1_name",
        ...
      },
      {
        "name": "catalog_2_name",
        ...
      },
      ...
      {
        "name": "catalog_N_name",
        ...
      }
    ]
    ...
    "accessControl": {
      "procedures": [
        {
          "privileges": [
            "<list_of_privileges>"
          ],
          "catalog": {
            "names": {
              "any": [
                "<catalog_1_name>",
                "<catalog_2_name>",
                ...
                "<catalog_N_name>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "schema": {
            "names": {
              "any": [
                "<list_of_schema_names>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "procedure": {
            "names": {
              "any": [
                "<list_of_procedure_names>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "users": [
            "<list_of_user_IDs>"
          ],
          "groups": [
            "<list_of_group_IDs>"
          ],
          "description": "<rule_description>"
        },
        {
          <Rule_2_section>
        },
        ...
        {
          <Rule_N_section>
        }
      ]
    }
  }
}
```
Where:
- accessControl: Access rule configuration in the cluster.
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - names: List of catalog names. You must create catalogs within the same Cluster.Create call.
    - nameRegexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - nameRegexp: Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - nameRegexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
For available cluster parameters and their descriptions, see this guide.

Call the Cluster.Create method, e.g., via the following cURL request:

curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters'
    --data '@body.json'

View the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.
Create a file named body.json and paste the following code into it:
```
{
  <cluster_parameters>
  ...
  "trino": {
    "catalogs": [
      {
        "name": "catalog_1_name",
        ...
      },
      {
        "name": "catalog_2_name",
        ...
      },
      ...
      {
        "name": "catalog_N_name",
        ...
      }
    ]
    ...
    "access_control": {
      "procedures": [
        {
          "privileges": [
            "<list_of_privileges>"
          ],
          "catalog": {
            "names": {
              "any": [
                "<catalog_1_name>",
                "<catalog_2_name>",
                ...
                "<catalog_N_name>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "schema": {
            "names": {
              "any": [
                "<list_of_schema_names>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "procedure": {
            "names": {
              "any": [
                "<list_of_procedure_names>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "users": [
            "<list_of_user_IDs>"
          ],
          "groups": [
            "<list_of_group_IDs>"
          ],
          "description": "<rule_description>"
        },
        {
          <Rule_2_section>
        },
        ...
        {
          <Rule_N_section>
        }
      ]
    }
  }
}
```
Where:
- access_control: Access rule configuration in the cluster.
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - names: List of catalog names. You must create catalogs within the same ClusterService/Create call.
    - name_regexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
For available cluster parameters and their descriptions, see this guide.

Call the ClusterService/Create method, e.g., via the following gRPCurl request:

grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d @ \
    trino.api.cloud.yandex.net:443 \
    yandex.cloud.trino.v1.ClusterService.Create \
    < body.json

Check the server response to make sure your request was successful.

Setting rules for an existing cluster

You can set or update procedure access rules for an existing Managed Service for Trino cluster.

Warning

Procedure and schema names specified in the rules are not validated. If a procedure name or a schema name contains an error, the rule will not apply correctly.

Management console

CLI

Terraform

REST API

gRPC API

In the management console, navigate to the relevant folder.
Navigate to Managed Service for Trino.
Click the cluster name.
Go to Access settings → Procedures.
To add a rule, click Add rule. In the window that opens, set up the rule:
1. Optionally, provide a rule description in the Comment field.
2. Optionally, in the Users field, select the users the rule applies to:
  1. Click Add.
  2. Select the users from the list that opens. Use the search bar above the list to find particular users.
  3. To deselect a user selected by mistake, click that user again in the list.
  If no user is selected, the rule applies to all users.
3. Optionally, in the Groups field, select the user groups the rule applies to:
  1. Click Add.
  2. From the list that opens, select the groups. Use the search bar above the list to find particular groups.
  3. To delete a group selected by mistake, click it again in the list.
  If you select no groups, the rule applies to all user groups.
4. Optionally, select EXECUTE in the Privileges field to enable calling the procedure. If you do not select any privileges, the rule will prohibit any actions with the procedures.
5. Optionally, specify full names of the procedures the rule will apply to, formatted as <catalog_name>.<schema_name>.<procedure_name>. Use a separate field for each part of the name.
  1. Select format for the catalogs:
    - ID: Select catalog IDs. You can only select catalogs from those present in the cluster.
    - Name: Select catalog names. You can only select catalogs existing in the cluster.
    - Name (regular expression): Enter a regular expression for catalog names.
    - Not specified: The <catalog> field may contain any value.
  2. Select format for the schemas:
    - Name: Select schema names.
    - Name (regular expression): Enter a regular expression for schema names.
    - Not specified: The <schema_name> field may contain any value.
  3. Select format for the procedures:
    - Name: Select procedure names.
    - Name (regular expression): Enter a regular expression for procedure names.
    - Not specified: The <procedure_name> field may contain any value.
Add other rules in the same way as needed.
To edit a rule:
1. Click in the line with this rule.
2. Update the rule settings and click Update.
To delete a rule you no longer need, сlick in the line with this rule.
Click Save changes.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

To set procedure access rules:

If you have not set any access rules yet, create a file named access_control.yaml and paste the following into it:
```
procedures:
  # Rule 1
  - privileges: [<list_of_privileges>]
    catalog:
      ids:
        any: [<list_of_catalog_IDs>]
      names:
        any: [<list_of_catalog_names>]
      name_regexp: <regular_expression>
    schema:
      names:
        any: [<list_of_schema_names>]
      name_regexp: <regular_expression>
    procedure:
      names:
        any: [<list_of_procedure_names>]
      name_regexp: <regular_expression>
    groups: [<list_of_group_IDs>]
    users: [<list_of_user_IDs>]
    description: <rule_description>
  # Rule 2
  - <Rule_2_parameters>
  ...
  # Rule N
  - <Rule_N_parameters>
```
Where:
- procedures: List of procedure rules. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - ids: List of catalog IDs. These must be the existing catalogs.
  - names: List of catalog names. These must be the existing catalogs.
  - name_regexp: Regular expression for catalog names.
    
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
If you have already set the access rules, open access_control.yaml and edit it as needed. You can:
- Add new rules.
- Update the existing ones.
- Delete the rules you no longer need.

Run this command:

yc managed-trino cluster set-access-control <cluster_name_or_ID> \
  --from-file access_control.yaml

You can get the cluster ID and name with the list of clusters in the folder.

Open the current Terraform configuration file describing your infrastructure.

For more on how to create this file, see Creating a cluster.
If you have not set any access rules yet, add the yandex_trino_access_control resource containing the procedures rule list.
```
resource "yandex_trino_cluster" "<cluster_name>" {
  ...
}

resource "yandex_trino_catalog" "<catalog_1_name>" {
  ...
}

resource "yandex_trino_catalog" "<catalog_2_name>" {
  ...
}

...

resource "yandex_trino_catalog" "<catalog_N_name>" {
  ...
}

resource "yandex_trino_access_control" "trino_access_control" {
  ...
  cluster_id  = yandex_trino_cluster.<cluster_name>.id
  procedures = [
    # Rule 1
    {
      privileges    = ["<list_of_privileges>"]
      catalog       = {
        ids         = [
          yandex_trino_catalog.<catalog_1_name>.id,
          yandex_trino_catalog.<catalog_2_name>.id,
          ... 
          yandex_trino_catalog.<catalog_N_name>.id
        ]
        name_regexp = "<regular_expression>"
      }
      schema        = {
        names       = ["<list_of_schema_names>"]
        name_regexp = "<regular_expression>"
      }
      procedure     = {
        names       = ["<list_of_procedure_names>"]
        name_regexp = "<regular_expression>"
      }
      users         = ["<list_of_user_IDs>"]
      groups        = ["<list_of_group_IDs>"]
      description   = "<rule_description>"
    },
    # Rule 2
    {
      ... 
    },
    ...
    # Rule N
    {
      ... 
    }
  ]
  ...
}
```
Where:
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - ids: List of catalog IDs. These must exist or be created in the same manifest.
    - name_regexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
If you have already set the access rules, edit the yandex_trino_access_control resource description. You can:
- Add new rules.
- Update the existing ones.
- Delete the rules you no longer need.
Make sure the settings are correct.
1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
2. Run this command:
```
terraform validate
```
  Terraform will show any errors found in your configuration files.
Confirm updating the resources.
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
If you have not set any access rules yet, create a file named body.json and paste the following code into it:
```
{
  "updateMask": "trino.accessControl.procedures",
  "trino": {
    "accessControl": {
      "procedures": [
        {
          "privileges": [
            "<list_of_privileges>"
          ],
          "catalog": {
            "ids": {
              "any": [
                "<list_of_catalog_IDs>"
              ]
            },
            "names": {
              "any": [
                "<list_of_catalog_names>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "schema": {
            "names": {
              "any": [
                "<list_of_schema_names>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "procedure": {
            "names": {
              "any": [
                "<list_of_procedure_names>"
              ]
            },
            "nameRegexp": "<regular_expression>"
          },
          "users": [
            "<list_of_user_IDs>"
          ],
          "groups": [
            "<list_of_group_IDs>"
          ],
          "description": "<rule_description>"
        },
        {
          <Rule_2_section>
        },
        ...
        {
          <Rule_N_section>
        }
      ]
    }
  }
}
```
Where:
- updateMask: Comma-separated list of parameters to update.
  
  Warning
  
  When you update a cluster, all parameters of the object you are modifying will be reset to their defaults unless explicitly provided in the request. To avoid this, list the settings you want to change in the updateMask parameter.
- accessControl: Access rule configuration in the cluster.
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - ids: List of catalog IDs. These must be the existing catalogs.
    - names: List of catalog names. These must be the existing catalogs.
    - nameRegexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - nameRegexp: Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - nameRegexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
If you have already set the access rules, open the existing body.json rules file and edit it as needed. You can:
- Add new rules.
- Update the existing ones.
- Delete the rules you no longer need.

Call the Cluster.Update method, e.g., via the following cURL request:

curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>'
  --data '@body.json'

You can get the cluster ID with the list of clusters in the folder.

Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.
If you have not set any access rules yet, create a file named body.json and paste the following code into it:
```
{
  "cluster_id": "<cluster_ID>",
  "update_mask": {
    "paths": [
      "trino.access_control.procedures"
    ]
  },
  "trino": {
    "access_control": {
      "procedures": [
        {
          "privileges": [
            "<list_of_privileges>"
          ],
          "catalog": {
            "ids": {
              "any": [
                "<list_of_catalog_IDs>"
              ]
            },
            "names": {
              "any": [
                "<list_of_catalog_names>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "schema": {
            "names": {
              "any": [
                "<list_of_schema_names>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "procedure": {
            "names": {
              "any": [
                "<list_of_procedure_names>"
              ]
            },
            "name_regexp": "<regular_expression>"
          },
          "users": [
            "<list_of_user_IDs>"
          ],
          "groups": [
            "<list_of_group_IDs>"
          ],
          "description": "<rule_description>"
        },
        {
          <Rule_2_section>
        },
        ...
        {
          <Rule_N_section>
        }
      ]
    }
  }
}
```
Where:
- cluster_id: Cluster ID.
  
  You can get the cluster ID with the list of clusters in the folder.
- update_mask: List of parameters to update as an array of strings (paths[]).
  Format for listing settings
  "update_mask": { "paths": [ "<setting_1>", "<setting_2>", ... "<setting_N>" ] }
  Warning
  
  When you update a cluster, all parameters of the object you are modifying will be reset to their defaults unless explicitly provided in the request. To avoid this, list the settings you want to change in the update_mask parameter.
- access_control: Access rule configuration in the cluster.
- procedures: List of rule sections for procedures. All the rule parameters are optional: privileges, catalog, schema, procedure, groups, users, and description.
- privileges: Permitted actions with procedures:
  - EXECUTE: Allows calling the procedure.
  If you do not specify the privileges parameter, the rule will prohibit any actions with the procedures.
- Combined, catalog, schema, and procedure define the procedures the rule will apply to. Each of them is optional.
  - catalog: Catalogs specified by one of the following:
    - ids: List of catalog IDs. These must be the existing catalogs.
    - names: List of catalog names. These must be the existing catalogs.
    - name_regexp: Regular expression for catalog names.
    Omitting the catalog section is equivalent to using the .* regular expression.
  - schema: Schemas specified by one of the following:
    - names: List of schema names.
    - Name (regular expression): Regular expression for schema names.
    Omitting the schema section is equivalent to using the .* regular expression.
  - procedure: Procedures specified by one of the following:
    - names: List of procedure names.
    - name_regexp: Regular expression for procedure names.
    Omitting the procedure section is equivalent to using the .* regular expression.
  Note
  
  In Managed Service for Trino, full procedure name follows this template: <catalog_name>.<schema_name>.<procedure_name>. The rule applies to a procedure only if its full name is consistent with all the specified parameters.
- The users and groups parameters define users the rule applies to.
  - users: List of user IDs. The rule will only apply to the specified users.
  - groups: List of group IDs. The rule will only apply to users who belong to at least one of these groups.
  You can specify either one or both parameters. If you specify both, the rule will apply to all users from the users parameter who also belong to at least one group listed under groups. If neither parameter is provided, the rule will apply to all users.
- description: Rule description.
If you have already set the access rules, open the existing body.json rules file and edit it as needed. You can:
- Add new rules.
- Update the existing ones.
- Delete the rules you no longer need.

Call the ClusterService.Update method, e.g., via the following gRPCurl request:

grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d @ \
  trino.api.cloud.yandex.net:443 \
  yandex.cloud.trino.v1.ClusterService.Update \
  < body.json

Check the server response to make sure your request was successful.

Example of setting procedure access rules

Let's configure access rules for custom procedures in a Trino cluster:

Prohibit any actions with procedures to the user with the banned_user_id.
Allow users in the group with the admins_group_id to call procedures.
Prohibit any actions with procedures to all other users.

CLI

Terraform

REST API

gRPC API

The access_control.yaml file for this rule set is as follows:

procedures:
  - users:
      - banned_user_id

  - groups:
      - admins_group_id
    privileges:
      - EXECUTE

The configuration file for this rule set is as follows:

resource "yandex_trino_access_control" "trino_access_control" {
  ...
  cluster_id  = <cluster_ID>
  procedures = [
    {
      users         = ["banned_user_id"]
    },
    {
      groups        = ["admins_group_id"]
      privileges    = ["EXECUTE"]
    },
  ]
  ...
}

The body.json file for this rule set is as follows:

{
  "updateMask": "trino.accessControl.procedures",
  "trino": {
    "accessControl": {
      "procedures": [
        {
          "users": [
            "banned_user_id"
          ]
        },
        {
          "groups": [
            "admins_group_id"
          ],
          "privileges": [
            "EXECUTE"
          ]
        }
      ]
    }
  }
}

The body.json file for this rule set is as follows:

{
  "cluster_id": "<cluster_ID>",
  "update_mask": {
    "paths": [
      "trino.access_control.procedures"
    ]
  },
  "trino": {
    "access_control": {
      "procedures": [
        {
          "users": [
            "banned_user_id"
          ]
        },
        {
          "groups": [
            "admins_group_id"
          ],
          "privileges": [
            "EXECUTE"
          ]
        }
      ]
    }
  }
}

Managing procedure access in Managed Service for Trino

Setting rules when creating a clusterSetting rules when creating a cluster

Setting rules for an existing clusterSetting rules for an existing cluster

Example of setting procedure access rulesExample of setting procedure access rules

Was the article helpful?

Setting rules when creating a cluster

Setting rules for an existing cluster

Example of setting procedure access rules