Configure External Location Access Check for Trino on EMR

External Location Access Policy Evaluation Order for Catalogs

Note

This feature is enabled by default.

External Location access control for different catalog types follows a defined evaluation order across the configured Privacera policy repositories. Based on the catalog type (e.g., Hive or others), the plugin checks each repository in sequence, granting access based on the first applicable policy.

Catalog: Hive
Access check order:
  1. privacera_s3
  2. privacera_files
  3. privacera_hive
Notes: The plugin first checks the privacera_s3 repository. If unavailable or no S3 policy allows access, it falls back to privacera_files. If access is still not granted, it finally checks privacera_hive.

Catalog: Other Catalogs
Access check order:
  1. privacera_s3
  2. privacera_files
Notes: The plugin first attempts to use privacera_s3. If unavailable or no S3 policy permits access, it checks privacera_files. Note: The privacera_hive repository is not applicable to non-Hive catalogs.

Disable External Location Access Check

Disabling external location access check is not recommended. It may lead to security vulnerabilities.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to navigate to the /config directory.

    Bash
    cd ~/privacera/privacera-manager/config
    

  3. Run the following command to open the .yml file to be edited.

    Bash
    vi custom-vars/vars.emr.yml
    

  4. Uncomment and update the following property to disable file location authorization for Trino on EMR:

    YAML
    EMR_TRINO_FILE_LOCATION_AUTHZ_ENABLED: "false"
    

  5. Once the property is configured, update your Privacera Manager platform instance by running the following commands.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Note

  • The default value is "true" (enabled), which means file location authorization is enforced by default.
  • Setting this to "false" disables authorization checks for file locations (S3/ADLS/Files) in CREATE/ALTER TABLE/DATABASE statements with LOCATION clauses.
  • This property is applied during EMR cluster creation via the bootstrap action that installs the Trino plugin.
  • For existing clusters, you need to update the vars.emr.yml file and create a new cluster with the updated configuration.

Verification

After creating an EMR cluster with this configuration, verify the setting as follows:

  1. SSH into the EMR master node.
  2. Check the Trino configuration file:
    Bash
    cat /usr/lib/trino/etc/access-control.properties | grep filelocation
    
  3. If disabled, you should see:
    Text Only
    ranger.policy.authorization.filelocation.enabled=false
    
  4. If enabled (default), this property will not appear in the file (as it defaults to true).
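
The check in steps 2 to 4, as an added example (not Privacera's own tooling): a shell function that reads access-control.properties and reports the effective state, treating a missing or commented-out property as the default. The function name, its exit codes and the Java properties parsing rules are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: report whether Trino file location authorization is enforced.
# Assumption: the file uses Java properties syntax (key=value or key:value,
# '#' or '!' comment lines) and the last occurrence of a key wins.
PROP='ranger.policy.authorization.filelocation.enabled'

filelocation_authz_state() {
  # $1 = path to access-control.properties
  local file="$1" value
  [ -r "$file" ] || { echo "unreadable"; return 2; }
  value=$(awk -v key="$PROP" '
    /^[ \t]*[#!]/ { next }                    # skip comment lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)                # leading whitespace is ignored
      if (index(line, key) != 1) next         # key must start the line
      rest = substr(line, length(key) + 1)
      if (rest !~ /^[ \t]*[=:]/) next         # reject longer keys sharing the prefix
      sub(/^[ \t]*[=:][ \t]*/, "", rest)
      sub(/[ \t\r]+$/, "", rest)
      found = 1; val = tolower(rest)          # last occurrence wins
    }
    END { if (found) print val; else print "__absent__" }
  ' "$file")
  case "$value" in
    __absent__|true) echo "enabled" ;;        # absent means the default, true
    false)           echo "disabled"; return 1 ;;
    *)               echo "unknown"; return 3 ;;  # unexpected value: review by hand
  esac
}

# On the master node:
#   filelocation_authz_state /usr/lib/trino/etc/access-control.properties
# Constructed sample (not from a real cluster): the commented-out line must not count.
sample=$(mktemp)
printf '%s\n' "# ${PROP}=true" "${PROP} = False" > "$sample"
filelocation_authz_state "$sample" || true    # prints: disabled
rm -f "$sample"
```

The non-zero exit status for "disabled" lets a cluster audit job fail when the check has been turned off.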