
Configure Deny Policy Dominance for Trino on EMR

Overview

By default, when Apache Ranger evaluates policies for operations that use the _any access type (for example, SHOW TABLES, SHOW SCHEMAS), an allow policy takes precedence over a deny policy for the same resource.

This feature reverses that behavior — when enabled, an explicit deny policy overrides any matching allow policy. This is useful when you want to enforce fine-grained exclusions within a broadly permitted resource scope, such as hiding specific tables inside a schema that is otherwise fully accessible.

Default behavior

This feature is disabled by default. Allow policies dominate deny policies unless explicitly configured.

How It Works

Consider a Hive schema with the following Ranger policies:

Policy    Type   Scope
Policy 1  Allow  All tables in the schema
Policy 2  Deny   A subset of tables in the same schema

The outcome of a SHOW TABLES query depends on the deny.dominates.in.any setting:

Setting                              Outcome
"false" (default, allow dominates)   All tables are listed, including those covered by the deny policy
"true" (deny dominates)              All tables are listed except those explicitly denied in Policy 2
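
The following is an added illustration of the evaluation rule described above, written for this page; it is not Apache Ranger's or Privacera's code, and the schema, table and policy names are constructed. It models an _any request (SHOW TABLES) against the two policies from the table and shows which tables are listed under each value of deny.dominates.in.any. It also covers the case the table leaves implicit: a table that only a deny policy covers is never listed under either setting.

```python
"""Model of how an _any access request is resolved under the two settings.

Illustrative code written for this page; it is not Apache Ranger's or
Privacera's implementation. Schema, table and policy names are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str      # "allow" or "deny"
    schema: str
    tables: tuple    # table names or wildcard patterns, e.g. ("*",)

    def matches(self, schema: str, table: str) -> bool:
        """A policy covers a table when the schema matches and any pattern matches."""
        return schema == self.schema and any(fnmatch(table, p) for p in self.tables)


def is_visible(policies: Iterable[Policy], schema: str, table: str,
               deny_dominates_in_any: bool) -> bool:
    """Resolve an _any request (SHOW TABLES) for a single table.

    _any is satisfied when at least one allow policy covers the resource.
    deny_dominates_in_any=False (default): a matching allow wins even when a
    deny policy also covers the table, so the table is listed.
    deny_dominates_in_any=True: an explicit deny removes the table from the
    result even though an allow policy covers it.
    A table with no allow policy is never listed under either setting.
    """
    allowed = any(p.effect == "allow" and p.matches(schema, table) for p in policies)
    denied = any(p.effect == "deny" and p.matches(schema, table) for p in policies)
    if deny_dominates_in_any:
        return allowed and not denied
    return allowed


def show_tables(policies: Iterable[Policy], schema: str, all_tables: Iterable[str],
                deny_dominates_in_any: bool) -> List[str]:
    """Return the tables SHOW TABLES would list for `schema`."""
    return [t for t in all_tables
            if is_visible(policies, schema, t, deny_dominates_in_any)]


# Constructed policies mirroring the scenario on this page.
POLICIES = (
    Policy("Policy 1", "allow", "sales", ("*",)),                # all tables in the schema
    Policy("Policy 2", "deny", "sales", ("salaries", "ssn_*")),  # a subset of the same schema
    Policy("Policy 3", "deny", "hr", ("*",)),                    # deny with no allow at all
)
SALES_TABLES = ["orders", "customers", "salaries", "ssn_lookup"]

if __name__ == "__main__":
    for setting in (False, True):
        print(f"deny.dominates.in.any={str(setting).lower()}:",
              show_tables(POLICIES, "sales", SALES_TABLES, setting))
```

Running the script prints all four sales tables for the default setting and only orders and customers once deny dominates; tables in the hr schema, which only a deny policy covers, are listed under neither setting.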

Configure the Setting

  1. SSH to the instance where Privacera Manager is installed.

  2. Navigate to the Privacera Manager configuration directory:

    Bash
    cd ~/privacera/privacera-manager/config
    

  3. Open the EMR variables file for editing:

    Bash
    vi custom-vars/vars.emr.yml
    

  4. Uncomment and set the following property:

    YAML
    EMR_TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY: "true"
    

    Note

    • Set to "true" to enable deny-dominates behavior: an explicit deny policy takes precedence over an allow policy for access types set to _any (for example, SHOW TABLES).
    • Set to "false" (default) to retain allow-dominates behavior.
  5. Apply the configuration by running the Privacera Manager post-install commands:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Configure via EMR Bootstrap Actions

Alternatively, when the cluster is launched from an EMR template, enable deny policy dominance for Trino by exporting EMR_TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY=true in the template's BootstrapActions before privacera_emr.sh runs, so the setup script picks it up on every node.

  1. Update the BootstrapActions configuration in the EMR template as shown below. Then, create a new EMR cluster with this template:

    privacera-emr-bootstrap-actions-trino-deny-dominates-in-any
    JSON
    "BootstrapActions":[
      {
        "Name":"Install Spark OLAC in Master Node",
        "ScriptBootstrapAction":{
          "Path":"s3://elasticmapreduce/bootstrap-actions/run-if",
          "Args":[
            {
              "Fn::Sub":"instance.isMaster=true"
            },
            {
              "Fn::Sub":"export EMR_TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY=true ; wget ${PrivaceraDownloadUrl}/privacera_emr.sh ; chmod +x ./privacera_emr.sh ; sudo -E ./privacera_emr.sh spark-olac"
            }
          ]
        }
      },
      {
        "Name":"Install Spark OLAC in Core Node",
        "ScriptBootstrapAction":{
          "Path":"s3://elasticmapreduce/bootstrap-actions/run-if",
          "Args":[
            {
              "Fn::Sub":"instance.isMaster=false"
            },
            {
              "Fn::Sub":"export EMR_TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY=true ; wget ${PrivaceraDownloadUrl}/privacera_emr.sh ; chmod +x ./privacera_emr.sh ; sudo -E ./privacera_emr.sh spark-olac"
            }
          ]
        }
      }
    ]
    

    Note

    • Set to true to enable deny-dominates behavior: an explicit deny policy takes precedence over an allow policy for access types set to _any (for example, SHOW TABLES).
    • Omitting this export (default) retains allow-dominates behavior.
  2. After updating the template, continue with the setup steps from Create EMR Cluster onward to launch a cluster from it. The export only takes effect on clusters created after the change; existing clusters are not updated.

Verification

After creating an EMR cluster with this configuration, verify the setting on the master node:

  1. SSH into the EMR master node.

  2. Run the following command to check both the Trino and Hive Ranger security configurations:

    Bash
    grep -R -A1 "policyengine.option.deny.dominates.in.any" /usr/lib/trino/etc/ranger-conf/*.xml
    
    When the setting is enabled, both properties show <value>true</value>:
    Text Only
    /usr/lib/trino/etc/ranger-conf/ranger-hive-privacera_hive-security.xml:    <name>ranger.plugin.hive.policyengine.option.deny.dominates.in.any</name>
    /usr/lib/trino/etc/ranger-conf/ranger-hive-privacera_hive-security.xml-    <value>true</value>
    --
    /usr/lib/trino/etc/ranger-conf/ranger-trino-security.xml:    <name>ranger.plugin.trino.policyengine.option.deny.dominates.in.any</name>
    /usr/lib/trino/etc/ranger-conf/ranger-trino-security.xml-    <value>true</value>

    If either file shows <value>false</value> or the property is absent, the setting did not reach that plugin: re-check the value in vars.emr.yml or the export in the bootstrap action and apply the configuration again.
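
For repeatable verification (for example from a bootstrap or CI check) the following is an added script written for this page; it is not Privacera tooling. It parses each *-security.xml file in the ranger-conf directory named above with a proper XML parser instead of grep, reports whether the option is enabled, explicitly disabled or missing per plugin, and exits non-zero unless every file has it enabled. The directory path and the *-security.xml glob are assumptions taken from the output above; the embedded XML samples are constructed to exercise the three outcomes.

```python
"""Check that deny.dominates.in.any is enabled in every Ranger plugin security file.

Added check written for this page, not Privacera tooling. It assumes the
Hadoop-style <configuration><property><name/><value/></property> layout and
the /usr/lib/trino/etc/ranger-conf directory shown on the page. The sample
XML below is constructed, not copied from a cluster.
"""
import glob
import sys
import xml.etree.ElementTree as ET
from typing import Dict

RANGER_CONF_DIR = "/usr/lib/trino/etc/ranger-conf"   # assumed path, as on the page
OPTION_SUFFIX = ".policyengine.option.deny.dominates.in.any"


def read_properties(xml_text: str) -> Dict[str, str]:
    """Flatten <property><name>..</name><value>..</value></property> pairs into a dict."""
    root = ET.fromstring(xml_text)
    props: Dict[str, str] = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def deny_dominates_status(xml_text: str) -> str:
    """Return 'enabled', 'disabled' or 'missing' for this plugin's option.

    The property name carries the service name (ranger.plugin.trino..., ranger.plugin.hive...),
    so match on the common suffix rather than a fixed name.
    """
    for name, value in read_properties(xml_text).items():
        if name.endswith(OPTION_SUFFIX):
            return "enabled" if value.lower() == "true" else "disabled"
    return "missing"


def check_files(files: Dict[str, str]) -> Dict[str, str]:
    """files maps a path to its XML text; returns path -> status."""
    return {path: deny_dominates_status(text) for path, text in files.items()}


def all_enabled(statuses: Dict[str, str]) -> bool:
    """True only if at least one file was checked and every one has the option enabled."""
    return bool(statuses) and all(s == "enabled" for s in statuses.values())


def load_security_files(conf_dir: str) -> Dict[str, str]:
    """Read every *-security.xml in conf_dir (other Ranger files, e.g. audit, are skipped)."""
    files: Dict[str, str] = {}
    for path in sorted(glob.glob(f"{conf_dir}/*-security.xml")):
        with open(path, encoding="utf-8") as fh:
            files[path] = fh.read()
    return files


# Constructed samples: one enabled, one explicitly false, one without the property.
SAMPLE_FILES = {
    "ranger-trino-security.xml": """<configuration>
  <property>
    <name>ranger.plugin.trino.policyengine.option.deny.dominates.in.any</name>
    <value>true</value>
  </property>
</configuration>""",
    "ranger-hive-privacera_hive-security.xml": """<configuration>
  <property>
    <name>ranger.plugin.hive.policyengine.option.deny.dominates.in.any</name>
    <value>false</value>
  </property>
</configuration>""",
    "ranger-other-security.xml": """<configuration>
  <property>
    <name>ranger.plugin.other.service.name</name>
    <value>other</value>
  </property>
</configuration>""",
}

if __name__ == "__main__":
    statuses = check_files(load_security_files(RANGER_CONF_DIR))
    for path, status in statuses.items():
        print(f"{status:9s} {path}")
    sys.exit(0 if all_enabled(statuses) else 1)
```

Run it on the master node after the cluster comes up; a zero exit status means every security file carries the option set to true, and a "disabled" or "missing" line names the plugin whose configuration still needs attention.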