
User Impersonation Behavior in EMR Trino and Required Access

Impersonation

Trino is configured with Kerberos authentication, which causes it to enforce impersonation checks. In a Hue-to-Trino workflow, Trino runs using a service principal and attempts to impersonate the end user authenticated through Hue. To allow this behavior, an explicit impersonation policy must be configured.

The user test_usr must be explicitly granted impersonation permission on the <target user>. This allows Trino to execute queries on behalf of test_usr by impersonating the specified <target user> during query execution.

Create an Impersonation Policy in Privacera

To allow user impersonation, create or update an impersonation policy in the Privacera Portal with the following steps:

  1. Navigate to the Privacera Portal.
  2. Go to Access Management > Policies.
  3. Select the privacera_trino service.
  4. Click Add New Policy (or edit an existing policy, if applicable).

Configure the policy with the following values:

  • Resource Type: Trino User
    Resource Name: <target user>
  • Access Type: IMPERSONATE
  • Allowed User: test_usr

This policy allows Trino to successfully impersonate the end user when Kerberos authentication is enabled and queries are executed via Hue.
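The following added example (not Privacera or Trino code) is a simplified model of the decision this policy feeds: it shows that the grant is directional, tied to one target user, and denied by default. The `Policy` class, the `check_impersonation` function, and the user names `target_user_placeholder` and `other_usr` are assumptions made for illustration; the field values mirror the policy form above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    resource_type: str        # "Trino User" in the policy form above
    resource_name: str        # the user being impersonated (<target user>)
    access_type: str          # "IMPERSONATE"
    allowed_users: frozenset  # users granted this access


def check_impersonation(authenticated_user, session_user, policies):
    """Return (allowed, reason) for running a query as session_user.

    Simplified model: exact-match names only, allow policies only.
    """
    # A caller running as itself is not impersonating anyone.
    if authenticated_user == session_user:
        return True, "no impersonation requested"
    for p in policies:
        if (p.resource_type == "Trino User"
                and p.access_type == "IMPERSONATE"
                and p.resource_name == session_user
                and authenticated_user in p.allowed_users):
            return True, f"{authenticated_user} may impersonate {session_user}"
    # No matching policy: deny by default.
    return False, f"{authenticated_user} cannot impersonate {session_user}"


# Constructed sample values; replace the placeholder with the real <target user>.
TARGET_USER = "target_user_placeholder"
POLICIES = [
    Policy("Trino User", TARGET_USER, "IMPERSONATE", frozenset({"test_usr"})),
]

if __name__ == "__main__":
    cases = [
        ("test_usr", TARGET_USER),   # covered by the policy
        ("other_usr", TARGET_USER),  # not listed under Allowed User
        (TARGET_USER, "test_usr"),   # reverse direction is not granted
        ("test_usr", "test_usr"),    # same user, no policy needed
    ]
    for auth, sess in cases:
        allowed, reason = check_impersonation(auth, sess, POLICIES)
        print(f"{auth} -> {sess}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

When a Hue query is rejected, compare the authenticated user and the requested user against these three fields to see which one the policy fails to match.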