Advanced Configuration for Access Management for Trino

Use Custom Service Repo

Creating a Service Repo

To create a custom service repo, refer to Creating a Service repo.

Configure Custom Repo Name

  • Open the values.yaml file for editing:
    Bash
    cd ~/privacera-trino-plugin
    vi values.yaml
    
  • Update the values.yaml file with the following configuration:

    YAML
    env:
      - name: TRINO_HIVE_POLICY_REPO_CATALOG_MAPPING
        value: "custom_repo_1:catalog_1;custom_repo_2:catalog_2,catalog_3"
    

    Note

    If the custom service repo is not defined, the plugin will use service repos starting with privacera by default.

Validation/Verification

To confirm the successful association of the custom S3 service repo, perform the following steps:

  1. Prerequisites:
    • A custom service repository is created using the steps above on the PrivaceraCloud portal under SQL Repo.
  2. Steps to Validate:
    1. Once your Trino cluster is up and running, open the /etc/trino/access-control.properties file and ensure that the following property is updated with the custom service repository name:
      Properties
      ranger.hive.policy.repo.catalog.mapping
      
    2. Run the following SQL commands in the Trino CLI to validate the custom service repository:
      SQL
      -- Trino has no STRING type; VARCHAR is its variable-length string type.
      CREATE TABLE custom_repo_1.test_table (
        Emp_Id INT,
        First_Name VARCHAR,
        Last_Name VARCHAR
      );
      
      INSERT INTO custom_repo_1.test_table (Emp_Id, First_Name, Last_Name) VALUES (1, 'John', 'Doe'), 
      (2, 'Jane', 'Smith'), (3, 'Alice', 'Johnson');
      
      SELECT * FROM custom_repo_1.test_table;
      
    3. On the Privacera portal, go to Access Management -> Audits.
      • Under Service Name / Type, look for the Service Name you provided when Creating a Service repo, e.g., dev_s3.
      • Verify the success or failure of the resource policy. Successful access is indicated as Allowed and a failure is indicated as Denied.
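
The check in step 2.1 can be scripted. The Python below is an added example, not Privacera's code: it assumes the property holds the same repo:catalog[,catalog];... string shown for TRINO_HIVE_POLICY_REPO_CATALOG_MAPPING, that names are letters, digits and underscores, and that a catalog assigned to two repos is a misconfiguration. The function names and sample file content are hypothetical.

```python
import re

PROP = "ranger.hive.policy.repo.catalog.mapping"  # property named on the page
# Assumed naming rule for repos and catalogs (not stated on the page).
NAME = re.compile(r"^[A-Za-z0-9_]+$")


def parse_mapping(value):
    """Parse 'repo:cat[,cat];repo:cat' into {repo: [catalogs]}.

    Grammar inferred from the page's sample value. Raises ValueError on a
    malformed entry, a repeated repo, or (assumed to be an error) a catalog
    claimed by two repos, since it is then unclear whose policies apply.
    """
    repos, owner = {}, {}
    for entry in value.strip().split(";"):
        repo, sep, cats = entry.partition(":")
        repo = repo.strip()
        if not sep or not NAME.match(repo):
            raise ValueError(f"malformed entry: {entry!r}")
        if repo in repos:
            raise ValueError(f"repo listed twice: {repo}")
        catalogs = [c.strip() for c in cats.split(",")]
        for cat in catalogs:
            if not NAME.match(cat):
                raise ValueError(f"bad catalog name in {entry!r}")
            if cat in owner:
                raise ValueError(f"catalog {cat} mapped to {owner[cat]} and {repo}")
            owner[cat] = repo
        repos[repo] = catalogs
    return repos


def read_property(text, key=PROP):
    """Return the value of key from Java-properties text, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def rendered_matches(expected, properties_text):
    """True when the properties text carries the same repo-to-catalog mapping."""
    actual = read_property(properties_text)
    return actual is not None and parse_mapping(actual) == parse_mapping(expected)


# Constructed sample input: the values.yaml value and a rendered properties file.
EXPECTED = "custom_repo_1:catalog_1;custom_repo_2:catalog_2,catalog_3"
SAMPLE_PROPERTIES = f"# constructed sample\n{PROP}={EXPECTED}\n"
```

To run it against a live node, pass the contents of /etc/trino/access-control.properties as properties_text; a missing property or a mismatch means the plugin is not using the mapping you configured.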
