
Configure Deny Policy Dominance for Trino

Overview

By default, when Apache Ranger evaluates policies for operations that use the _any access type (for example, SHOW TABLES, SHOW SCHEMAS), an allow policy takes precedence over a deny policy for the same resource.

This feature reverses that behavior — when enabled, an explicit deny policy overrides any matching allow policy. This is useful when you want to enforce fine-grained exclusions within a broadly permitted resource scope, such as hiding specific tables inside a schema that is otherwise fully accessible.

Default behavior

This feature is disabled by default. Allow policies dominate deny policies unless explicitly configured.

How It Works

Consider a Hive schema with the following Ranger policies:

Policy     Type    Scope
Policy 1   Allow   All tables in the schema
Policy 2   Deny    A subset of tables in the same schema

The outcome of a SHOW TABLES query depends on this setting:

Setting                              Outcome
"false" (default — allow dominates)  All tables are listed, including those covered by the deny policy
"true" (deny dominates)              All tables are listed except those explicitly denied in Policy 2
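The following is an added illustration, not Ranger's or Privacera's evaluation code: a deliberately simplified model of how the deny-dominates flag changes which tables a SHOW TABLES call returns. The policies, schema name and table names are constructed to mirror the two-policy scenario above; real Ranger policy evaluation has more moving parts (policy priority, deny exceptions, row filters) that this model leaves out.

```python
"""Simplified model of allow-vs-deny precedence for the _any access type.

Added example; not Apache Ranger or Privacera code. Policy matching is
reduced to schema/table glob patterns so the precedence rule is the only
thing being demonstrated.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str            # "allow" or "deny"
    schema: str          # schema pattern, fnmatch-style
    tables: tuple        # table name patterns, fnmatch-style ("*" = all)

    def matches(self, schema: str, table: str) -> bool:
        return fnmatch(schema, self.schema) and any(
            fnmatch(table, pattern) for pattern in self.tables
        )


def is_visible(policies, schema, table, deny_dominates: bool) -> bool:
    """Decide whether one table is listed under the _any access type."""
    allowed = any(p.kind == "allow" and p.matches(schema, table) for p in policies)
    denied = any(p.kind == "deny" and p.matches(schema, table) for p in policies)
    if deny_dominates:
        # TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY: "true"
        # an explicit deny overrides any matching allow
        return allowed and not denied
    # default ("false"): a matching allow wins even if a deny also matches
    return allowed


def show_tables(policies, schema, tables, deny_dominates: bool):
    """Return the tables of `schema` that the caller would see in SHOW TABLES."""
    return [t for t in tables if is_visible(policies, schema, t, deny_dominates)]


# Constructed sample policies matching the scenario in the text:
# Policy 1 allows every table in the schema, Policy 2 denies a subset.
POLICIES = (
    Policy("Policy 1", "allow", "sales", ("*",)),
    Policy("Policy 2", "deny", "sales", ("salaries", "ssn_*")),
)
# Constructed sample tables in the "sales" schema.
TABLES = ("orders", "customers", "salaries", "ssn_lookup")


if __name__ == "__main__":
    for flag in (False, True):
        visible = show_tables(POLICIES, "sales", TABLES, deny_dominates=flag)
        print(f"deny.dominates.in.any={str(flag).lower()}: SHOW TABLES -> {visible}")
```

With the flag off, all four tables are listed because Policy 1 matches them; with the flag on, `salaries` and `ssn_lookup` drop out of the listing while the rest of the schema stays visible. A table that no allow policy covers is hidden under either setting, which is why the flag only matters where allow and deny scopes overlap.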

Configure the Setting

  1. SSH to the instance where Privacera is installed.

  2. Navigate to the Privacera Manager configuration directory:

    Bash
    cd ~/privacera/privacera-manager/config
    

  3. Open the Trino variables file for editing:

    Bash
    vi custom-vars/vars.trino-opensource.yml
    

  4. Uncomment and set the following property:

    YAML
    TRINO_RANGER_PLUGIN_OPTION_DENY_DOMINATES_IN_ANY: "true"
    

    Note

    • Set to "true" to enable deny-dominates behavior: an explicit deny policy takes precedence over an allow policy for access types set to _any (for example, SHOW TABLES).
    • Set to "false" (default) to retain allow-dominates behavior.
  5. Apply the configuration by running the Privacera Manager post-install commands:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

  6. Now rebuild the image and redeploy the application.

Verification

After applying the configuration, verify the setting on the Trino coordinator node:

  1. SSH into the Trino coordinator node.

  2. Run the following command to check both the Trino and Hive Ranger security configurations. Use the path that matches your deployment:

    Bash
    grep -R -A2 "policyengine.option.deny.dominates.in.any" /etc/trino/ranger-conf/*.xml
    
    When enabled, you should see <value>true</value> for both properties:
    Text Only
    /etc/trino/ranger-conf/ranger-hive-privacera_hive-security.xml:    <name>ranger.plugin.hive.policyengine.option.deny.dominates.in.any</name>
    /etc/trino/ranger-conf/ranger-hive-privacera_hive-security.xml-    <value>true</value>
    --
    /etc/trino/ranger-conf/ranger-trino-security.xml:    <name>ranger.plugin.trino.policyengine.option.deny.dominates.in.any</name>
    /etc/trino/ranger-conf/ranger-trino-security.xml-    <value>true</value>
    

    Bash
    grep -R -A2 "policyengine.option.deny.dominates.in.any" /etc/starburst/ranger-conf/*.xml
    
    When enabled, you should see <value>true</value> for both properties:
    Text Only
    /etc/starburst/ranger-conf/ranger-hive-privacera_hive-security.xml:    <name>ranger.plugin.hive.policyengine.option.deny.dominates.in.any</name>
    /etc/starburst/ranger-conf/ranger-hive-privacera_hive-security.xml-    <value>true</value>
    --
    /etc/starburst/ranger-conf/ranger-trino-security.xml:    <name>ranger.plugin.trino.policyengine.option.deny.dominates.in.any</name>
    /etc/starburst/ranger-conf/ranger-trino-security.xml-    <value>true</value>
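As an added complement to the grep check above (example code, not a Privacera tool), the script below parses the Ranger security XML files properly instead of pattern-matching on them, reports the deny-dominates property for each file, and exits non-zero unless every file has it set to true. A property that is absent is reported as disabled, matching the documented default. The embedded XML samples are constructed for a stand-alone run; on a coordinator node you would pass the real file paths from the verification step as arguments.

```python
"""Verify deny.dominates.in.any in Ranger plugin security XML files.

Added example, not Privacera's or Ranger's code. Parses Hadoop-style
<configuration><property><name/><value/></property></configuration> files.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PROPERTY_SUFFIX = "policyengine.option.deny.dominates.in.any"


def property_values(xml_text: str) -> dict:
    """Return {name: value} for every <property> in a configuration file."""
    root = ET.fromstring(xml_text)
    values = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            values[name.strip()] = (prop.findtext("value") or "").strip()
    return values


def deny_dominates_status(xml_text: str):
    """Return (property_name, enabled).

    The plugin prefix differs per service (ranger.plugin.hive.*, ranger.plugin.trino.*),
    so match on the common suffix. A missing property means the default: disabled.
    """
    for name, value in property_values(xml_text).items():
        if name.endswith(PROPERTY_SUFFIX):
            return name, value.lower() == "true"
    return None, False


def check_configs(configs: dict) -> list:
    """configs maps a label (file name) to its XML text; returns (label, name, enabled) rows."""
    return [(label,) + deny_dominates_status(text) for label, text in configs.items()]


def all_enabled(configs: dict) -> bool:
    """True only when every supplied file has the property explicitly set to true."""
    return all(enabled for _, _, enabled in check_configs(configs))


# Constructed sample files (property values chosen for the demonstration).
SAMPLE_CONFIGS = {
    "ranger-hive-privacera_hive-security.xml": """<configuration>
  <property>
    <name>ranger.plugin.hive.policyengine.option.deny.dominates.in.any</name>
    <value>true</value>
  </property>
</configuration>""",
    "ranger-trino-security.xml": """<configuration>
  <property>
    <name>ranger.plugin.trino.policyengine.option.deny.dominates.in.any</name>
    <value>true</value>
  </property>
</configuration>""",
}

# Constructed sample where the Trino file never received the property.
SAMPLE_CONFIGS_MISSING = {
    "ranger-hive-privacera_hive-security.xml": SAMPLE_CONFIGS["ranger-hive-privacera_hive-security.xml"],
    "ranger-trino-security.xml": "<configuration></configuration>",
}


if __name__ == "__main__":
    paths = sys.argv[1:]
    configs = {p: Path(p).read_text() for p in paths} if paths else SAMPLE_CONFIGS
    for label, name, enabled in check_configs(configs):
        state = "enabled" if enabled else "disabled (default)"
        print(f"{label}: {name or '(property not set)'} -> {state}")
    sys.exit(0 if all_enabled(configs) else 1)
```

Run it as `python3 check_deny_dominates.py /etc/trino/ranger-conf/ranger-hive-privacera_hive-security.xml /etc/trino/ranger-conf/ranger-trino-security.xml` (or the `/etc/starburst/ranger-conf` paths) and treat a non-zero exit as "the post-install did not reach both plugins"; suffix matching is used deliberately so the same script covers the hive and trino plugin prefixes without hard-coding either.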