10.6. System Access Control

    By default, the Presto coordinator allows any principal to run queries as anyPresto user. In a secure environment, this is probably not desirable behaviorand likely requires customization.

    SystemAccessControl implementations have several responsibilities:

    • Verifying whether or not a given principal is authorized to execute queries as a specific user.
    • Performing access checks across all catalogs. These access checks happen beforeany connector specific checks and thus can deny permissions that would otherwisebe allowed by .The implementation of SystemAccessControl and SystemAccessControlFactorymust be wrapped as a plugin and installed on the Presto cluster.

    Configuration

    The access-control.name property is used by Presto to find a registeredSystemAccessControlFactory based on the name returned by. The remaining properties are passedas a map to SystemAccessControlFactory.create().