11.6. System Access Control

    By default, the Presto coordinator allows any principal to run queries as any Presto user. In a secure environment, this is probably not desirable behavior and likely requires customization.

    SystemAccessControlFactory is responsible for creating a SystemAccessControl instance. It also defines a SystemAccessControl name which is used by the administrator in a Presto configuration.

    • Verifying whether or not a given principal is authorized to execute queries as a specific user.
    • Performing access checks across all catalogs. These access checks happen before any connector specific checks and thus can deny permissions that would otherwise be allowed by .

    The implementation of SystemAccessControl and SystemAccessControlFactory must be wrapped as a plugin and installed on the Presto cluster.

    Configuration

    The access-control.name property is used by Presto to find a registered SystemAccessControlFactory based on the name returned by. The remaining properties are passed as a map to SystemAccessControlFactory.create().
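The following added example (not code from the Presto project) models the flow described above: a factory is looked up by name, receives the remaining properties as a map, and returns a default-deny check of which principals may run queries as which users. The two interfaces are simplified stand-ins for the SPI types, and the `principal-map` name, the `allow.<principal>` properties and the use of `SecurityException` are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;

public class AccessControlDemo {
    public static void main(String[] args) {
        // Constructed sample configuration; property names are hypothetical.
        Map<String, String> config = new HashMap<>();
        config.put("access-control.name", "principal-map");
        config.put("allow.etl@EXAMPLE.COM", "etl,reporting");

        SystemAccessControlFactory factory = new PrincipalMapFactory();
        // The factory is selected by name; the remaining properties go to create().
        if (!factory.getName().equals(config.remove("access-control.name"))) {
            throw new IllegalStateException("no factory registered under that name");
        }
        SystemAccessControl control = factory.create(config);

        Principal etl = () -> "etl@EXAMPLE.COM";
        control.checkCanSetUser(etl, "reporting"); // listed user: returns normally
        try {
            control.checkCanSetUser(etl, "admin"); // unlisted user: rejected
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}

// Simplified stand-ins for the SPI roles; the real Presto interfaces declare
// more methods and their signatures depend on the Presto version.
interface SystemAccessControl {
    void checkCanSetUser(Principal principal, String userName);
}

interface SystemAccessControlFactory {
    String getName();
    SystemAccessControl create(Map<String, String> config);
}

class PrincipalMapFactory implements SystemAccessControlFactory {
    public String getName() { return "principal-map"; }

    public SystemAccessControl create(Map<String, String> config) {
        Map<String, Set<String>> allowed = new HashMap<>();
        config.forEach((key, value) -> {
            if (key.startsWith("allow.")) // "allow.<principal>" = comma-separated users
                allowed.put(key.substring(6), new HashSet<>(Arrays.asList(value.split(","))));
        });
        return (principal, userName) -> { // default deny: no principal or no mapping
            Set<String> users = principal == null ? null : allowed.get(principal.getName());
            if (users == null || !users.contains(userName))
                throw new SecurityException("principal may not run queries as " + userName);
        };
    }
}
```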

    Example configuration file: