3.7. Authorization

    Every HTTP endpoint in Presto is secured by a set of roles and can only be accessed by identities that belong to one of those roles. There are three roles defined in Presto:

    • : Users who should have access to external endpoints like those needed to launch queries, check status, get output data, and provide data for the UI.
    • internal: Internal components of Presto (such as the coordinator and workers), which have access to endpoints like launching tasks on workers and fetching exchange data from another worker.
    • admin: System administrators, who have access to internal service endpoints like those that return node status.

    Enabling Authorization

    The following steps need to be taken in order to enable authorization:

    Presto authorization requires authentication to obtain the accessor's principal, so make sure authentication is enabled.

    To enable authorization, the interface com.facebook.airlift.http.server.Authorizer must be implemented and bound. It performs the actual authorization check based on the principal of the incoming request and the allowed roles of the endpoint being requested.

    You can either use the preset ConfigurationBasedAuthorizer or implement your own.

    Configuration-based Authorizer

    This plugin allows you to turn on authorization support by specifying a mapping from roles to a regex for matching identities. Use the following steps to start using the configuration-based authorizer:

    1. Create a role to identity regex mapping and store it in a file.

    2. Install the Guice module com.facebook.airlift.http.server.ConfigurationBasedAuthorizerModule.

    Authorization settings are configured in the config.properties file. Authorization on the worker and coordinator nodes is configured using the same set of properties.
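    The following is an added example (not Presto's or Airlift's own code) that models what the Authorizer check and the configuration-based role mapping described above do: a role-to-identity-regex mapping is loaded from a file, the authenticated principal is matched against it to find the roles it holds, and a request is allowed only if one of those roles is among the endpoint's allowed roles. The three role names are from this page; the line-oriented `role=regex` file format, the endpoint paths, and their allowed roles are assumptions made for the example, not Presto's actual format or annotations. It also shows two checks a practitioner wants in such an authorizer: regexes are full-matched against the identity (so a pattern cannot be satisfied by a longer identity that merely contains a match), and a missing principal or an unregistered endpoint is denied.

```python
import re
from typing import Dict, Iterable, List, Optional, Pattern, Set

# Constructed sample mapping file. Role names (user, internal, admin) come from
# the page; the "role=regex" line format is an assumption for this example.
SAMPLE_MAPPING = r"""
# role = regex matched against the authenticated principal name
user=[a-z]+@example\.com
internal=presto-(coordinator|worker)-[0-9]+\.internal
admin=ops-[a-z]+@example\.com
"""

# Hypothetical endpoint -> allowed roles table, modelled on the page's description
# of which kinds of endpoints each role may reach. Not Presto's real annotations.
ENDPOINT_ROLES: Dict[str, Set[str]] = {
    "/v1/statement": {"user"},          # launch queries, fetch results
    "/v1/task": {"internal"},           # coordinator/worker task traffic
    "/v1/node": {"admin"},              # node status
    "/v1/info": {"user", "internal", "admin"},
}


def parse_role_mapping(text: str) -> Dict[str, Pattern[str]]:
    """Parse 'role=regex' lines into compiled patterns; blank and '#' lines are skipped."""
    mapping: Dict[str, Pattern[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, sep, pattern = line.partition("=")
        role, pattern = role.strip(), pattern.strip()
        if not sep or not role or not pattern:
            raise ValueError(f"malformed mapping line: {raw!r}")
        mapping[role] = re.compile(pattern)
    return mapping


def roles_for_principal(mapping: Dict[str, Pattern[str]], principal: str) -> List[str]:
    """Return every role whose regex matches the whole principal name.

    fullmatch (not search) is used on purpose: an identity such as
    'evil.presto-worker-1.internal' must not be granted the internal role just
    because it contains a substring that matches the internal pattern.
    """
    return [role for role, pat in mapping.items() if pat.fullmatch(principal)]


def authorize(mapping: Dict[str, Pattern[str]],
              principal: Optional[str],
              allowed_roles: Iterable[str]) -> bool:
    """The check an Authorizer performs: principal's roles vs the endpoint's allowed roles."""
    if principal is None:
        # Authorization depends on authentication; with no principal there is
        # nothing to map to a role, so the request is denied.
        return False
    held = roles_for_principal(mapping, principal)
    return any(role in allowed_roles for role in held)


def authorize_request(mapping: Dict[str, Pattern[str]],
                      principal: Optional[str],
                      path: str) -> bool:
    """Deny any path that has no registered role set (fail closed)."""
    allowed = ENDPOINT_ROLES.get(path)
    if allowed is None:
        return False
    return authorize(mapping, principal, allowed)


if __name__ == "__main__":
    mapping = parse_role_mapping(SAMPLE_MAPPING)
    for who, path in [("alice@example.com", "/v1/statement"),
                      ("alice@example.com", "/v1/node"),
                      ("ops-bob@example.com", "/v1/node"),
                      ("presto-worker-1.internal", "/v1/task"),
                      ("evil.presto-worker-1.internal", "/v1/task"),
                      (None, "/v1/statement")]:
        print(f"{who!s:32} {path:15} -> {'allow' if authorize_request(mapping, who, path) else 'deny'}")
```

    Anchoring the mapping regexes with fullmatch is the detail most worth carrying into a real ConfigurationBasedAuthorizer configuration: a pattern written loosely enough to match as a substring would let an externally authenticated identity acquire the internal or admin role.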

    The following is an example of the properties that need to be added to the config.properties file:

    Warning