12.6. System Access Control
By default, the Presto coordinator allows any principal to run queries as any Presto user. In a secure environment, this is probably not desirable behavior and likely requires customization.
SystemAccessControl implementations have several responsibilities:
- Verifying whether or not a given principal is authorized to execute queries as a specific user.
- Performing access checks across all catalogs. These access checks happen before any connector specific checks and thus can deny permissions that would otherwise be allowed by .
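
The two responsibilities above, modelled as an added example that is not part of the original page or of Presto's code: a standalone Java 9+ class that denies by default. It does not implement the Presto SPI interface; the class name, method signatures, use of SecurityException and the sample principals, users and catalogs are all assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Standalone model of the two checks; it does not implement the Presto SPI.
public class ExamplePolicy {
    // Constructed policy: principal name -> Presto users it may run queries as.
    private final Map<String, Set<String>> usersByPrincipal;
    // Constructed policy: Presto user -> catalogs that user may access.
    private final Map<String, Set<String>> catalogsByUser;

    public ExamplePolicy(Map<String, Set<String>> usersByPrincipal,
                         Map<String, Set<String>> catalogsByUser) {
        this.usersByPrincipal = usersByPrincipal;
        this.catalogsByUser = catalogsByUser;
    }

    // Responsibility 1: may this authenticated principal run queries as userName?
    public void checkCanSetUser(Principal principal, String userName) {
        String name = (principal == null) ? "<none>" : principal.getName();
        // A missing principal or an unknown principal gets an empty set: default deny.
        Set<String> allowed = usersByPrincipal.getOrDefault(name, Set.of());
        if (userName == null || !allowed.contains(userName)) {
            throw new SecurityException("Principal " + name + " cannot become user " + userName);
        }
    }

    // Responsibility 2: system-wide catalog check, run before any connector-specific check.
    public void checkCanAccessCatalog(String userName, String catalogName) {
        Set<String> allowed = catalogsByUser.getOrDefault(userName, Set.of());
        if (catalogName == null || !allowed.contains(catalogName)) {
            throw new SecurityException("User " + userName + " cannot access catalog " + catalogName);
        }
    }

    public static void main(String[] args) {
        ExamplePolicy policy = new ExamplePolicy(
                Map.of("alice@EXAMPLE.COM", Set.of("alice", "etl")),
                Map.of("alice", Set.of("hive"), "etl", Set.of("hive", "mysql")));
        Principal alice = () -> "alice@EXAMPLE.COM"; // getName() is the only abstract method
        policy.checkCanSetUser(alice, "etl");         // allowed: listed for this principal
        policy.checkCanAccessCatalog("etl", "mysql"); // allowed: listed for this user
        try {
            policy.checkCanSetUser(alice, "admin");   // not listed for this principal
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```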
Configuration
After a plugin that implements SystemAccessControl and SystemAccessControlFactory has been installed on the coordinator, it is configured using an file. All of the properties other than access-control.name are specific to the SystemAccessControl implementation.
Example configuration file: