9.7. Role Based Access Control

Using Role-Based Access Control (RBAC) in Presto, one can manage authorization for large number of users and objects through the entire enterprise. Using SQL Standard Based authorization is one way to achieve this. For an overview of this authorization option, see SQL Standard Based Authorization.

Role-Based Access Control can be accomplished by using Apache Ranger and Apache Sentry for services that interact with Hadoop data such as Presto. In RBAC there is the notion of Roles and Privileges. Roles are authorization entities for which authorization privileges are granted to. Privileges can be granted to zero, one, or more roles. Users belong to one or more groups.

Apache Ranger and Apache Sentry are integrated with Presto Enterprise and only available from Starburst. For more information about Presto Enterprise or to obtain a free trial, please contact hello@starburstdata.com.

../_images/rbac.png

When configured with Apache Ranger or Apache Sentry, Presto will enforce the privileges required to access data. Unlike sql-standard based authorization, Presto does not manage granting privileges to roles when integrated with Apache Ranger or Apache Sentry. It only enforces ones set by Apache Ranger or Apache Sentry. Presto relies on an underlying mechanism such as Kerberos to authenticate the user who belongs to zero or more user groups. These groups are commonly mapped from LDAP/AD but can also be configured to be mapped from Operating System groups.

For more information on managing privileges refer to the Hortonworks or Cloudera documentation for Apache Ranger and Apache Sentry respectively:

ROLES in Presto

When using Apache Sentry, setting a role makes that role active and the user only has those privileges applied to that role. By default all assigned roles are active and the user has the combined privileges of these roles.

See SET ROLE and SHOW ROLES for additional information.

Column Level Authorization

Presto will enforce column level privileges granted to roles. For example, if a user is only granted access to a subset of table columns, they will only be able to query from these columns. If they execute an SQL statement that refers to other columns, the query will fail with an error.

Apache Ranger or Apache Sentry

Presto is integrated with both Apache Ranger and Apache Sentry for RBAC support. Each are excellent options and the choice simply depends on the Hadoop distribution you are using. Apache Ranger is packaged with Hortonworks Data Platform and Apache Sentry is packaged with Cloudera Enterprise. Therefore it makes most sense to simply use what is packaged with your Hadoop distribution. Apache Ranger is also an excellent option for those not tied to a specific Hadoop distribution.