<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>10.6. System Access Control — Presto 0.204 Documentation</title>
<link rel="stylesheet" href="../_static/presto.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '0.204',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="top" title="Presto 0.204 Documentation" href="../index.html" />
<link rel="up" title="10. Developer Guide" href="../develop.html" />
<link rel="next" title="10.7. Password Authenticator" href="password-authenticator.html" />
<link rel="prev" title="10.5. Functions" href="functions.html" />
</head>
<body role="document">
<div class="header">
<h1 class="heading"><a href="../index.html">
<span>Presto 0.204 Documentation</span></a></h1>
<h2 class="heading"><span>10.6. System Access Control</span></h2>
</div>
<div class="content">
<div class="section" id="system-access-control">
<h1>10.6. System Access Control</h1>
<p>Presto separates the concept of the principal who authenticates to the
coordinator from the username that is responsible for running queries. When
running the Presto CLI, for example, the Presto username can be specified using
the <code class="docutils literal"><span class="pre">--user</span></code> option.</p>
<p>By default, the Presto coordinator allows any principal to run queries as any
Presto user. In a secure environment, this is probably not desirable behavior
and likely requires customization.</p>
<div class="section" id="implementation">
<h2>Implementation</h2>
<p><code class="docutils literal"><span class="pre">SystemAccessControlFactory</span></code> is responsible for creating a
<code class="docutils literal"><span class="pre">SystemAccessControl</span></code> instance. It also defines a <code class="docutils literal"><span class="pre">SystemAccessControl</span></code>
name which is used by the administrator in a Presto configuration.</p>
<p><code class="docutils literal"><span class="pre">SystemAccessControl</span></code> implementations have several responsibilities:</p>
<ul class="simple">
<li>Verifying whether or not a given principal is authorized to execute queries as a specific user.</li>
<li>Determining whether or not a given user can alter values for a given system property.</li>
<li>Performing access checks across all catalogs. These access checks happen before
any connector specific checks and thus can deny permissions that would otherwise
be allowed by <code class="docutils literal"><span class="pre">ConnectorAccessControl</span></code>.</li>
</ul>
<p>The implementation of <code class="docutils literal"><span class="pre">SystemAccessControl</span></code> and <code class="docutils literal"><span class="pre">SystemAccessControlFactory</span></code>
must be wrapped as a plugin and installed on the Presto cluster.</p>
</div>
<div class="section" id="configuration">
<h2>Configuration</h2>
<p>After a plugin that implements <code class="docutils literal"><span class="pre">SystemAccessControl</span></code> and
<code class="docutils literal"><span class="pre">SystemAccessControlFactory</span></code> has been installed on the coordinator, it is
configured using an <code class="docutils literal"><span class="pre">etc/access-control.properties</span></code> file. All of the properties
other than <code class="docutils literal"><span class="pre">access-control.name</span></code> are specific to the <code class="docutils literal"><span class="pre">SystemAccessControl</span></code>
implementation.</p>
<p>The <code class="docutils literal"><span class="pre">access-control.name</span></code> property is used by Presto to find a registered
<code class="docutils literal"><span class="pre">SystemAccessControlFactory</span></code> based on the name returned by
<code class="docutils literal"><span class="pre">SystemAccessControlFactory.getName()</span></code>. The remaining properties are passed
as a map to <code class="docutils literal"><span class="pre">SystemAccessControlFactory.create()</span></code>.</p>
<p>Example configuration file:</p>
<div class="highlight-none"><div class="highlight"><pre><span></span>access-control.name=custom-access-control
custom-property1=custom-value1
custom-property2=custom-value2
</pre></div>
</div>
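<p>A sketch of a factory matching the configuration above, as an added example that is not part of the Presto documentation or code base. The class name, the <code class="docutils literal"><span class="pre">allowed-realm</span></code> property and the <code class="docutils literal"><span class="pre">user@realm</span></code> principal format are hypothetical; the SPI method signatures are assumed to be those of the 0.204 <code class="docutils literal"><span class="pre">presto-spi</span></code> jar and should be checked against the version you compile against.</p>

```java
// Added example: class name, "allowed-realm" property and matching rule are hypothetical.
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.SystemAccessControl;
import com.facebook.presto.spi.security.SystemAccessControlFactory;

import java.security.Principal;
import java.util.Map;

import static com.facebook.presto.spi.security.AccessDeniedException.denySetUser;
import static java.util.Objects.requireNonNull;

public class PrincipalMatchAccessControlFactory
        implements SystemAccessControlFactory
{
    @Override
    public String getName()
    {
        // Must equal access-control.name in etc/access-control.properties
        return "custom-access-control";
    }

    @Override
    public SystemAccessControl create(Map<String, String> config)
    {
        // config holds the remaining properties from the file; refuse to start without the realm
        String realm = requireNonNull(config.get("allowed-realm"), "allowed-realm is not set");
        return new SystemAccessControl()
        {
            @Override
            public void checkCanSetUser(Principal principal, String userName)
            {
                // Fail closed: an unauthenticated (null) principal or any mismatch is denied
                if (principal == null || !principal.getName().equals(userName + "@" + realm)) {
                    denySetUser(principal, userName);
                }
            }

            @Override
            public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
            {
                // Every user may set system session properties in this sketch
            }
            // All other checks keep the interface defaults (assumed to deny in this SPI version)
        };
    }
}
```

<p>The factory is returned from the plugin's <code class="docutils literal"><span class="pre">getSystemAccessControlFactories()</span></code> method. A usable policy also overrides the catalog, schema and table checks it intends to allow.</p>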
</div>
</div>
</div>
</body>
</html>