Rules.json for file-based access control can't allow only a single table.
I'm using Trino 465 in a k8s cluster, and the access control is working fine. But when I try to allow a user XPTO read-only access to a single table, all my rules stop working.
# This works:
rules:
  rules.json: |-
    {
      "catalogs": [
        {
          "user": "nelson.neto",
          "catalog": ".*",
          "allow": "all"
        },
        {
          "group": "datalake-trino-users",
          "catalog": "lakehouse",
          "allow": "read-only"
        }
      ]
    }
# This doesn't work:
rules:
  rules.json: |-
    {
      "catalogs": [
        {
          "user": "nelson.neto",
          "catalog": ".*",
          "allow": "all"
        },
        {
          "group": "datalake-trino-users",
          "catalog": "lakehouse",
          "allow": "read-only"
        }
      ],
      "tables": [
        {
          "catalog": "lakehouse",
          "schema": "ani",
          "table": "hst_etapas_workflow",
          "user": "XPTO",
          "privileges": [
            "SELECT"
          ]
        }
      ]
    }
The same happens even when I remove the catalogs rules and set only tables rules. When I pass ".*" it works well, but when I specify the catalog/schema/table it doesn't work.
Example:
# This works:
rules:
  rules.json: |-
    {
      "tables": [
        {
          "catalog": ".*",
          "schema": ".*",
          "table": ".*",
          "user": "nelson.neto",
          "privileges": ["SELECT"]
        }
      ]
    }
# This doesn't work:
rules:
  rules.json: |-
    {
      "tables": [
        {
          "catalog": "lakehouse",
          "schema": ".*",
          "table": ".*",
          "user": "nelson.neto",
          "privileges": ["SELECT"]
        }
      ]
    }
The second rule set returns:
Erro SQL [4]: Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
Query failed (#20250524_012011_00020_q8qtq): Access Denied: Cannot select from table system.jdbc.tables
io.trino.spi.security.AccessDeniedException: Access Denied: Cannot select from table system.jdbc.tables
Access Denied: Cannot select from table system.jdbc.tables
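The error names the table the client actually failed on: system.jdbc.tables, which JDBC clients read to list tables before running the user's query, and which a tables rule scoped to the lakehouse catalog never matches. The following is an added example, not part of the post or of Trino itself: a simplified model of the documented table-rule semantics (first matching rule wins, patterns are anchored regexes, no match means deny) run over the posted rules and over an assumed fix that adds an explicit grant on the system catalog.

```python
import re

# Constructed rule set, copied from the failing example in the post.
POSTED_RULES = {
    "tables": [
        {"catalog": "lakehouse", "schema": ".*", "table": ".*",
         "user": "nelson.neto", "privileges": ["SELECT"]},
    ]
}

# Assumed fix: the same grant plus SELECT on the system catalog's metadata
# schemas, which the JDBC driver queries (system.jdbc.tables) on its own.
FIXED_RULES = {
    "tables": [
        {"catalog": "system", "schema": "(jdbc|metadata)", "table": ".*",
         "user": "nelson.neto", "privileges": ["SELECT"]},
        {"catalog": "lakehouse", "schema": ".*", "table": ".*",
         "user": "nelson.neto", "privileges": ["SELECT"]},
    ]
}

def _matches(pattern, value):
    # Rule patterns are regexes that must match the whole name.
    return re.fullmatch(pattern, value) is not None

def _rule_applies(rule, user, groups):
    if "user" in rule and not _matches(rule["user"], user):
        return False
    if "group" in rule and not any(_matches(rule["group"], g) for g in groups):
        return False
    return True

def table_allowed(rules, user, groups, catalog, schema, table, privilege):
    """First matching rule decides; no matching rule means access is denied."""
    for rule in rules.get("tables", []):
        if not _rule_applies(rule, user, groups):
            continue
        if not (_matches(rule.get("catalog", ".*"), catalog)
                and _matches(rule.get("schema", ".*"), schema)
                and _matches(rule.get("table", ".*"), table)):
            continue
        return privilege in rule.get("privileges", [])
    return False

def first_denied(rules, user, groups, accesses, privilege="SELECT"):
    """Replay a client's (catalog, schema, table) reads; return the first denial."""
    for catalog, schema, table in accesses:
        if not table_allowed(rules, user, groups, catalog, schema, table, privilege):
            return f"{catalog}.{schema}.{table}"
    return None

# Constructed sequence: the driver's metadata lookup, then the user's query.
JDBC_SESSION = [("system", "jdbc", "tables"), ("lakehouse", "ani", "hst_etapas_workflow")]
```

Running `first_denied(POSTED_RULES, "nelson.neto", [], JDBC_SESSION)` reproduces the denial on system.jdbc.tables, while the fixed rules let the same session through and still deny every other user.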