New • From static ACL JSON to dynamic, auditable authorization

Upgrade Trino Security:
From ACL JSON to a Policy‑Driven future

Centralize authorization with OPA, ship changes via GitOps, unlock ABAC, and get audit‑ready — without slowing queries.

- ≤10ms policy eval overhead
- 100% ACL parity at Phase 1
- 24×7 decision audit trail
Trino policy example (input document and Rego rule):

    input := {
      "principal": "finance-analyst",
      "catalog": "catalog_a",
      "schema": "transactions",
      "table": "payments",
      "privilege": "SELECT",
      "user_region": "EU",
      "column_sensitivity": "PII"
    }

    allow {
      input.privilege == "SELECT"
      input.user_region == "EU"
      input.column_sensitivity != "Restricted"
    }
OPA evaluates context‑aware policies at query‑time. Ship via GitOps, audit every decision.

Why move beyond static ACLs?

Auditability

Every decision is logged. Stream to SIEM or your audit lake for continuous evidence.

Human‑Readable Policies

Express complex row/column rules in Rego/YAML. No more brittle JSON sprawl.

GitOps & Delegation

Policies live in Git with PR reviews. Domains own their namespaces without breaking global rules.

Outcome: Centralized, version‑controlled authorization with domain autonomy and full observability.

How it works

Trino ↔ AuthZ Hook

Trino queries call a lightweight sidecar/plugin which asks the policy engine for a decision.
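An added example (not the page's own code, and not Trino's OPA plugin) of the hook side of that exchange, in Python: it builds the same input shape the page's examples use, asks OPA for the decision over its Data API, and treats a timeout, a transport error, a malformed reply or an undefined rule as a deny, so an outage of the policy engine can never turn into an allow. The OPA URL, the policy path `trino/authz/allow`, the 10 ms budget and the offline `fake_opa` stand-in are assumptions made for this example.

```python
"""Added example: a fail-closed authorization hook that asks OPA for a
decision over its Data API. Not Trino's OPA plugin; the URL, the policy
path and the offline stand-in below are assumptions for this example."""
import json
import time
import urllib.request

OPA_URL = "http://127.0.0.1:8181"             # assumed: OPA sidecar
DECISION_PATH = "/v1/data/trino/authz/allow"  # assumed: package trino.authz
TIMEOUT_S = 0.010                             # the page's 10 ms budget


def build_input(principal, catalog, schema, table, privilege, **attrs):
    """Same field names as the page's examples; extra keyword arguments
    carry ABAC attributes such as user_region or column_sensitivity."""
    req = {"principal": principal, "catalog": catalog, "schema": schema,
           "table": table, "privilege": privilege}
    req.update(attrs)
    return req


def http_post_json(url, body, timeout):
    """Default transport: POST {"input": ...} to OPA, return parsed reply."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def _ms(start):
    return (time.perf_counter() - start) * 1000.0


def authorize(request, transport=http_post_json):
    """Return (allowed, reason, elapsed_ms). Only an explicit `true` from
    OPA allows; errors, timeouts and undefined results all deny."""
    start = time.perf_counter()
    try:
        reply = transport(OPA_URL + DECISION_PATH, {"input": request}, TIMEOUT_S)
    except (OSError, ValueError) as exc:   # URLError/timeout, bad JSON
        return False, "fail-closed: " + type(exc).__name__, _ms(start)
    if not isinstance(reply, dict) or "result" not in reply:
        # OPA omits "result" when the rule is undefined for this input.
        return False, "fail-closed: undefined result", _ms(start)
    return reply["result"] is True, "policy", _ms(start)


def fake_opa(url, body, timeout):
    """Offline stand-in mirroring the page's hero rule (assumed behaviour)."""
    i = body["input"]
    return {"result": i["privilege"] == "SELECT"
            and i.get("user_region") == "EU"
            and i.get("column_sensitivity") != "Restricted"}


if __name__ == "__main__":
    req = build_input("finance-analyst", "catalog_a", "transactions",
                      "payments", "SELECT", user_region="EU",
                      column_sensitivity="PII")
    print(authorize(req, transport=fake_opa))
```

The `transport` parameter exists so the hook can be unit-tested without a running OPA; in production the default `http_post_json` is used and `elapsed_ms` is what you chart against the latency budget.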

OPA / Policy Engine

Evaluates RBAC + ABAC rules with context (identity, data tags, time, region, sensitivity).

Observability

Decision logs shipped to ELK/Grafana/SIEM. Build dashboards for reviews & attestation.
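Once decisions are logged, the review dashboards the page mentions need something to aggregate. The Python below is an added example, not part of the page or of any shipper: it parses decision-log lines into per-principal allow/deny counts, treats an entry without a `result` (the rule was undefined for that input) as a deny so it is not lost in the audit, survives a non-JSON line, and flags principals whose denials reach a threshold. The log lines are constructed for this example and follow the shape of OPA's decision logs (`decision_id`, `path`, `timestamp`, `input`, `result`), which is an assumption; the field names inside `input` are the page's.

```python
"""Added example: turn OPA decision-log lines into an audit summary.
The log lines are constructed for this example and follow the shape of
OPA's decision logs (decision_id, path, timestamp, input, result), which
is an assumption here; the field names inside `input` are the page's."""
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON object per line, as a log shipper would forward.
SAMPLE_LOG = """\
{"decision_id":"d1","path":"trino/authz/allow","timestamp":"2025-03-01T10:00:00Z","input":{"principal":"finance-analyst","catalog":"cosmos","schema":"transactions","table":"payments","privilege":"SELECT"},"result":true}
{"decision_id":"d2","path":"trino/authz/allow","timestamp":"2025-03-01T10:00:05Z","input":{"principal":"intern","catalog":"cosmos","schema":"transactions","table":"payments","privilege":"SELECT"},"result":false}
{"decision_id":"d3","path":"trino/authz/allow","timestamp":"2025-03-01T10:00:09Z","input":{"principal":"intern","catalog":"cosmos","schema":"hr","table":"salaries","privilege":"SELECT"},"result":false}
{"decision_id":"d4","path":"trino/authz/allow","timestamp":"2025-03-01T10:00:12Z","input":{"principal":"intern","catalog":"cosmos","schema":"transactions","table":"payments","privilege":"DELETE"},"result":false}
{"decision_id":"d5","path":"trino/authz/allow","timestamp":"2025-03-01T10:01:00Z","input":{"principal":"finance-analyst","catalog":"cosmos","schema":"transactions","table":"refunds","privilege":"SELECT"}}
this line is not JSON and must not break the report
"""


def parse_decisions(text):
    """Return (records, unparsable_line_count). A missing `result` means the
    rule was undefined, which is an effective deny and is kept in the data."""
    records, bad_lines = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            i = entry["input"]
            records.append({
                "id": entry.get("decision_id"),
                "principal": i["principal"],
                "resource": f'{i["catalog"]}.{i["schema"]}.{i["table"]}',
                "privilege": i["privilege"],
                "allowed": entry.get("result") is True,
                "undefined": "result" not in entry,
            })
        except (ValueError, KeyError, TypeError):
            bad_lines += 1
    return records, bad_lines


def denial_report(records, threshold=3):
    """Per-principal allow/deny counts plus the principals whose denials
    reach `threshold`, with the privilege/resource pairs they were denied."""
    counts = defaultdict(Counter)
    denied_on = defaultdict(set)
    for r in records:
        counts[r["principal"]]["allowed" if r["allowed"] else "denied"] += 1
        if not r["allowed"]:
            denied_on[r["principal"]].add(f'{r["privilege"]} {r["resource"]}')
    flagged = {p: sorted(denied_on[p]) for p, c in counts.items()
               if c["denied"] >= threshold}
    return {"per_principal": {p: dict(c) for p, c in counts.items()},
            "undefined": sum(r["undefined"] for r in records),
            "flagged": flagged}


if __name__ == "__main__":
    recs, bad = parse_decisions(SAMPLE_LOG)
    print(json.dumps(denial_report(recs), indent=2), "unparsable lines:", bad)
```

The `undefined` count is worth alerting on separately: a rise in undefined decisions usually means a policy change shipped via GitOps no longer covers some input shape, and the hook is silently denying.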

Compatibility: Phase 1 maintains complete policy parity with existing ACL JSON to ensure a safe cutover.

The Roadmap

1. Baseline: mirror ACL JSON → OPA
2. GitOps: policies in Git + PR flow
3. Fine‑grained: catalog/schema/view/function
4. Delegation: per‑domain namespaces
5. Audit: decision logs → SIEM
6. ABAC: dynamic attributes
7. Optimize: cache & partial eval

From ACL JSON → Rego (example)

Before (ACL JSON)

    {
      "catalogs": {
        "cosmos": {
          "allow": [
            {
              "principal": "finance-analyst",
              "privileges": ["SELECT"],
              "schemas": ["transactions"],
              "tables": ["payments"]
            }
          ]
        }
      }
    }

After (Policy)

    package trino.authz

    default allow = false

    allow {
      input.principal == "finance-analyst"
      input.catalog == "cosmos"
      input.schema == "transactions"
      input.table == "payments"
      input.privilege == "SELECT"
    }
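The Phase 1 parity promise is something you can test rather than assert. The Python below is an added example, not part of the page: it reads the ACL JSON in exactly the form shown above, expands each grant into the requests it allows plus one-field mutations that must be denied, records the decision the ACL itself gives for each, and emits those cases as an `opa test` module against `package trino.authz`, written in the same pre-v1 Rego syntax as the page's policy. The allow-list, default-deny reading of the ACL JSON and the `zz-not-granted-*` mutation values are assumptions made for this example.

```python
"""Added example: generate an ACL-parity test corpus for `opa test` from
the page's ACL JSON. The ACL evaluator below implements the allow-list,
default-deny semantics implied by the page's example; it is not Trino's."""
import itertools
import json

# Constructed from the page's "Before (ACL JSON)" example.
ACL = {"catalogs": {"cosmos": {"allow": [{
    "principal": "finance-analyst", "privileges": ["SELECT"],
    "schemas": ["transactions"], "tables": ["payments"]}]}}}

FIELDS = ("principal", "catalog", "schema", "table", "privilege")


def acl_decision(acl, req):
    """Reference decision from the ACL JSON: any matching grant allows,
    otherwise deny (unknown catalogs fall through to deny as well)."""
    catalog = acl.get("catalogs", {}).get(req["catalog"], {})
    for grant in catalog.get("allow", []):
        if (grant["principal"] == req["principal"]
                and req["privilege"] in grant["privileges"]
                and req["schema"] in grant["schemas"]
                and req["table"] in grant["tables"]):
            return True
    return False


def parity_cases(acl):
    """Expand every grant into allowed requests plus one-field mutations
    that must be denied; each case carries the decision the ACL gives."""
    cases = []
    for cat_name, cat in acl["catalogs"].items():
        for grant in cat.get("allow", []):
            for priv, schema, table in itertools.product(
                    grant["privileges"], grant["schemas"], grant["tables"]):
                base = {"principal": grant["principal"], "catalog": cat_name,
                        "schema": schema, "table": table, "privilege": priv}
                cases.append({"input": base,
                              "expected": acl_decision(acl, base)})
                for field in FIELDS:
                    # constructed value that no grant contains
                    mutated = dict(base, **{field: "zz-not-granted-" + field})
                    cases.append({"input": mutated,
                                  "expected": acl_decision(acl, mutated)})
    return cases


def to_rego_tests(cases, package="trino.authz"):
    """Emit an `opa test` module; denied cases assert `not <pkg>.allow`."""
    short = package.split(".")[-1]
    lines = [f"package {package}_test", "", f"import data.{package}", ""]
    for n, case in enumerate(cases):
        verb = "" if case["expected"] else "not "
        body = json.dumps(case["input"])
        lines += [f"test_case_{n} {{",
                  f"    {verb}{short}.allow with input as {body}",
                  "}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_rego_tests(parity_cases(ACL)))
```

Run the printed module with `opa test` alongside the policy; a failing `test_case_N` pinpoints the exact request on which the Rego and the ACL JSON disagree. For a real ACL with many grants the corpus grows as the product of privileges, schemas and tables per grant, which is still small enough to run in CI on every policy PR.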

ABAC Enrichment

    allow {
      input.role == "data-analyst"
      input.column_sensitivity == "PII"
      input.user_region == "EU"
      time.now_ns() >= time.parse_rfc3339_ns("2025-01-01T00:00:00Z")
    }

Ready to modernize Trino authorization?

We’ll review your current ACL JSONs, map them to policy modules, set up GitOps, and enable audit trails — usually in days, not months.

Need a tailored POC on your stack (Kubernetes, ArgoCD/Flux, OpenMetadata tags, Trino functions)? We can deliver a week-long sprint.