6.13. Role Based Access Control

Using role based access control (RBAC) in SEP, you can manage authorization for a large number of users and objects across the entire enterprise.

SEP supports three RBAC mechanisms

Using SQL Standard Based authorization is one way to achieve this. For an overview of this authorization option, see the documentation in SQL Standard Based Authorization.

RBAC is built on the notions of Roles and Privileges. Roles are authorization entities to which privileges are granted. Privileges can be granted to zero, one, or more roles. Users belong to one or more groups.


When configured with Apache Ranger or Apache Sentry, Presto enforces the privileges required to access data. Unlike SQL Standard Based authorization, Presto does not manage granting privileges to roles when integrated with Apache Ranger or Apache Sentry. It only enforces the privileges set by Apache Ranger or Apache Sentry. Presto relies on an underlying mechanism such as Kerberos to authenticate the user, who belongs to zero or more user groups. These groups are commonly mapped from LDAP/AD but can also be mapped from operating system groups.

For more information on managing privileges refer to the Hortonworks or Cloudera documentation for Apache Ranger and Apache Sentry respectively:

ROLES in Presto

When using Apache Sentry, setting a role makes that role active, and the user has only the privileges granted to that role. By default all assigned roles are active and the user has the combined privileges of these roles.

See SET ROLE and SHOW ROLES for additional information.

Column Level Authorization

Presto enforces column level privileges granted to roles. For example, if a user is only granted access to a subset of a table's columns, they can only query those columns. If they execute an SQL statement that refers to other columns, the query fails with an error.
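The following session is an added example, not taken from the SEP documentation, showing how the active role described under ROLES in Presto interacts with column level privileges when Apache Sentry is in use. The catalog `hive`, schema `sales`, table `customers`, the roles `analyst` and `billing`, and the grants described in the comments are all assumptions made for illustration.

```sql
-- Assumed setup (hypothetical names), managed in Apache Sentry, not in Presto:
--   role analyst : SELECT on columns (id, region)     of sales.customers
--   role billing : SELECT on columns (id, card_last4) of sales.customers
--   the connected user is assigned both roles through group membership

USE hive.sales;

-- List the roles defined in the current catalog.
SHOW ROLES;

-- Default state: all assigned roles are active, so the user holds the
-- combined privileges of analyst and billing. This query references
-- columns from both grants and is allowed.
SELECT id, region, card_last4 FROM customers;

-- Make only the analyst role active for this session.
SET ROLE analyst;

-- Allowed: every referenced column is granted to analyst.
SELECT id, region FROM customers;

-- Fails with an error: card_last4 is granted only to billing, which is
-- no longer active, so the same query that worked above is now rejected.
SELECT id, region, card_last4 FROM customers;

-- Return to the default state with all assigned roles active.
SET ROLE ALL;
```

Running the same statements before and after `SET ROLE` is a quick way to confirm that the privileges defined in Sentry are enforced as intended for a given user.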

Apache Ranger or Apache Sentry for Hive Level Security

Presto is integrated with both Apache Ranger and Apache Sentry for RBAC support. Both are excellent options, and the choice simply depends on the Hadoop distribution you are using. Apache Ranger is packaged with Hortonworks Data Platform and Apache Sentry is packaged with Cloudera Enterprise. Therefore it makes most sense to use what is packaged with your Hadoop distribution.

Apache Ranger is an excellent option for those not tied to a specific Hadoop distribution, or if you want to use System Level Security with Apache Ranger.