Release 480-e STS (14 May 2026)

Starburst Enterprise platform (SEP) 480-e STS is the follow up SEP release to 479-e LTS release.

This release is a short term support (STS) release.

It includes all improvements from the following Trino release:

• Trino 480

Breaking changes

• Removed support for storing AI Agent sessions in coordinator memory. Sessions are now only stored in the Insights database. You must update your configuration file to remove the following properties or the cluster fails to start.

  • ai.agent.session-storage

  • ai.agent.max-sessions

  • ai.agent.session-inactivity-timeout

• Removed support for Glue v1 SDK. glue now defaults to Glue v2 across all connectors. The following configuration properties used Glue v1 and are no longer applicable. You must update your configuration file to remove the old properties.

  • hive.metastore-cache.cache-partitions

  • hive.metastore-cache.cache-missing

  • hive.metastore-cache.cache-missing-partitions

  • hive.metastore-cache.cache-missing-stats

• The snowflake_jdbc connector has reached end of support as of 480-e and will be removed in the August 2026 LTS release. You must migrate to the snowflake_parallel connector before upgrading beyond 480-e. Clusters with snowflake_jdbc still configured will fail to start.

• The enable-large-dynamic-filters configuration property and the corresponding enable_large_dynamic_filters session property have been removed. Remove these from your configuration before upgrading.

• The dynamic-filtering.small* and dynamic-filtering.large-broadcast* configuration properties have been removed. Remove any references from your configuration before upgrading.

• The following configuration properties have been removed across the Delta Lake, Hive, Hudi, and Iceberg connectors. Update your connector configurations before upgrading:

  • hive.write-validation-threads: removed with no replacement.

  • hive.fs.new-file-inherit-ownership: removed with no replacement.

  • gc.use-access-token: removed with no replacement. Update your GCS authentication configuration accordingly.

  • parquet.optimized-writer.validation-percentage: use parquet.writer.validation-percentage instead.

  • hive.parquet.writer.block-size: use parquet.writer.block-size instead.

  • hive.parquet.writer.page-size: use parquet.writer.page-size instead.

• The live files table metadata cache has been removed. The configuration properties metadata.live-files.cache-size, metadata.live-files.cache-ttl, and checkpoint-filtering.enabled are no longer recognized and must be removed from your Delta Lake connector configuration. Clusters fail to start if these properties are present.

• The iceberg.extended-statistics.enabled configuration property and the extended_statistics_enabled session property have been removed. Extended statistics are now always enabled and no longer require explicit configuration.

• The default Trino type mapping for the Iceberg variant data type has changed from JSON to variant in Iceberg format version 3 tables. To restore the previous mapping, use the iceberg.legacy-variant-type-mapping=JSON configuration property.

• Support for reading MySQL BIT(n) columns where n > 1 has been removed. This behavior was previously incorrect. Queries that relied on reading multi-bit BIT columns from MySQL now fail. Review any affected queries or table schemas before upgrading. - Support for reading SingleStore BIT(n) columns where n > 1 has been removed. Review any affected queries or table schemas before upgrading.

• Support for TypeSignatureParameter, ParameterKind, NamedType, NamedTypeSignature, and NamedTypeParameter has been removed from the SPI.

• The Confluent Kafka version in SEP was upgraded to 5.5.0. To maintain connectivity, make the following changes to the Kafka JAAS configuration:

  • If your configuration uses the login module class name org.eclipse.jetty.jaas.spi.PropertyFileLoginModule, replace it with the login module class name org.eclipse.jetty.security.jaas.spi.PropertyFileLoginModule.

  • The serviceName property must now be explicitly configured. For example:

  user_admin="admin1"
  serviceName="broker1.test.confluent.io";
  

• The method of defining admin users for Starburst Portal changes as of this release. If you have a legacy YAML configuration file for Starburst Gateway, any of its authorization and presetUsers blocks are now silently ignored. Instead, you must configure starburst.access-control.authorized-users or starburst.access-control.authorized-groups or both. Portal now fails to start without at least one of these properties in its /etc/starburst/config.properties file. In addition, configure an internal communication shared secret for Portal with the internal-communication.shared-secret property. Note also the following changes:

  • /ui/api/userinfo response: roles is now a set with lowercase values (such as admin instead of ADMIN)

  • /ui/api/info response: the accessControlType field was removed

  • /public/api/v1/backend endpoints now require admin credentials (they previously required an API role)

General

• CTE reuse is now generally available.

• Data product sharing is now generally available.

• Added public preview for Data Products as Code.

• Added support for OAuth 2.0 token passthrough with the native GCS file system.

• Added support for AWS S3 Multi-Region Access Points (MRAPs) in the S3 file system.

• Added support for managing descriptions of catalogs, schemas, tables, and columns within the catalog explorer.

• Added support for Alibaba Cloud Secret Manager as an external configuration provider.

• The Starburst Portal was renamed to Starburst Control Plane.

• Worksheets in the Starburst Control Plane query editor are now persistent. Queries are no longer lost when the page is refreshed.

• The Starburst-packaged Hive Metastore Service (HMS) image has reached end of support as of 480-e. Starting with the August 2026 LTS release, SEP will no longer include a packaged HMS image. Migrate to Starburst data catalog before upgrading beyond 480-e.

• The persistence.query-history.retention-time configuration property is deprecated and replaced by persistence.retention.max-age. Existing configurations continue to work but should be updated to use the new property name.

• The HMS to Starburst Data Catalog migration tool now automatically detects and processes all catalogs found in the source environment, rather than being restricted to the default catalog.

• The HMS to Starburst Data Catalog migration tool now processes schemas in parallel rather than sequentially, improving migration speed for environments with many schemas.

• The HMS to Starburst Data Catalog migration tool now supports Kerberos-secured HMS instances. A new -c/--properties-file argument accepts a Java .properties file containing Thrift metastore client configuration. This lets you manage complex configurations in a single file rather than passed as individual command-line arguments.

• The export command of the HMS to Starburst Data Catalog migration tool now generates a JSON summary report at exportStats/export.json within the user-supplied folder, including the number of schemas and tables processed and any failures that occurred.

• Iceberg materialized views that use non-deterministic scalar functions such as current_timestamp, current_date, localtimestamp, localtime, or random() are now correctly identified as potentially stale.

• Refreshing a materialized view that uses non-deterministic functions now always performs a full refresh instead of an incremental refresh. Forcing full refresh ensures the materialized view accurately reflects the current state of the base query.

• The SEP login screen has been updated for improved accessibility and design. No configuration changes are required.

• Added support for rebasing legacy dates and timestamps in Parquet files written by Spark. SEP now detects Parquet files written by Spark with legacy calendar (Julian-Gregorian hybrid) dates and timestamps, and converts them to the proleptic Gregorian calendar for correct display.

• Fixed an issue where managed statistics connections could fail due to trust issues with automatically generated certificates used for secure internal communication.

• Fixed an issue where creating a view based on a partitioned table would fail when Starburst Data Catalog was configured as the metastore with Oracle as the persistence backend due to an empty string being bound as the partition location.

• Fixed an issue in Starburst Data Catalog with MySQL, where column statistics for high-precision DECIMAL column types failed due to insufficient precision in internal table definitions.

• Fixed an issue where any user with privileges to add grants on a table, schema, or other entity could also add column masks and row filters on that entity through the Add privileges UI. Adding a column mask or row filter now requires the appropriate APPLY privilege on the user’s role.

• Fixed compression_codec table property values written by Trino not conforming to the Iceberg specification, causing Spark to fail when reading these tables.

• Fixed a regression which introduced over-validation of compression_codec property values on read, causing Trino to error when encountering tables written by Spark.

• Fixed an issue where schema discovery failed when fault-tolerant execution was configured with retry-policy=TASK.

• Fixed a bug in data product search where SQL LIKE wildcard characters % and _ in search strings were not escaped, causing incorrect results.

• Fixed a bug where searching for % in data products returned an HTTP 400 error due to redundant URL decoding.

• Fixed an issue where Starburst Control Plane cluster monitoring failed when clusters were configured to require HTTP/2 for internal communication.

• Fixed a possible connection leak in JDBC connectors when collecting managed statistics.

Security

• The embedded Apache MINA networking library has been upgraded to version 2.2.7 to mitigate the following CVEs:

  • CVE-2026-42778

  • CVE-2026-42779

• Added a database name provider option for Hive Ranger access control that determines how SEP schema names are mapped to Ranger database names.

• Added STARBURST_LOCAL as a ranger.user-group-source option to resolve user groups locally without syncing user and group data back to Ranger.

• Added AppRole and Kubernetes authentication methods for the Vault secrets provider.

• Added support for the AppRole pull mode authentication in the Vault secrets provider.

• Non-administrator roles can now manage column mask and row filter expressions through the access control UI.

• Non-administrator roles can now grant permissions to apply column mask and row filter expressions to tables through the access control UI. A role must hold APPLY_COLUMN_MASK_WITH_GRANT_OPTION or APPLY_ROW_FILTER_WITH_GRANT_OPTION for a given expression to grant apply permission to another role.

• OAuth authentication with JDBC, ODBC, and CLI clients now prompts for confirmation before redirecting to the identity provider.

• Fixed an issue where Ranger access control denied queries on information_schema even when the user had access to the underlying tables.

• Fixed an issue where metadata tables such as table$history and table$partition could not be entered in the table or view selector when adding privileges in the access control UI.

• Fixed a vulnerability in Data Product comment endpoints where comment ownership was not validated against the data product specified in the request. This allowed users to modify or vote on comments belonging to data products they should not have had access to. The following endpoints are affected: upvote, delete-vote, update, and delete comment.

Starburst AI

• Added public preview support for the Starburst AI Data Assistant (AIDA), a new conversational analytics assistant.

• Added support for creating interactive charts from query results in AIDA.

• Added support for searching and retrieving data products via the MCP server.

• Added support for customizing the AI Agent persona prompts.

• Added data profiling to the AI Agent to improve natural language to SQL accuracy.

• Added a stop button to AIDA’s chat dialog that lets you cancel an in-progress response after submitting a prompt.

BigQuery connector

• Added support for dynamic connection passthrough.

• Added support for renaming tables within the same schema.

ClickHouse connector

• Upgraded the bundled ClickHouse JDBC driver to 0.9.8.

Delta Lake connector

• Added support for OAuth 2.0 token pass-through with Token Exchange when using Unity Catalog as a metastore on AWS.

• Added support for proxy server configuration when using Unity Catalog as a metastore with the Delta Lake connector.

• Removed support for Glue v1 SDK. glue now defaults to Glue v2 across all connectors.

• Fixed an issue where extra credentials provided in authentication passthrough scenarios were not being used when accessing files on storage.

• Fixed an issue where Google Cloud Storage object names containing # or ? characters were blocked when using native file system support.

• Fixed failure reading Delta Lake checkpoints created by CREATE OR REPLACE TABLE when the schema differs.

Generic JDBC connector

• Added support for CData OEM authentication.

Great Lakes connector

• Added support for built-in access control.

• Added support for table scan redirection.

Hive connector

• Added support for OAuth 2.0 token pass-through with Token Exchange when using Unity Catalog as a metastore on AWS.

• Added support for proxy server configuration when using Unity Catalog as a metastore with the Hive connector.

• Removed support for Glue v1 SDK. glue now defaults to Glue v2 across all connectors.

• Fixed an issue where Google Cloud Storage object names containing # or ? characters were blocked when using native file system support.

Iceberg connector

• Added support for tagging.

• Added support for OAuth 2.0 pass-through with Token Exchange using the Iceberg REST catalog.

• Added support for dynamic configuration passthrough.

• Added support for the optimize_position_deletes table procedure.

• Added support for using partitioned tables with the add_files table procedure.

• Removed support for Glue v1 SDK. glue now defaults to Glue v2 across all connectors.

• Fixed an issue where Google Cloud Storage object names containing # or ? characters were blocked when using native file system support.

• Fixed excessive memory usage when writing partition statistics for Iceberg tables with large numbers of partitions.

Oracle connector

• Added support for Azure managed identity authentication.

• Fixed query failures when reading Oracle FLOAT columns with out-of-range precision values.

Singlestore connector

• Added support for pushdown of join conditions on VARCHAR columns when the singlestore.experimental.enable-string-pushdown-with-binary configuration property or the corresponding enable_string_pushdown_with_binary session property is set to true alongside join pushdown.

• Added support for pushdown of type casts between DATE, TIMESTAMP, and VARCHAR types in projections, aggregations, and join conditions, including the DATE() function applied to a TIMESTAMP column.

• Added support for complex predicate pushdown on DATE and TIMESTAMP columns, including disjunctive OR predicates.

Snowflake connector

• The snowflake_jdbc connector has reached end of support as of 480-e and will be removed in the August 2026 LTS release. Migrate to the snowflake_parallel connector before upgrading beyond 480-e to avoid disruption.

Starburst Stargate connectors

• Added support in both the Stargate and Stargate parallel connectors for JWT pass-through authentication with a remote cluster. To use either OAuth 2.0 token or JWT pass-through authentication in the Stargate connectors, set the stargate.authentication.type catalog configuration property to TOKEN_PASSTHROUGH. The former value of OAUTH2_PASSTHROUGH remains valid for backward compatibility with OAuth2 configurations.