Trino (PrestoSQL)

Connecting to Trino

Trino (previously known as PrestoSQL) is configured under Configuration > Apps and Data Sources > Manually Added Data Source > Add New. The following entities are discovered and supported by Veza:

  • Trino Instance

  • Trino Catalog

  • Trino Schema

  • Trino Table

  • Trino Column

  • Trino Privilege

  • Trino User

  • Trino Group

In the current release, the login email address is used as the primary identifier to map IdP (Okta) identities to Trino users, so the Trino usernames in the access control file should be email addresses.

Prerequisites

  • The Trino File System Access Control file must be stored as an S3 object which Veza can access using an AWS Access Key ID and Secret, or using IAM role assumption.

  • Veza requires a read-only Trino user to discover authorization metadata. See the Trino documentation on password authentication for how to enable it on your Trino coordinator and how to update the password file.

  • HTTPS/TLS must be enabled for your Trino Coordinator.

  • Veza advises using an Insight Point when connecting to production Trino environments. For testing purposes, you can use the internal Insight Point, provided that firewall rules allow communication with Veza.

    • The inbound rules of the Security Group associated with your Trino cluster must allow connections from the Insight Point egress IP on the coordinator's HTTPS port.

Veza Configuration

To add the data source, navigate to Administration > Configuration, open the Apps & Data Sources tab, and click "Add New" in the Manually Added Data Sources section.

Select Trino from the first dropdown, and provide the following information:

Field                         Description
Name                          Name to label the connection in Veza
Host URL                      The address (hostname) of the Trino Coordinator
Host Port                     The port to use for the connection (the coordinator's HTTPS port)
Cluster Username / Password   The username and password of the read-only Trino account Veza will use to connect
SSL/TLS Certificate           The Trino coordinator's TLS certificate, used to verify the HTTPS connection

Next, select the authentication method Veza will use to read the access control file from the S3 bucket: IAM user access keys (simplest) or IAM role assumption (more secure, since no long-lived credentials are handed to Veza).

Read S3 object with user keys

The easiest way to provide Veza access is to create a new AWS IAM user with read-only permissions on the S3 bucket (or on just the access control object), and generate an Access Key and Secret for that user. For more information, see the AWS documentation on creating IAM users and access keys.

From the Veza configuration screen, input the AWS Access Key ID and Secret Access Key for the new IAM user.

Read S3 object with assume role

While user access keys provide a simple way to grant S3 object access, it's typically more secure to read the Trino Access Control file by assuming an AWS role. To do so, you will need to create an IAM role with the Veza AWS account set as the trusted entity (contact Veza Support if you need the account ID).

On the Veza configuration screen for Trino, provide the:

  • Role Name / Account ID - Veza will attempt to assume the named role in the specified AWS account to read the S3 object contents. Enter the role name as it appears in the AWS UI (not the full ARN).

  • External ID - This field must match the external ID specified for the IAM role in AWS, and "Require External ID" must be enabled on the role. The external ID prevents a third party who merely knows your role ARN from getting Veza to assume the role on their behalf (the confused-deputy problem).
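As an added example (not Veza's or Trino's code; the Veza account ID, external ID, bucket and object name are placeholders), the following Python builds the trust policy and the least-privilege permissions policy for the role described above, and checks a trust policy for the two weaknesses that matter here: a principal other than the Veza account, and a missing sts:ExternalId condition.

```python
import json
from typing import Optional

# Placeholder values, not from the Veza page: Veza Support supplies the real
# account ID; the external ID is a random secret you choose.
VEZA_ACCOUNT_ID = "111111111111"      # hypothetical
EXTERNAL_ID = "c0f3a4e8-veza-trino"   # hypothetical


def build_trust_policy(trusted_account: str, external_id: Optional[str]) -> dict:
    """Trust policy for the role Veza assumes. With external_id=None the
    Condition is omitted, which is the weak form trust_policy_problems rejects."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(bucket: str, object_key: str) -> dict:
    """Permissions policy attached to the role: read only the one access-control object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{object_key}",
        }],
    }


def trust_policy_problems(policy: dict, trusted_account: str, external_id: str) -> list:
    """Return the reasons an AssumeRole trust policy is weaker than intended (empty list = OK)."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # not an AssumeRole grant
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws == "*":
            problems.append("statement trusts any AWS principal (*)")
        elif trusted_account not in str(aws):
            problems.append(f"statement trusts {aws!r}, not account {trusted_account}")
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected != external_id:
            problems.append("statement does not require the agreed sts:ExternalId")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(VEZA_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(build_permissions_policy("my-trino-config", "rules.json"), indent=2))
```

Run the script to print both policy documents for pasting into the IAM console; run trust_policy_problems against the trust policy of the role after creation to confirm the external ID condition survived any later edits.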

In either case, you will need to provide the path to the File System Access Control file:

Field       Description
Region      The AWS Region of the S3 bucket
Bucket      The name of the S3 bucket
Object      The object key (name) of the File System Access Control file within the bucket

Trino Configuration

In addition to the authorization configuration file, Veza requires a Trino user to gather database-level metadata. That user must be granted at least read-only access to every catalog in the File System Access Control file (the same file Veza reads from S3), for example with a rule like the following in the file's catalogs section:

{
  "user": "veza@veza.com",
  "catalog": "hive",
  "allow": "read-only"
}
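The following Python is an added example (not part of the Veza page or Trino's own code) that evaluates a File System Access Control file the way Trino evaluates catalog rules, first matching rule wins and no matching rule means no access, so you can confirm the Veza user can read every catalog before running discovery. The rules file is constructed for the example; the email, catalog names and group name are placeholders. Note that the user field is a regular expression, so the dot in the email is escaped to match literally.

```python
import json
import re

# Constructed sample of a File System Access Control file (not the page's file).
# The Veza rule has the shape shown above; the other rules make the first-match
# behaviour visible. "user", "group" and "catalog" are regexes matched whole.
SAMPLE_RULES = json.loads(r"""
{
  "catalogs": [
    {"user": "admin", "catalog": ".*", "allow": "all"},
    {"user": "veza@veza\\.com", "catalog": "hive", "allow": "read-only"},
    {"user": "veza@veza\\.com", "catalog": "iceberg", "allow": "read-only"},
    {"group": "analysts", "catalog": "hive", "allow": "read-only"},
    {"catalog": "system", "allow": "read-only"},
    {"catalog": ".*", "allow": "none"}
  ]
}
""")

READ_LEVELS = {"all", "read-only"}


def _matches(pattern, value: str) -> bool:
    # A missing field matches anything; Trino requires the regex to match the whole string.
    return pattern is None or re.fullmatch(pattern, value) is not None


def catalog_access(rules: dict, user: str, catalog: str, groups=()) -> str:
    """Return 'all', 'read-only' or 'none' for (user, catalog) under first-match semantics."""
    for rule in rules.get("catalogs", []):
        if not _matches(rule.get("user"), user):
            continue
        if "group" in rule and not any(_matches(rule["group"], g) for g in groups):
            continue
        if not _matches(rule.get("catalog"), catalog):
            continue
        allow = rule.get("allow", "none")
        # Older files use booleans: true means all, false means none.
        if allow is True:
            return "all"
        if allow is False:
            return "none"
        return allow
    return "none"  # no rule matched: Trino denies access


def unreadable_catalogs(rules: dict, user: str, catalogs, groups=()) -> list:
    """Catalogs the user cannot read; an empty result means discovery can see everything."""
    return [c for c in catalogs if catalog_access(rules, user, c, groups) not in READ_LEVELS]


if __name__ == "__main__":
    # Catalog list is a placeholder; in practice take it from SHOW CATALOGS on the coordinator.
    missing = unreadable_catalogs(SAMPLE_RULES, "veza@veza.com", ["hive", "iceberg", "system", "tpch"])
    print("catalogs the Veza user cannot read:", missing)
```

Point the script at your real rules file and the output of SHOW CATALOGS; any catalog it lists will be missing from Veza's graph until a read-only rule for the Veza user is added above the catch-all deny.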

The Trino coordinator must use password authentication over HTTPS; by default Trino refuses to accept password credentials over plain HTTP. The minimum configuration in etc/config.properties to enable HTTPS with password authentication is:

http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=etc/wildcard.pem

The keystore path may point to a PEM file containing the certificate and private key, as shown, or to a Java keystore. The password file itself is referenced from etc/password-authenticator.properties, as described in the Trino password authentication documentation.

For more information, see HTTPS and TLS in the Trino documentation.
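As an added example (not Veza's or Trino's code), the following Python parses a config.properties fragment and reports the settings that would break or weaken the connection: password authentication not enabled, HTTPS not enabled, no keystore, or Trino's http-server.authentication.allow-insecure-over-http test-only override left on, which lets credentials travel over plain HTTP. Both configuration samples are constructed for the example.

```python
# Constructed examples, not from the page: the minimal secure configuration
# and a common mistake (password auth permitted over plain HTTP).
SECURE_CONFIG = """
# etc/config.properties
http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=etc/wildcard.pem
"""

INSECURE_CONFIG = """
http-server.authentication.type=PASSWORD
http-server.http.enabled=true
http-server.authentication.allow-insecure-over-http=true
"""


def parse_properties(text: str) -> dict:
    """Parse Java-style key=value properties; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def config_problems(text: str) -> list:
    """Return the problems found in a coordinator config fragment (empty list = OK)."""
    props = parse_properties(text)
    problems = []
    # The authentication type may be a comma-separated list, e.g. PASSWORD,CERTIFICATE.
    auth_types = [t.strip().upper() for t in props.get("http-server.authentication.type", "").split(",")]
    if "PASSWORD" not in auth_types:
        problems.append("password authentication is not enabled")
    if props.get("http-server.https.enabled", "false").lower() != "true":
        problems.append("HTTPS is not enabled")
    if not props.get("http-server.https.keystore.path"):
        problems.append("no keystore/PEM configured for HTTPS")
    if props.get("http-server.authentication.allow-insecure-over-http", "false").lower() == "true":
        problems.append("credentials may be sent over plain HTTP (allow-insecure-over-http=true)")
    return problems


if __name__ == "__main__":
    for name, cfg in (("secure", SECURE_CONFIG), ("insecure", INSECURE_CONFIG)):
        print(name, "->", config_problems(cfg) or "OK")
```

Run config_problems over the coordinator's real config.properties before adding the data source; an empty result means the Veza connection will be authenticated and encrypted as the prerequisites require.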
