Policy-driven authorization for Apache Trino
Control who can query which catalogs, schemas, and tables in Apache Trino using the same Cerbos policies that govern your application.
Native Apache Trino support
Cerbos speaks Apache Trino's native protocol, so no custom glue code is required
Unified policies
The same CEL-based policies that govern your application layer extend to your infrastructure
Defense in depth
Authorization at every layer of your stack, managed from a single control plane
How Cerbos works with Apache Trino
Apache Trino provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.
Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Apache Trino, enforced consistently everywhere.
A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.
Fine-grained data access control for Apache Trino
Apache Trino enables fast, distributed SQL queries across multiple data sources. As adoption grows within an organization, controlling who can access which data becomes critical, especially for sensitive datasets subject to compliance requirements.
Cerbos integrates directly with Apache Trino's authorization framework to provide fine-grained, policy-driven access control at the catalog, schema, table, and column level.
How it works
- A user submits a query to Apache Trino, referencing one or more catalogs, schemas, and tables.
- Apache Trino calls Cerbos for each authorization check, passing the authenticated user, the target resource, and the requested operation.
- Cerbos evaluates your policies, checking user roles, resource attributes, data classification labels, and any custom conditions.
- Apache Trino enforces the decisions, allowing the query to proceed or returning an access denied error.
Column-level security and data governance
Cerbos policies can restrict access at the column level, making it straightforward to implement data masking or redaction for sensitive fields. Define policies based on data classification labels: for example, PII columns visible only to compliance roles, or financial data restricted to the finance department.
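The column rules described above, written as a Cerbos resource policy. This is an added example, not taken from Cerbos documentation or the Synapse integration. The resource kind `trino_column`, the action `select`, the `classification` and `department` attribute names, and the role names are assumptions for illustration; this page does not list the names the integration actually sends.

```yaml
# Illustrative Cerbos resource policy (added example).
# Assumed, not from the page: resource kind "trino_column", action "select",
# attribute names "classification" and "department", and all role names.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "trino_column"
  rules:
    # Low-sensitivity data: listed roles may read columns that are
    # explicitly classified as public or internal.
    - actions: ["select"]
      effect: EFFECT_ALLOW
      roles: ["analyst", "finance", "compliance"]
      condition:
        match:
          expr: 'request.resource.attr.classification in ["public", "internal"]'

    # PII columns are visible only to the compliance role.
    - actions: ["select"]
      effect: EFFECT_ALLOW
      roles: ["compliance"]
      condition:
        match:
          expr: 'request.resource.attr.classification == "pii"'

    # Financial columns: the role alone is not enough; the principal's
    # department attribute must also be "finance".
    - actions: ["select"]
      effect: EFFECT_ALLOW
      roles: ["finance"]
      condition:
        match:
          all:
            of:
              - expr: 'request.resource.attr.classification == "financial"'
              - expr: 'request.principal.attr.department == "finance"'

    # No rule matches a column whose classification is missing or unknown,
    # so Cerbos denies it by default.
```

Because only allow rules are defined and Cerbos denies anything that no rule matches, a column added without a classification label stays unreadable until it is labelled.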
Powered by Cerbos Synapse
Cerbos Synapse provides the Apache Trino integration through a route extension that implements Trino's system access control SPI. Synapse translates each authorization check into a Cerbos policy evaluation and can enrich requests with data from identity providers, databases, and other configured sources before the decision is made.
Get started
Cerbos authorization for Apache Trino is available as part of Cerbos Synapse. Talk to us to learn more about securing your Apache Trino deployment with Cerbos policies.
FAQ
How does Cerbos integrate with Apache Trino?
Cerbos implements Apache Trino's system access control SPI. When users run queries, Apache Trino delegates authorization checks to Cerbos, which evaluates your policies against the user's identity, the catalog/schema/table being accessed, and the operation being performed.
What level of access control does Cerbos provide for Apache Trino?
Cerbos can authorize at every level Apache Trino supports: catalog access, schema visibility, table and column-level permissions, and query execution. You can write policies that restrict specific users to read-only access on certain schemas or limit column visibility based on data classification.
Can I manage Apache Trino and application authorization in one place?
Yes. Cerbos provides a single policy engine for both your application and data platform. The same policy language and management workflows apply across your entire stack.
Cerbos + Apache Trino
- Apache Trino delegates authorization to Cerbos via native integration
- One set of policies enforced across the entire stack
- Unified audit trail for all authorization decisions
- Policies managed without code changes or redeployments