Credentials propagation in Trino
Overview
Credentials propagation allows Trino to authenticate connectors — such as ADB, PostgreSQL, ClickHouse, and others, on behalf of the currently logged-in user. This ensures secure, user-specific access to data sources.
This article explains how to enable and configure credentials propagation for Trino in Arenadata clusters.
|
NOTE
This feature works for JDBC-like connectors and when using HTTP authentication with password (the |
Enable credentials propagation
When arenadata.http-server.authentication.password.populate-extra-credentials is set to true, Trino automatically adds the username and password from the current session to the extra credentials. The configured connector reads these credentials and authenticates the query on behalf of the user.
To enable credentials propagation via ADCM:
-
In ADCM, select your ADH cluster.
-
Navigate to Services → Trino → Components → Trino Coordinator/Trino Worker and toggle Show advanced.
-
Open the Custom node.properties section and click Add property.
-
Enter
arenadata.http-server.authentication.password.populate-extra-credentialsas the field name andtrueas the value. -
Save the configuration by clicking Save and restart a component by selecting Actions → Restart.
For each connector that should use the propagated credentials, add the following properties to the connector configuration file:
user-credential-name=arenadata.username
password-credential-name=arenadata.passwordFor more information on how to configure connectors, see Overview of Trino connectors.
Example
To verify that credentials propagation works correctly:
-
Connect to Trino using CLI. The example command for connection:
$ ./trino https://<coordinator_host>:18188 --user=<username> --password -
Enter the password when prompted.
-
Run a query against a connector that uses the propagated credentials:
SHOW TABLES FROM adb.default;
The connector will authenticate using the provided user credentials.