Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Trino authorization, row masking, and policy translation at runtime


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Trino authorization requests can be translated into Cerbos policy checks, enriched with identity attributes, and returned as table access, row filters, and column masks in the format Trino expects, according to Cerbos. The real change is governance, not convenience: authorization becomes portable, auditable, and attribute-driven across systems that do not share a common policy protocol.

NHIMG editorial — based on content published by Cerbos: Synapse orchestration for Trino authorization, row filtering, and column masking

Questions worth separating out

Q: How should security teams govern authorization when applications do not speak the same policy protocol?

A: Use a central policy model with protocol adapters, but assign explicit ownership for the translation layer, the policy store, and the identity attributes feeding decisions.

Q: Why do identity attributes matter so much in row-level security and column masking?

A: Because the policy engine often needs more context than the application request contains.

Q: What do teams get wrong when they centralise policy for analytics platforms?

A: They often focus on the policy syntax and ignore the lifecycle around it.

Practitioner guidance

  • Map every protocol bridge to a governance owner Document which team owns the translation layer, the policy source, and the attribute source for each system that consumes external authorization decisions.
  • Validate identity attributes before using them in policy Check that department, role, clearance, and similar attributes are sourced from a trusted identity provider and refreshed at decision time.
  • Test all three authorization outcomes separately Create test cases for allow or deny decisions, row filters, and column masks so each output is validated independently before deployment.

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • The exact Trino OPA request and response shapes used during query execution
  • Policy snippets for access control, row filters, and column masks in Cerbos format
  • The full walkthrough of how Synapse enriches principals with identity-provider attributes
  • The operational flow for distributing, testing, and auditing policies through Cerbos Hub

👉 Read Cerbos' walkthrough of Synapse for Trino policy orchestration →

Trino authorization, row masking, and policy translation at runtime?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Policy translation is becoming part of identity governance, not just application plumbing. Once authorization spans multiple protocols, the governance problem moves above the application and into the orchestration layer. That matters because policy drift can now occur in the adapter, in the attribute source, or in the policy itself, even when the calling system remains unchanged. Practitioners should treat protocol mediation as a governed control surface, not an implementation convenience.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do you know whether query-time masking is actually protecting sensitive data?

A: You need evidence from the full decision path, not just the final query result. Review what rows were filtered, what column expressions were returned, which attributes were used, and whether the policy state was logged for later inspection. If you cannot reconstruct those four elements, the control is not fully observable.

👉 Read our full editorial: Cerbos Synapse makes Trino policy decisions portable across systems



   
ReplyQuote
Share: