Restricting Catalog Access in Starburst Console

Currently when I log into Starburst console as a user, I can access two catalogs in starburst:

  1. catalog_A (created using iceberg connector) - contains all our iceberg tables from our AWS datalake.
  2. catalog_B (created using Hive connector) - contains the dataproducts created in starburst from the iceberg tables which belong to schemas under catalog_A.

Is it possible to restrict access only to catalog_B to our users so that they can query only the dataproducts?
I do not want them to query the tables under catalog_A which contain the actual tables used to create the views (data_product).

Note: The data products are created in starburst using the starburst console.

The short answer is “Yes!”

The longer answer is around the security policies you set up, but again… YES!

The slightly longer answer is around the “security modes” of DEFINER and INVOKER as detailed at CREATE VIEW — Starburst Enterprise. Unless my brain is mush today, the Views and MVs that Starburst Enterprise creates for datasets in Data Products continue with the default behavior of DEFINER, which means the security of the account that defined the views is used, which allows you to relieve the actual “invoker” from having to have direct access to the underlying tables (i.e. catalog_A in your example).

We have currently defined the dataproducts views as INVOKER. If I understand your reply correctly, when I change this view definition to DEFINER then any other user won’t be able to view the table(s) which created this dataproduct. Is my understanding correct?

The bummer with INVOKER is that the user executing the query needs access to the underlying tables which means you can’t hide your catalog_A tables from them.

So, yes, you are correct. With DEFINER you can make a policy that prevents your “invokers” from actually needing to have access to those underlying catalog_A tables. If the current security policies allow those users to see the catalog_A tables then they still will be able to until you lock them down.
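The difference described above, written out in Trino SQL as an added illustration (not code from the thread or from Starburst); the schema, table, view and role names are assumed, and whether `GRANT` is honored depends on the access-control system configured on the cluster:

```sql
-- Assumed names: catalog_A.sales.orders is the underlying Iceberg table,
-- catalog_B.products.orders_summary is the data-product view, and
-- 'analyst' is a role held by the end users.

-- INVOKER mode: the view runs with the privileges of whoever queries it,
-- so an analyst needs SELECT on catalog_A.sales.orders as well as on the
-- view. catalog_A cannot be hidden from them.
CREATE OR REPLACE VIEW catalog_B.products.orders_summary
SECURITY INVOKER
AS
SELECT order_date, region, sum(amount) AS total_amount
FROM catalog_A.sales.orders
GROUP BY order_date, region;

-- DEFINER mode: the view runs with the privileges of the account that
-- created it (the data-product owner). Analysts then only need SELECT on
-- the view itself; no direct access to catalog_A is required.
CREATE OR REPLACE VIEW catalog_B.products.orders_summary
SECURITY DEFINER
AS
SELECT order_date, region, sum(amount) AS total_amount
FROM catalog_A.sales.orders
GROUP BY order_date, region;

-- Lock-down policy, expressed as SQL grants (in BIAC or Ranger the same
-- rules are created through their own policy UI/API instead):
GRANT SELECT ON TABLE catalog_B.products.orders_summary TO ROLE analyst;
-- and no grant at all on catalog_A for the analyst role.

-- Check what the end user can actually see; run as a member of 'analyst':
SHOW CATALOGS;                       -- catalog_A should not be listed
SELECT * FROM catalog_B.products.orders_summary LIMIT 10;   -- works
SELECT * FROM catalog_A.sales.orders LIMIT 10;              -- access denied
```

The DEFINER variant only protects catalog_A if the access-control layer is also configured to deny the analysts direct access; the view mode by itself does not remove existing permissions.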

I see. We have defined all our dataproduct views as INVOKER.
When you say “make a policy” to lock down the users to see the catalog_A tables - Is this done by Starburst Enterprise Admin? In other words, how and where do I create/modify this security policy?

Lastly, I appreciate your inputs on this one!!!

The more I think about it, I’m pretty sure the views/MVs that are created for datasets in data products, DEFINER is the mode that is selected (i.e. you don’t get to choose). This is called out at Manage data products — Starburst Enterprise.

As for “making a policy”, I’m talking about creating a RBAC access policy with our built-in access controls (BIAC) policy manager, Apache Ranger, or whatever policy manager your Starburst Enterprise cluster has configured. A few notes on this at Data products overview — Starburst Enterprise.

The full Starburst Enterprise admin should have rights to create these, but just as likely, others also have this right. It generally is not granted to everyone, as then everyone could create rules for themselves to do whatever they want. :wink: