prestodb/presto

Pluggable Secret Management Logic in Presto

Open

#19,055 opened on Feb 14, 2023

View on GitHub
 (4 comments) (0 reactions) (0 assignees)Java (5,240 forks)batch import
Securityenhancementgood first issue

Repository metrics

Stars
 (15,558 stars)
PR merge metrics
 (Avg merge 34d 14h) (120 merged PRs in 30d)

Description

Another requirement which is really important for us to use Presto in production grade scenarios especially under the light of all audit and compliance requirements

Currently when you have a connector all the creds are stored in the usual way and its not protected

We need a a way to load secrets to presto

a) During startup b) On failure if connector needs ( especially if the secret is rotated etc) c) May be when we get events from secret management systems

Example for secret management system may be.

a) https://aws.amazon.com/secrets-manager/ b) https://www.ibm.com/cloud/secrets-manager

This could be a new plugin type and probably when the catalogues are loaded - corresponding secrets could also be loaded

Roughly interface could look like below for the new plugin


package com.facebook.presto.spi.security;

import java.util.Map;

public interface SecretsManager
{
    Map<String, String> fetchSecrets();
}

But before going this route I would like to get help from community on seeing any existing way of solving this problem

Else I would request kindly to consider this requirement

Contributor guide