Starburst access management is currently only supported with the Polaris catalog. RBAC is defined and enforced at the catalog level in Polaris: Starburst acts as the query engine and forwards the user identity, while Polaris evaluates the access policies.

Setup

Starburst supports per-user identity forwarding to the Iceberg REST catalog via OAuth2 passthrough (see Starburst OAuth2 passthrough docs). Two configuration files need to be updated. First, enable delegated OAuth2 authentication in config.properties:
http-server.authentication.type=DELEGATED-OAUTH2
web-ui.authentication.type=DELEGATED-OAUTH2
Then configure the Polaris catalog properties file:
connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=<polaris-host>/api/catalog
iceberg.rest-catalog.warehouse=<catalog-name>
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.server-uri=<polaris-host>/api/catalog/v1/oauth/tokens
iceberg.rest-catalog.oauth2.credential=<service-client-id>:<service-client-secret>
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:ALL
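
A preflight check for the two files described above, as an added example that is not part of the Starburst or Polaris documentation. The sample host, warehouse and credential are constructed, and the rule that the token endpoint equals the catalog URI plus /v1/oauth/tokens is inferred from the template on this page.

```python
import re

P = "iceberg.rest-catalog."
# Fixed values the setup above prescribes, per file.
EXPECTED = {
    "config": {"http-server.authentication.type": "DELEGATED-OAUTH2",
               "web-ui.authentication.type": "DELEGATED-OAUTH2"},
    "catalog": {"connector.name": "iceberg", "iceberg.catalog.type": "rest",
                P + "security": "OAUTH2", P + "oauth2.scope": "PRINCIPAL_ROLE:ALL"},
}
# Constructed sample files; host, warehouse and credential are made up.
SAMPLE_CONFIG = """http-server.authentication.type=DELEGATED-OAUTH2
web-ui.authentication.type=DELEGATED-OAUTH2"""
SAMPLE_CATALOG = """connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=https://polaris.example.internal/api/catalog
iceberg.rest-catalog.warehouse=analytics
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.server-uri=https://polaris.example.internal/api/catalog/v1/oauth/tokens
iceberg.rest-catalog.oauth2.credential=svc-starburst:example-secret
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:ALL"""

def parse_properties(text):
    # key=value lines only; blank lines and # or ! comments are skipped.
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs
            if k and not k.startswith(("#", "!"))}

def check(config_text, catalog_text):
    # Returns findings; an empty list means both files match the setup.
    files = {"config": parse_properties(config_text),
             "catalog": parse_properties(catalog_text)}
    findings = [f"{name}: {key} should be {want}"
                for name, wanted in EXPECTED.items()
                for key, want in wanted.items() if files[name].get(key) != want]
    cat = files["catalog"]
    for key in ("uri", "warehouse", "oauth2.server-uri", "oauth2.credential"):
        value = cat.get(P + key, "")
        if not value or re.search(r"<[^<>]+>", value):
            findings.append(f"catalog: {P}{key} is unset or still a placeholder")
    uri, token = cat.get(P + "uri", ""), cat.get(P + "oauth2.server-uri", "")
    # On the page the token endpoint sits under the catalog URI on the same host.
    if token != uri.rstrip("/") + "/v1/oauth/tokens":
        findings.append("catalog: oauth2.server-uri is not <uri>/v1/oauth/tokens")
    if not re.fullmatch(r"[^:\s]+:\S+", cat.get(P + "oauth2.credential", "")):
        findings.append("catalog: oauth2.credential is not client-id:client-secret")
    return findings

print(check(SAMPLE_CONFIG, SAMPLE_CATALOG))
```

A token endpoint on a different host than the catalog URI is worth catching before deployment, because the service client secret is sent to that endpoint.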