Trino access management is currently only supported with the Polaris catalog. RBAC is defined and enforced at the catalog level in Polaris - Trino acts as a query engine that forwards user identity, while Polaris evaluates the access policies.

Setup

To enable per-user identity forwarding, add iceberg.rest-catalog.session=USER to your Polaris catalog properties file (trino/catalog/polaris.properties). This tells Trino to pass each authenticated user’s credentials to Polaris on every query, so access is evaluated per user rather than as the catalog service account (see Trino REST catalog docs).
connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=<polaris-host>/api/catalog
iceberg.rest-catalog.warehouse=<catalog-name>
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.server-uri=<polaris-host>/api/catalog/v1/oauth/tokens
iceberg.rest-catalog.oauth2.credential=<service-client-id>:<service-client-secret>
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:ALL
iceberg.rest-catalog.session=USER
The session=USER passthrough has known compatibility issues with some IdPs. If you encounter this, users can manually pass their IdP JWT to trino-cli via --extra-credential "token=<jwt>" - Trino’s Iceberg REST client will use it directly as a Bearer credential.
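The setting that matters for access control in the file above is iceberg.rest-catalog.session=USER: if it is missing, every query is authorized by Polaris as the service principal whose credential sits in the same file, with the full PRINCIPAL_ROLE:ALL scope. The following POSIX shell preflight check is an added example, not part of the Trino or Polaris documentation; it reads a catalog properties file, fails when forwarding is not USER or when template placeholders such as <catalog-name> are still present, and the file path and sample values it is run against are assumptions.

```shell
#!/bin/sh
# Added preflight check (not part of Trino or Polaris): inspect a Polaris
# catalog properties file before starting Trino and fail if per-user identity
# forwarding is off. Without iceberg.rest-catalog.session=USER every query is
# authorized as the service principal whose credential is in this file.
# Usage: check_polaris_catalog trino/catalog/polaris.properties

# Print the last value set for key $2 in properties file $1, ignoring comment
# lines and surrounding whitespace (Java properties semantics: last definition wins).
getprop() {
  grep -v '^[[:space:]]*#' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | tail -n 1
}

check_polaris_catalog() {
  file="$1"
  rc=0
  if [ ! -r "$file" ]; then
    echo "ERROR: cannot read $file" >&2
    return 2
  fi

  # The check only makes sense for an Iceberg REST catalog definition.
  if [ "$(getprop "$file" connector.name)" != "iceberg" ] \
     || [ "$(getprop "$file" iceberg.catalog.type)" != "rest" ]; then
    echo "ERROR: $file is not an Iceberg REST catalog definition"
    rc=1
  fi

  # The security-relevant setting: identity forwarding must be USER.
  session="$(getprop "$file" iceberg.rest-catalog.session)"
  if [ "$session" != "USER" ]; then
    echo "ERROR: iceberg.rest-catalog.session is '${session:-unset}', expected USER;" \
         "all queries would be authorized as the catalog service principal"
    rc=1
  fi

  # Unfilled <placeholder> values copied from the template mean the file is not deployable.
  if grep -q '<[A-Za-z-]*>' "$file"; then
    echo "ERROR: template placeholders (<...>) are still present in $file"
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: $file forwards per-user identity to Polaris"
  fi
  return "$rc"
}

# Run directly with a path argument; when sourced without arguments only the
# functions are defined.
if [ "$#" -gt 0 ]; then
  check_polaris_catalog "$1"
fi
```

Run it against the catalog file before each Trino restart (for example from the deployment pipeline); a non-zero exit means the catalog would either not start or would silently authorize everyone as the service account.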