# Trino

<Note>
  Trino access management is currently only supported with the [Polaris catalog](/lakehouse-management/access-management/polaris). RBAC is defined and enforced at the catalog level in Polaris: Trino acts as a query engine that forwards user identity, while Polaris evaluates the access policies.
</Note>

## Setup

To enable per-user identity forwarding, add `iceberg.rest-catalog.session=USER` to your Polaris catalog properties file (`trino/catalog/polaris.properties`). This tells Trino to pass each authenticated user's credentials to Polaris on every query, so access is evaluated per user rather than as the catalog service account (see [Trino REST catalog docs](https://trino.io/docs/current/object-storage/metastores.html#rest-catalog)).

```properties
connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=<polaris-host>/api/catalog
iceberg.rest-catalog.warehouse=<catalog-name>
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.server-uri=<polaris-host>/api/catalog/v1/oauth/tokens
iceberg.rest-catalog.oauth2.credential=<service-client-id>:<service-client-secret>
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:ALL
iceberg.rest-catalog.session=USER
```
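
A check for the setting described above, as an added example (not Ryft's or Trino's code): it scans catalog properties files and reports Iceberg REST catalogs where `iceberg.rest-catalog.session` is not `USER`, which means Polaris would evaluate access as the catalog service account. The function names, the constructed sample and the simplified `.properties` parser are assumptions made for this example.

```python
import re
from pathlib import Path

# Simplified Java .properties line: key, optional '=' or ':', value.
# Assumption: no line continuations or escaped separators in catalog files.
LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":   # blank line or comment
            continue
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_catalog(text):
    """Return findings for one catalog file; [] means nothing to report."""
    p = parse_properties(text)
    if (p.get("connector.name", "").lower() != "iceberg"
            or p.get("iceberg.catalog.type", "").lower() != "rest"):
        return []                                  # not an Iceberg REST catalog
    findings = []
    # Trino's default for this property is NONE (no per-user forwarding).
    session = p.get("iceberg.rest-catalog.session", "NONE")
    if session.upper() != "USER":
        findings.append(f"iceberg.rest-catalog.session={session}: "
                        "Polaris evaluates access as the catalog service account")
    security = p.get("iceberg.rest-catalog.security", "NONE")
    if security.upper() != "OAUTH2":
        findings.append(f"iceberg.rest-catalog.security={security}: "
                        "differs from the OAUTH2 setup shown on this page")
    return findings

def audit_dir(catalog_dir):
    """Map each *.properties file name in catalog_dir to its findings."""
    return {f.name: audit_catalog(f.read_text())
            for f in sorted(Path(catalog_dir).glob("*.properties"))}

# Constructed sample: OAuth2 is configured but session forwarding is missing.
SAMPLE_NO_SESSION = """\
connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.security=OAUTH2
"""

if __name__ == "__main__":
    for name, found in audit_dir("trino/catalog").items():
        print(name, found or "ok")
```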

<Note>
  The `session=USER` passthrough has known compatibility issues with some IdPs. If you encounter them, users can manually pass their IdP JWT to `trino-cli` via `--extra-credential "token=<jwt>"`; Trino's Iceberg REST client will use it directly as a Bearer credential.
</Note>
