Add documentation for AWS Security Mapping

prestodb · Jun 4, 2024 · 07c1b33 · 07c1b33
1 parent e5e6615
commit 07c1b33
Showing 1 changed file with 84 additions and 0 deletions.
diff --git a/presto-docs/src/main/sphinx/connector/hive.rst b/presto-docs/src/main/sphinx/connector/hive.rst
@@ -383,6 +383,90 @@ or credentials for a specific use case (e.g., bucket/user specific credentials).
 This Hadoop configuration property must be set in the Hadoop configuration
 files referenced by the ``hive.config.resources`` Hive connector property.
 
+AWS Security Mapping
+^^^^^^^^^^^^^^^^^^^^
+
+Presto supports flexible mapping for AWS Lake Formation and AWS S3 API calls, allowing for separate
+credentials or IAM roles for specific users.
+
+The mappings can be of two types: ``S3`` or ``LAKEFORMATION``.
+
+The mapping entries are processed in the order listed in the configuration
+file. More specific mappings should be specified before less specific mappings.
+You can set default configuration by not including any match criteria for the last
+entry in the list.
+
+Each mapping entry when mapping type is ``S3`` may specify one match criteria. Available match criteria:
+
+* ``user``: Regular expression to match against username. Example: ``alice|bob``
+
+The mapping must provide one or more configuration settings:
+
+* ``accessKey`` and ``secretKey``: AWS access key and secret key. This overrides
+  any globally configured credentials, such as access key or instance credentials.
+
+* ``iamRole``: IAM role to use. This overrides any globally configured IAM role.
+
+Example JSON configuration file for s3:
+
+.. code-block:: json
+
+    {
+      "mappings": [
+        {
+          "user": "admin",
+          "accessKey": "AKIAxxxaccess",
+          "secretKey": "iXbXxxxsecret"
+        },
+        {
+          "user": "analyst|scientist",
+          "iamRole": "arn:aws:iam::123456789101:role/analyst_and_scientist_role"
+        },
+        {
+          "iamRole": "arn:aws:iam::123456789101:role/default"
+        }
+      ]
+    }
+
+Each mapping entry when mapping type is ``LAKEFORMATION`` may specify one match criteria. Available match criteria:
+
+* ``user``: Regular expression to match against username. Example: ``alice|bob``
+
+The mapping must provide one configuration setting:
+
+* ``iamRole``: IAM role to use. This overrides any globally configured IAM role.
+
+Example JSON configuration file for lakeformation:
+
+.. code-block:: json
+
+    {
+      "mappings": [
+        {
+          "user": "admin",
+          "iamRole": "arn:aws:iam::123456789101:role/admin_role"
+        },
+        {
+          "user": "analyst",
+          "iamRole": "arn:aws:iam::123456789101:role/analyst_role"
+        },
+        {
+          "iamRole": "arn:aws:iam::123456789101:role/default_role"
+        }
+      ]
+    }
+
+======================================================= =================================================================
+Property Name                                           Description
+======================================================= =================================================================
+``hive.aws.security-mapping.type``                      AWS Security Mapping Type. Possible values: S3 or LAKEFORMATION
+
+``hive.aws.security-mapping.config-file``               JSON configuration file containing AWS IAM Security mappings
+
+``hive.aws.security-mapping.refresh-period``            Time interval after which AWS IAM security mapping configuration
+                                                        will be refreshed
+======================================================= =================================================================
+
 Tuning Properties
 ^^^^^^^^^^^^^^^^^