Trino Gateway: Authentication & Authorization
This page covers how identity flows into the Trino Gateway and how access privileges are enforced at the gateway layer. For how queries are then authorized at the Trino + Ranger layer, see SQL Auth — Superset, Trino & Ranger.
Authentication
The gateway uses OAuth2 via Keycloak (defaultType: oauth). There are two access paths:
Browser (direct): Users accessing the Trino Gateway UI are redirected to Keycloak login. The gateway validates the returned token and maps roles from the roles claim.
API via BFF: Programmatic access (cluster management, routing rule updates) goes through the BFF (/trino/* routes). The BFF validates the caller's JWT, performs a Keycloak token exchange scoped to the Trino Gateway audience, and forwards the exchanged token to the gateway.
Authorization
The gateway enforces three privilege levels, mapped from Keycloak roles in the roles claim:
| Gateway privilege | Keycloak role match | Access |
|---|---|---|
| admin | ADMIN, platform_admin, data_engineer | Full gateway management — clusters, routing rules, user API |
| user | USER, platform_admin, data_engineer | Query execution, dashboard history |
| api | API, platform_admin, data_engineer | Programmatic API access |
If a token carries none of the matched roles, the gateway rejects the request.
Gateway privileges control access to the gateway itself (cluster registration, routing rules, query history). They are separate from Trino + Ranger policies, which govern what data a user can query once routed to a Trino cluster. See SQL Auth — Superset, Trino & Ranger.
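The role-to-privilege mapping from the table above, as an added example (not the Trino Gateway's own code): it reads the roles claim of a token the gateway's OAuth2 layer has already validated, derives the gateway privileges it grants, and rejects a token that matches none of the listed roles. The helper names, the unsigned demo token and the sample claims are constructed for this example.

```python
import base64
import json

# Gateway privilege -> Keycloak roles that grant it (from the table above).
ROLE_MATCHES = {
    "admin": {"ADMIN", "platform_admin", "data_engineer"},
    "user": {"USER", "platform_admin", "data_engineer"},
    "api": {"API", "platform_admin", "data_engineer"},
}

class AccessDenied(Exception):
    """Token grants no gateway privilege, or not the one the request needs."""

def payload_claims(jwt: str) -> dict:
    """Decode a compact JWT's payload. No signature check here: the gateway's
    OAuth2 layer (and the BFF before it) has already validated the token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def gateway_privileges(claims: dict) -> set:
    """Map the `roles` claim to granted gateway privileges; no match -> rejected."""
    roles = claims.get("roles", [])
    roles = {roles} if isinstance(roles, str) else set(roles)
    granted = {p for p, matches in ROLE_MATCHES.items() if roles & matches}
    if not granted:
        raise AccessDenied("token carries none of the mapped roles")
    return granted

def authorize(jwt: str, required: str) -> set:
    """Admit a request needing `required`; returns every privilege granted."""
    granted = gateway_privileges(payload_claims(jwt))
    if required not in granted:
        raise AccessDenied(f"token lacks the '{required}' privilege")
    return granted

def is_admitted(jwt: str, required: str) -> bool:
    try:
        return bool(authorize(jwt, required))
    except AccessDenied:
        return False

def constructed_token(claims: dict) -> str:
    """Unsigned demo token (constructed here; only for exercising the mapping)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```

A platform_admin or data_engineer role lands in all three rows of the table, so such a token resolves to every gateway privilege at once.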
Fallback: Password Auth
A gateway preset user with ADMIN_USER_API privileges is always provisioned. Its password is stored in the trino-gw-basic-auth Kubernetes secret in the trino namespace. This account is used for internal API calls (e.g. routing rule updates) and as a break-glass fallback.
To switch the default auth type to password (e.g. for debugging):

```yaml
authentication:
  defaultType: form
```
Go Deeper
- Token Exchange and Data Access — high-level overview of the token exchange model
- SQL Auth — Superset, Trino & Ranger — how queries are authorized at the Trino + Ranger layer