We use Presto as the main data query engine to provide data query services for business parties. In our architecture, Presto is a core capability and therefore requires data query permission control, including permission control at the table and column levels. We designed the following scheme to meet this requirement.

Area A: We use the original Presto client to connect; the entire JDBC layer is deployed in Kubernetes and forwarded to the back-end gateway cluster through our self-developed ingress load-balancing plug-in.

Area B: Overall, we use the Lyft open-source project "presto-gateway" with some custom modifications to suit internal needs. Behind the entire gateway cluster, we have a self-developed permission control system that controls the overall query permissions. The administrator can control all Presto queries in the console, freeze or kill a query, and check global monitoring. The console is also connected to the background API of the "auth-center" and provides routing services. The gateway automatically forwards requests to the back-end Presto server cluster through these routing services.

Area C: There are three core services. The "auth-authority-center" provides authority control for Presto queries; the "global-auth" center provides query control for global business, so that not only Presto but also hive-client and other external query clients can be connected; and the "SQLparser" service provides SQL parsing, which enables column-level control.
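As an added illustration of the column-level check that a SQL-parsing service in front of the gateway can perform (this is not code from the post, from presto-gateway, or from the "SQLparser" service described above), the following standard-library Python resolves every column a simple SELECT statement reads, expands `*` against a schema, and compares the result with a per-user ACL. The schema, the ACL, the user names and the sample statements are all constructed for the example; a real deployment would use a full SQL grammar, and this parser deliberately fails closed on anything it cannot resolve (non-SELECT statements, unknown tables, ambiguous unqualified columns).

```python
"""Minimal column-level SQL authorization check (illustrative, constructed)."""
import re
from dataclasses import dataclass, field

# Constructed sample schema: table -> columns (assumption, not the poster's data).
SCHEMA = {
    "orders": ["id", "customer_id", "amount", "card_number"],
    "customers": ["id", "name", "email"],
}

# Constructed ACL: user -> {table: allowed columns}; "*" grants every column.
ACL = {
    "analyst": {"orders": {"id", "customer_id", "amount"}, "customers": {"id", "name"}},
    "auditor": {"orders": {"*"}, "customers": {"*"}},
}

KEYWORDS = {
    "select", "from", "join", "inner", "left", "right", "full", "outer", "cross",
    "on", "where", "and", "or", "not", "in", "is", "null", "as", "group", "by",
    "order", "limit", "having", "distinct", "asc", "desc", "between", "like", "union",
}
_KW = "|".join(KEYWORDS)
# A FROM/JOIN source with an optional alias; the lookahead stops a following
# keyword (e.g. "FROM orders WHERE") from being read as an alias.
_SOURCE_RE = re.compile(
    rf"\b(?:from|join)\s+(\w+)(?:\s+(?:as\s+)?(?!(?:{_KW})\b)(\w+))?", re.I)
_QUALIFIED_RE = re.compile(r"\b([A-Za-z_]\w*)\.(\w+|\*)")   # alias.col or alias.*
_BARE_RE = re.compile(r"\b([A-Za-z_]\w*)\b")                 # unqualified identifiers


@dataclass
class Decision:
    allowed: bool
    denied: list = field(default_factory=list)  # "table.column" or a parse reason


def _referenced_tables(sql):
    """Map every table name and alias in FROM/JOIN clauses to its schema table."""
    tables = {}
    for name, alias in _SOURCE_RE.findall(sql):
        table = name.lower()
        if table not in SCHEMA:
            raise ValueError(f"unknown table {table}")
        tables[table] = table
        if alias:
            tables[alias.lower()] = table
    if not tables:
        raise ValueError("no FROM clause")
    return tables


def _referenced_columns(sql, tables):
    """Yield (table, column) for every column the statement reads, expanding '*'."""
    head = re.match(r"\s*select\s+(?P<cols>.*?)\s+from\b", sql, re.I | re.S)
    if head is None:
        raise ValueError("only SELECT ... FROM statements are supported")
    referenced = set(tables.values())
    if "*" in (c.strip() for c in head["cols"].split(",")):
        for table in referenced:            # bare '*' reads every column of every source
            for col in SCHEMA[table]:
                yield table, col
    # Drop the FROM/JOIN sources so table names are not mistaken for columns;
    # what remains (select list, ON, WHERE, ...) is scanned for column references.
    body = _SOURCE_RE.sub(" ", sql)
    for alias, col in _QUALIFIED_RE.findall(body):
        table = tables.get(alias.lower())
        if table is None:
            raise ValueError(f"unknown source {alias}")
        for c in (SCHEMA[table] if col == "*" else [col.lower()]):
            if c not in SCHEMA[table]:
                raise ValueError(f"unknown column {alias}.{c}")
            yield table, c
    # Unqualified names: resolve against the referenced tables, refusing ambiguity.
    for token in _BARE_RE.findall(_QUALIFIED_RE.sub(" ", body)):
        if token.lower() in KEYWORDS:
            continue
        owners = [t for t in referenced if token.lower() in SCHEMA[t]]
        if len(owners) > 1:
            raise ValueError(f"ambiguous column {token}")
        if owners:                          # names matching no column (functions) are ignored
            yield owners[0], token.lower()


def authorize(user, sql):
    """Fail closed: any column not granted to `user` denies the whole statement."""
    grants = ACL.get(user, {})
    try:
        tables = _referenced_tables(sql)
        refs = set(_referenced_columns(sql, tables))
    except ValueError as exc:
        return Decision(False, [str(exc)])
    denied = sorted(
        f"{t}.{c}" for t, c in refs
        if "*" not in grants.get(t, set()) and c not in grants.get(t, set())
    )
    return Decision(not denied, denied)


if __name__ == "__main__":
    for user, stmt in [("analyst", "SELECT * FROM orders"),
                       ("analyst", "SELECT o.amount, c.email FROM orders o "
                                   "JOIN customers c ON o.customer_id = c.id")]:
        print(user, "->", authorize(user, stmt))
```

Predicates are scanned as well as the select list, because a WHERE clause on a forbidden column leaks its values even when the column is never projected; that is why the check walks the whole statement body rather than only the columns after SELECT.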