We use presto as the main data query engine to provide data query services for business parties. In our architecture, presto as a core capability requires access to data query permission control, including permission control at the table and column levels. We designed The following scheme to achieve this requirement

Area A：We use the original presto client to connect, the entire JDBC layer is deployed in kubernetes, and forwarded to the back-end gateway cluster through our self-developed ingress load balancing plug-in

Area B：Overall, we use the lyft open source project “presto-gateway”   and make some personalized modifications to suit internal needs.Behind the entire gateway cluster, we have a self-developed permission control system to control the overall query permissions. The administrator can control all presto queries in the console, freeze or kill the query , and check global monitoring. The console  also connected to the background API of the “auth-center” and provides routing services. Gateway automatically forwards requests to the back-end presto server cluster through routing services.

Area C:  There are three core services, the “auth-authority-center” provides authority control for presto queries, the “global-auth” center provides query control for global business, not only presto but also hive-client and other external query clients can be connected, and the “SQLparser” service provides SQL parsing services, which can target columns level control.