Permissions

Define table-level permission rules for technical users via the Permission interface.

Permissions define which catalogs, schemas, and tables a technical user can access. They act as an application-level allow list on top of Trino's built-in authorization — primarily useful for service accounts that execute queries via a shared system user.

Permission interface #

Property            Type       Description
name                string     Username to match against currentUser.userName.
useSystemUser       boolean    Whether this user’s queries run via the Trino system user.
permissions         Object     Read and write access rules.
  └ Query           Object[]   Read access rules (catalog + schema + tables). Use ["*"] for wildcard table access.
      └ catalog     string
      └ schema      string
      └ tables      string[]
  └ Mutation        Object[]   Write access rules (catalog + schema + tables). Use ["*"] for wildcard table access.
      └ catalog     string
      └ schema      string
      └ tables      string[]

Wildcard access #

Use ["*"] in the tables array to grant access to all tables within a catalog/schema combination:

{
  catalog: "hive",
  schema: "analytics",
  tables: ["*"] // access all tables in hive.analytics
}

createPermission helper #

For type-safe permission construction that validates against your generated configs, use the createPermission helper with defineConfig:

src/permissions.ts

import { createPermission as createPermissionFromApi } from "@lakeql/api/helpers"
import type { Permission } from "@lakeql/api/types"

import { allConfigs } from "./config-registry"

const createPermission = createPermissionFromApi(allConfigs)

export const permissions: Permission[] = [
  {
    name: "data-pipeline-service",
    useSystemUser: true,
    permissions: {
      Query: [
        createPermission("hive", "raw_data", ["events", "users", "sessions"]),
      ],
      Mutation: [createPermission("hive", "processed", ["aggregated_events"])],
    },
  },
  {
    name: "reporting-service",
    useSystemUser: true,
    permissions: {
      Query: [createPermission("hive", "analytics", ["*"])],
      Mutation: [],
    },
  },
]

How permissions are evaluated #

  • Read (Query): If no permission entry exists for a user, reads are allowed (Trino handles auth for human users). If rules exist, at least one must match the requested catalog/schema/table.
  • Write (Mutation): If no permission entry exists, writes are denied. Rules must explicitly grant access.

See Scope Authorization for the full evaluation logic.
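The two rules above, written out as a standalone function so the behaviour can be checked directly. This is an added example, not LakeQL's own implementation: the Permission type mirrors the interface on this page, while evaluateAccess, ruleMatches and the sample data are constructed for illustration.

```typescript
// Added example (not LakeQL's own code): the evaluation rules described above,
// written out as a standalone function. The Permission shape mirrors the
// interface on this page; evaluateAccess and the sample data are constructed.
type AccessRule = { catalog: string; schema: string; tables: string[] };
type Permission = {
  name: string;
  useSystemUser: boolean;
  permissions: { Query: AccessRule[]; Mutation: AccessRule[] };
};
type Operation = "Query" | "Mutation";

// A rule covers the request when catalog and schema match and the table is
// listed, or when the rule uses the ["*"] wildcard for that catalog/schema.
function ruleMatches(rule: AccessRule, catalog: string, schema: string, table: string): boolean {
  return (
    rule.catalog === catalog &&
    rule.schema === schema &&
    (rule.tables.includes("*") || rule.tables.includes(table))
  );
}

// Read (Query): no entry for the user means allow (Trino authorizes human
// users). Write (Mutation): no entry means deny. With an entry, at least one
// rule for that operation must match the requested catalog/schema/table.
export function evaluateAccess(
  permissions: Permission[], userName: string, op: Operation,
  catalog: string, schema: string, table: string,
): boolean {
  const entry = permissions.find((p) => p.name === userName);
  if (!entry) return op === "Query";
  return entry.permissions[op].some((r) => ruleMatches(r, catalog, schema, table));
}

// Constructed sample matching the two service accounts in permissions.ts above.
export const samplePermissions: Permission[] = [
  {
    name: "data-pipeline-service",
    useSystemUser: true,
    permissions: {
      Query: [{ catalog: "hive", schema: "raw_data", tables: ["events", "users", "sessions"] }],
      Mutation: [{ catalog: "hive", schema: "processed", tables: ["aggregated_events"] }],
    },
  },
  {
    name: "reporting-service",
    useSystemUser: true,
    permissions: { Query: [{ catalog: "hive", schema: "analytics", tables: ["*"] }], Mutation: [] },
  },
];
```

Note that a user with no entry at all can read anything the Trino-side authorization allows but can write nothing, so a service account that only needs reads can simply be left out of the list.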
