Clarify docs for multiple access controls

trinodb · Jan 10, 2025 · 533ac31 · 533ac31
1 parent 29ae654
commit 533ac31
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 26 deletions.
diff --git a/docs/src/main/sphinx/security/built-in-system-access-control.md b/docs/src/main/sphinx/security/built-in-system-access-control.md
@@ -13,10 +13,39 @@ cluster nodes:
 access-control.name=allow-all
 ```
 
-Multiple system access control implementations may be configured at once
-using the `access-control.config-files` configuration property. It should
-contain a comma separated list of the access control property files to use
-(rather than the default `etc/access-control.properties`).
+(multiple-access-control)=
+## Multiple access control systems
+
+Multiple system access control implementations may be configured at once using
+the `access-control.config-files` configuration property. It must contain a
+comma-separated list of the access control property files to use, rather than
+the default `etc/access-control.properties`. Relative paths from the Trino
+`INSTALL_PATH` or absolute paths are supported. Each system is configured in a
+separate configuration file.
+
+The configured access control systems are checked until access rights are denied
+by a system. If no denies are issued by any system, the request is granted.
+Therefore all configured access control systems are used and evaluated for each
+request that is granted.
+
+For example, you can combine `file` access control and `ranger` access control
+with the two separate configuration files `file-based.properties` and
+`ranger.properties`.
+
+```properties
+access-control.config-files=etc/file-based.properties,etc/ranger.properties
+```
+
+:::{warning}
+
+Using multiple access control systems can be very complex to configure and
+maintain. In addition, each system and policy within each system is
+evaluated for each query, which can have a considerable, negative performance
+impact.
+
+:::
+
+## Available access control systems
 
 Trino offers the following built-in system access control implementations:
 

diff --git a/docs/src/main/sphinx/security/opa-access-control.md b/docs/src/main/sphinx/security/opa-access-control.md
@@ -23,17 +23,8 @@ access-control.name=opa
 opa.policy.uri=https://opa.example.com/v1/data/trino/allow
 ```
 
-To combine OPA access control with file-based or other access control systems,
-configure multiple access control configuration file paths in
-`etc/config.properties`:
-
-```properties
-access-control.config-files=etc/trino/file-based.properties,etc/trino/opa.properties
-```
-
-Order the configuration files list in the desired order of the different systems
-for overall access control. Configure each access-control system in the
-specified files.
+To combine OPA access control with file-based or other access control
+systems, follow the instructions about [](multiple-access-control).
 
 The following table lists the configuration properties for the OPA access control:
 

diff --git a/docs/src/main/sphinx/security/ranger-access-control.md b/docs/src/main/sphinx/security/ranger-access-control.md
@@ -25,17 +25,7 @@ access-control.name=ranger
 ```
 
 To combine Ranger access control with file-based or other access control
-systems, create the file `etc/access-control.properties` on the coordinator,
-with the following configuration that lists multiple access control
-configuration file paths:
-
-```properties
-access-control.config-files=etc/trino/file-based.properties,etc/trino/ranger.properties
-```
-
-Order the configuration files list in the desired order of the different systems
-for overall access control. Configure each access-control system in the
-specified files.
+systems, follow the instructions about [](multiple-access-control).
 
 The following table lists the configuration properties for the Ranger access control: