prestodb / presto

The official home of the Presto distributed SQL query engine for big data
http://prestodb.io
Apache License 2.0

Pluggable Secret Management Logic in Presto #19055

Open skairali opened 1 year ago

skairali commented 1 year ago

Another requirement which is really important for us to use Presto in production-grade scenarios, especially in light of all audit and compliance requirements.

Currently, when you have a connector, all the creds are stored in the usual way and it's not protected.

We need a way to load secrets to Presto:

a) During startup
b) On failure, if the connector needs it (especially if the secret is rotated, etc.)
c) Maybe when we get events from secret management systems

Examples of secret management systems may be:

a) https://aws.amazon.com/secrets-manager/
b) https://www.ibm.com/cloud/secrets-manager

This could be a new plugin type, and probably when the catalogues are loaded, the corresponding secrets could also be loaded.

Roughly, the interface for the new plugin could look like the below:


package com.facebook.presto.spi.security;

import java.util.Map;

public interface SecretsManager
{
    Map<String, String> fetchSecrets();
}

But before going this route, I would like to get help from the community on seeing any existing way of solving this problem.

Else, I would kindly request that you consider this requirement.
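
A sketch of how the interface proposed above could be consumed, as an added example that is not part of the issue or of Presto's code. The `SecretsManager` interface is copied from the proposal; the `${secret:NAME}` placeholder syntax, the `SecretResolverExample` class and the in-memory backend are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SecretResolverExample {
    // Interface as proposed in the issue; not an existing Presto SPI.
    interface SecretsManager { Map<String, String> fetchSecrets(); }

    // Assumed placeholder syntax for catalog property values: ${secret:NAME}
    private static final Pattern REF = Pattern.compile("\\$\\{secret:([A-Za-z0-9_.-]+)\\}");
    private final SecretsManager manager;
    private volatile Map<String, String> cache = Map.of();

    // (a) load during startup
    SecretResolverExample(SecretsManager manager) { this.manager = manager; reload(); }

    // (b)/(c): call after a connector authentication failure or a rotation event.
    void reload() { cache = Map.copyOf(manager.fetchSecrets()); }

    // Substitute placeholders; fail closed on unknown names and never log values.
    Map<String, String> resolve(Map<String, String> catalogProperties) {
        Map<String, String> secrets = cache; // one consistent snapshot per resolution
        Map<String, String> resolved = new HashMap<>();
        for (Map.Entry<String, String> e : catalogProperties.entrySet()) {
            Matcher m = REF.matcher(e.getValue());
            StringBuilder sb = new StringBuilder();
            while (m.find()) {
                String value = secrets.get(m.group(1));
                if (value == null) {
                    throw new IllegalStateException("Unknown secret reference: " + m.group(1));
                }
                m.appendReplacement(sb, Matcher.quoteReplacement(value));
            }
            resolved.put(e.getKey(), m.appendTail(sb).toString());
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample: an in-memory map stands in for a real secrets backend.
        Map<String, String> backend = new HashMap<>(Map.of("mysql_password", "constructed-v1"));
        SecretResolverExample resolver = new SecretResolverExample(() -> backend);
        Map<String, String> catalog = Map.of("connection-password", "${secret:mysql_password}");
        backend.put("mysql_password", "constructed-v2"); // simulated rotation in the backend
        System.out.println("stale before reload: " + "constructed-v1".equals(resolver.resolve(catalog).get("connection-password")));
        resolver.reload();
        System.out.println("fresh after reload: " + "constructed-v2".equals(resolver.resolve(catalog).get("connection-password")));
    }
}
```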

rschlussel commented 1 year ago

I don't think we have any existing solution for this, and would be happy for a contribution to add this ability.

skairali commented 1 year ago

@rschlussel Sure

soham-dasgupta commented 12 months ago

Is there any traction on this? This seems to be a blocker to launch Presto in a Big Tech organization that has regulatory audits and compliance.