
Query validation for Amazon Athena using AWS SDK

I am using the AWS SDK to execute Amazon Athena queries using Java and what I would like to do is to have some way of ensuring only SELECT queries are executed. This is to make sure queries like DROP or INSERT are not executed. So is there any way I can perform this check using the AWS SDK without having to use any other dependencies?

I am thinking of using an EXPLAIN query in Athena (Presto EXPLAIN query) to identify what kind of query we are executing, but I am not too sure how to read the response of an EXPLAIN query.

Any advice on reading the EXPLAIN query response or any other alternative approaches I could use would be awesome. Thanks

Answer

You control permissions in Athena with IAM policies. Athena uses Glue Data Catalog to store metadata about tables. The IAM actions that govern who is allowed to create and drop tables belong to Glue, because that’s the API being used behind the scenes when you run a query like DROP TABLE foo.

If you create a policy that does not include permissions to create or drop tables and partitions, a user using that policy would not be able to run queries that resulted in tables being created or dropped, or partitions being added or removed.

In other words, only permit actions such as glue:GetTable, glue:GetPartitions, and not actions such as glue:DeleteTable and glue:DeletePartition.

Any query that required such permissions would return an error.
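As an added illustration of the approach this answer describes (not the answerer's own policy), here is an IAM identity policy that grants the Glue read actions needed to run SELECT queries while explicitly denying the catalog-changing actions. The region, account ID, workgroup name and the two bucket names are placeholders you would replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunAthenaQueries",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:GetWorkGroup"
      ],
      "Resource": "arn:aws:athena:REGION:ACCOUNT_ID:workgroup/primary"
    },
    {
      "Sid": "ReadOnlyGlueCatalog",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
      ],
      "Resource": [
        "arn:aws:glue:REGION:ACCOUNT_ID:catalog",
        "arn:aws:glue:REGION:ACCOUNT_ID:database/*",
        "arn:aws:glue:REGION:ACCOUNT_ID:table/*/*"
      ]
    },
    {
      "Sid": "DenyCatalogChanges",
      "Effect": "Deny",
      "Action": [
        "glue:CreateDatabase",
        "glue:DeleteDatabase",
        "glue:UpdateDatabase",
        "glue:CreateTable",
        "glue:DeleteTable",
        "glue:UpdateTable",
        "glue:BatchDeleteTable",
        "glue:CreatePartition",
        "glue:DeletePartition",
        "glue:UpdatePartition",
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadTableData",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-DATA-BUCKET",
        "arn:aws:s3:::EXAMPLE-DATA-BUCKET/*"
      ]
    },
    {
      "Sid": "WriteQueryResultsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-RESULTS-BUCKET",
        "arn:aws:s3:::EXAMPLE-RESULTS-BUCKET/*"
      ]
    }
  ]
}
```

The explicit Deny statement takes precedence over any Allow in other policies attached to the same principal, so a DROP TABLE, CREATE TABLE AS SELECT or ALTER TABLE ADD PARTITION fails with an access-denied error regardless of what else the user has been granted. Note that the S3 side matters as much as Glue: an INSERT INTO writes new data files into the table's S3 location, so s3:PutObject is granted only on the query-results bucket and not on the bucket holding the table data. Checking the query text in application code, or parsing an EXPLAIN response, is then an optional second layer rather than the control you rely on.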

User contributions licensed under: CC BY-SA