How to allow CREATE/DROP CATALOG with file-based access control?

[rileythomp]

Hi, I'd like to be able to run CREATE/DROP CATALOG statements while having file-based access control configured. This is my setup:
Container: docker run -d --name trino-db -p 8080:8080 -e CATALOG_MANAGEMENT=dynamic -v ./access-control.properties:/etc/trino/access-control.properties-v ./rules.json:/etc/trino/rules.json trinodb/trino:latest

/etc/trino/access-control.properties

access-control.name=file
security.config-file=/etc/trino/rules.json
security.refresh-period=1s

/etc/trino/rules.json

{
  "catalogs": [
    {
      "user": "admin",
      "allow": "all"
    },
    {
      "user": "employee",
      "allow": "read-only"
    }
  ],
  "tables": [
    {
      "user": "admin",
      "privileges": [
        "SELECT",
        "INSERT",
        "DELETE",
        "UPDATE",
        "OWNERSHIP",
        "GRANT_SELECT"
      ]
    },
    {
      "user": "employee",
      "table": "employees",
      "privileges": [
        "SELECT"
      ],
      "filter": "department = 'Engineering'"
    }
  ]
}

I connect with: docker exec -it trino-db trino --user admin

Everything works as expected, but if I try to run a command like CREATE CATALOG "test-data" USING memory or DROP CATALOG "test-data", I get this error: Access Denied: Cannot drop catalog test-data. How can I configure this to allow the CREATE/DROP CATALOG commands?

[rileythomp]

The allow key needs to be set to owner instead of all. Found in #22022. I think https://trino.io/docs/current/security/file-system-access-control.html#catalog-rules could be updated to reflect that.