From 2a4714ccc0f526c3f7c85f94f6fb22ddb442484e Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 4 Nov 2025 14:26:20 +0100 Subject: [PATCH 1/5] Fix stackablectl stacklet list command --- modules/tutorials/pages/authentication_with_openldap.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/tutorials/pages/authentication_with_openldap.adoc b/modules/tutorials/pages/authentication_with_openldap.adoc index d2d1d537b..9a25140d3 100644 --- a/modules/tutorials/pages/authentication_with_openldap.adoc +++ b/modules/tutorials/pages/authentication_with_openldap.adoc @@ -42,7 +42,7 @@ to learn more. Before starting to add configuration to your Stackable cluster, inspect what the command above has set up in your Kubernetes cluster. -Use `stackablectl stacklets list` to find the endpoints of Superset and Trino and open their web interfaces in the +Use `stackablectl stacklet list` to find the endpoints of Superset and Trino and open their web interfaces in the browser. You can log into Superset with user _admin_ and password _adminadmin_, and into Trino with user _admin_ and password From 0355a85d55c16199d31afe852bdf4677fb1be50c Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 4 Nov 2025 14:30:55 +0100 Subject: [PATCH 2/5] Simplify instruction --- modules/tutorials/pages/authentication_with_openldap.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/tutorials/pages/authentication_with_openldap.adoc b/modules/tutorials/pages/authentication_with_openldap.adoc index 9a25140d3..fdd92f1b3 100644 --- a/modules/tutorials/pages/authentication_with_openldap.adoc +++ b/modules/tutorials/pages/authentication_with_openldap.adoc 
@@ -45,8 +45,7 @@ Kubernetes cluster. Use `stackablectl stacklet list` to find the endpoints of Superset and Trino and open their web interfaces in the browser. -You can log into Superset with user _admin_ and password _adminadmin_, and into Trino with user _admin_ and password -_adminadmin_. +You can log into both Superset and Trino with user `admin` and password `adminadmin`. These are the current users defined in Superset's and Trino's internal user management. Later you will see that these users cannot be used for authentication anymore after LDAP authentication has been enabled. From b8dcdc6b1721eae652138259b1be7404387a8f6d Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 4 Nov 2025 14:33:43 +0100 Subject: [PATCH 3/5] Simplify instruction --- modules/tutorials/pages/authentication_with_openldap.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/tutorials/pages/authentication_with_openldap.adoc b/modules/tutorials/pages/authentication_with_openldap.adoc index fdd92f1b3..48ef8e064 100644 --- a/modules/tutorials/pages/authentication_with_openldap.adoc +++ b/modules/tutorials/pages/authentication_with_openldap.adoc @@ -47,7 +47,7 @@ browser. You can log into both Superset and Trino with user `admin` and password `adminadmin`. -These are the current users defined in Superset's and Trino's internal user management. Later you will see that these users cannot be used for authentication anymore after LDAP authentication has been enabled. +These _admin_ users are defined in Superset's and Trino's internal user management. Later you will see that these users cannot be used for authentication anymore after LDAP authentication has been enabled. === OpenLDAP Stack From e389dff3e11ff85dc6021b6992eb43a3418ecce0 Mon Sep 17 00:00:00 2001 
From: Nick Larsen Date: Tue, 4 Nov 2025 14:50:31 +0100 Subject: [PATCH 4/5] Update instructions --- modules/tutorials/pages/authentication_with_openldap.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/tutorials/pages/authentication_with_openldap.adoc b/modules/tutorials/pages/authentication_with_openldap.adoc index 48ef8e064..80a1e9872 100644 --- a/modules/tutorials/pages/authentication_with_openldap.adoc +++ b/modules/tutorials/pages/authentication_with_openldap.adoc @@ -210,7 +210,10 @@ Now deploy the updated superset cluster: [source,bash] include::example$ldap-auth/40-modify-superset.sh[tag=apply-superset-cluster] -Connect to superset as before, and try logging in again with username _admin_ and password _adminadmin_, Superset will not accept these credentials anymore. You now have to use LDAP credentials to log in. The OpenLDAP you installed earlier comes with two users, _alice_ (password _alice_) and _bob_ (password _bob_). Log in with any of these users and Superset will accept. +Connect to superset as before (logout if you still had a valid session from earlier), and try logging in again with username _admin_ and password _adminadmin_, Superset will not accept these credentials anymore. +You now have to use LDAP credentials to log in. +The OpenLDAP you installed earlier comes with two users, _alice_ (password _alice_) and _bob_ (password _bob_). +Log in with any of these users and Superset will accept. [#trino] === Add LDAP configuration to Trino From cbd4031019d6c7bc7842ab989fe7d15ecc94332f Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 4 Nov 2025 21:27:20 +0100 Subject: [PATCH 5/5] Update rego rule syntax --- .../ldap-auth/trino-opa-bundle-snippet.yaml | 17 ++++++++++++----- .../pages/authentication_with_openldap.adoc | 2 +- 2 files changed, 13 insertions(+), 6 deletions(-) 
diff --git a/modules/tutorials/examples/ldap-auth/trino-opa-bundle-snippet.yaml b/modules/tutorials/examples/ldap-auth/trino-opa-bundle-snippet.yaml index e56ca8f31..776c53d6c 100644 --- a/modules/tutorials/examples/ldap-auth/trino-opa-bundle-snippet.yaml +++ b/modules/tutorials/examples/ldap-auth/trino-opa-bundle-snippet.yaml @@ -2,19 +2,26 @@ data: trino.rego: | package trino - import future.keywords.in - default allow = false - allow { + allow if { is_alice } - extended[i] { + + batch contains i if { some i input.action.filterResources[i] is_alice } - is_alice() { + batch contains i if { + some i + input.action.operation == "FilterColumns" + count(input.action.filterResources) == 1 + input.action.filterResources[0].table.columns[i] + is_alice + } + + is_alice() if { input.context.identity.user == "alice" } diff --git a/modules/tutorials/pages/authentication_with_openldap.adoc b/modules/tutorials/pages/authentication_with_openldap.adoc index 80a1e9872..60a6ec188 100644 --- a/modules/tutorials/pages/authentication_with_openldap.adoc +++ b/modules/tutorials/pages/authentication_with_openldap.adoc @@ -317,7 +317,7 @@ Fetch the snippet as before: [source,bash] include::example$ldap-auth/70-modify-trino-opa-bundle.sh[tag=get-yaml] -Apply this patch: +Update the ConfigMap to look like the below: [source,yaml] ----
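Review bot: The rewritten `trino.rego` in trino-opa-bundle-snippet.yaml uses the `if` and `contains` keywords, but the hunk removes `import future.keywords.in` without adding any import, so the policy only parses where Rego v1 syntax is the default. The OPA version the tutorial deploys is not visible in this patch; if it can be older, the bundle would presumably fail to load and Trino authorization would not behave as the tutorial describes. Adding `import rego.v1` under `package trino`, or stating the minimum OPA version in the .adoc, would make the requirement explicit. Separately, the new line `is_alice() if {` keeps the zero-argument function form while `allow` and both `batch` rules reference it as bare `is_alice`; since this rule carries the whole authorization decision, writing `is_alice if {` would make it an ordinary boolean rule and leave no doubt about how the reference evaluates.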