Skip to content
This repository has been archived by the owner on Jan 31, 2024. It is now read-only.

stackabletech/trino-opa-authorizer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
.dir-locals.el
.dir-locals.el
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.adoc
README.adoc
 
 
access-control.properties
access-control.properties
 
 
example.rego
example.rego
 
 
pom.xml
pom.xml
 
 

Repository files navigation

trino-opa-authorizer

Important
 This repository has been archived and is not being maintained any more. Development of this authorizer has been moved into the Trino project itself: trinodb/trino#19532

Usage

OPA

Currently expects that Open Policy Agent is listening on http://localhost:8181. Run opa run --log-level debug --server example.rego in the repo folder to test an initial example.

Trino plugin

Assuming that you already have a Trino server set up.

  1. Run mvn package

  2. Copy (or symlink) target/out to $TRINO_DIR/plugins/trino-opa-authorizer

  3. Copy (or symlink) access-control.properties to $TRINO_DIR/etc/access-control.properties

  4. Start Trino

Tests

The tests assume that OPA is available on your path as opa, and can then be executed by running mvn test.

Example

The example example.rego allows the admin user to do everything. User bob is limited to run queries and access catalogs.

link:example.rego[role=include]

This can be tested via the Trino CLI for the admin user:

./trino-cli-403-executable.jar --server http://localhost:8080 --user=admin

and for the user bob:

./trino-cli-403-executable.jar --server http://localhost:8080 --user=bob

When logged in as bob you should be able to run:

trino> SHOW CATALOGS;
 Catalog
---------
 system
(1 row)

Query 20220419_161711_00047_bu682, FINISHED, 1 node
Splits: 1 total, 1 done (100.00%)
0.22 [0 rows, 0B] [0 rows/s, 0B/s]

but should get an Access Denied failure when e.g. showing schemas:

trino> SHOW SCHEMAS From system;
Query 20220419_161650_00046_bu682 failed: Access Denied: Cannot show schemas

Building

To build the maven project invoke

mvn clean package

Afterwards you find the produced binaries in /home/sbernauer/stackabletech/trino-opa-authorizer/target/out/, especially out of interest is

-rw-rw-r-- 1 sbernauer sbernauer 33K Sep 15 09:53 /home/sbernauer/stackabletech/trino-opa-authorizer/target/out/trino-opa-authorizer-403-stackable0.1.0.jar

The small size is normal. We have to bundle all the produced jars to put them into a Trino setup. To achieve this run

ln -s target/out/ trino-opa-authorizer

and (you need to replace your version!)

tar -czvf trino-opa-authorizer-403-stackable0.1.0.tar.gz ./trino-opa-authorizer/*

Resulting file size should be in the neighborhood of 80 MB:

$ ls -lah trino-opa-authorizer-*.gz
-rw-rw-r-- 1 sbernauer sbernauer 86M Sep 15 09:58 trino-opa-authorizer-403-stackable0.1.0.tar.gz

Releasing

Releasing here is done by uploading the trino-opa-authorizer-*-stackable0.1.0.tar.gz into Nexus.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

13 stars

Watchers

7 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 7

Languages