Important: This repository has been archived and is not being maintained any more. Development of this authorizer has been moved into the Trino project itself: trinodb/trino#19532
The authorizer currently expects Open Policy Agent to be listening on http://localhost:8181. To test an initial example, run the following in the repo folder:
opa run --log-level debug --server example.rego
Assuming that you already have a Trino server set up:
- Run mvn package
- Copy (or symlink) target/out to $TRINO_DIR/plugins/trino-opa-authorizer
- Copy (or symlink) access-control.properties to $TRINO_DIR/etc/access-control.properties
- Start Trino
The tests assume that OPA is available on your path as opa, and can then be executed by running mvn test.
The example policy example.rego allows the admin user to do everything. User bob is limited to running queries and accessing catalogs.
link:example.rego[role=include]
This can be tested via the Trino CLI for the admin user:
./trino-cli-403-executable.jar --server http://localhost:8080 --user=admin
and for the user bob:
./trino-cli-403-executable.jar --server http://localhost:8080 --user=bob
When logged in as bob you should be able to run:
trino> SHOW CATALOGS;
 Catalog
---------
 system
(1 row)

Query 20220419_161711_00047_bu682, FINISHED, 1 node
Splits: 1 total, 1 done (100.00%)
0.22 [0 rows, 0B] [0 rows/s, 0B/s]
but should get an Access Denied failure when e.g. showing schemas:
trino> SHOW SCHEMAS From system;
Query 20220419_161650_00046_bu682 failed: Access Denied: Cannot show schemas
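The manual check above can be scripted so that the deny case is verified as strictly as the allow case. This is an added example, not part of the original repository: the function names and the TRINO_CLI, TRINO_SERVER and RUN_SMOKE_TEST variables are hypothetical, and it assumes the Trino CLI is run with --execute and exits non-zero when a statement fails.

```shell
#!/bin/sh
# Added example: authorization smoke test for the example policy.
# Defaults mirror the CLI invocation shown above; override via environment.
TRINO_CLI="${TRINO_CLI:-./trino-cli-403-executable.jar}"
TRINO_SERVER="${TRINO_SERVER:-http://localhost:8080}"

# run_as USER SQL: run one statement as USER, merging stderr into stdout
# so that the "Access Denied" message can be inspected by the caller.
run_as() {
  "$TRINO_CLI" --server "$TRINO_SERVER" --user="$1" --execute "$2" 2>&1
}

# expect USER allow|deny SQL: succeed only if the observed outcome matches.
# A failure without "Access Denied" (Trino or OPA unreachable, bad SQL) is
# reported as "error" and never counts as a policy denial.
expect() {
  local user="$1" want="$2" sql="$3" out rc got
  out="$(run_as "$user" "$sql")" && rc=0 || rc=$?
  if [ "$rc" -eq 0 ]; then
    got=allow
  elif printf '%s\n' "$out" | grep -q 'Access Denied'; then
    got=deny
  else
    got=error
  fi
  printf '%-6s want=%-5s got=%-5s %s\n' "$user" "$want" "$got" "$sql"
  [ "$got" = "$want" ]
}

# smoke_test: the four cases implied by the example policy description.
smoke_test() {
  local fail=0
  expect admin allow 'SHOW CATALOGS'            || fail=1
  expect admin allow 'SHOW SCHEMAS FROM system' || fail=1
  expect bob   allow 'SHOW CATALOGS'            || fail=1
  expect bob   deny  'SHOW SCHEMAS FROM system' || fail=1
  return "$fail"
}

# Only contact a live server when explicitly requested.
if [ "${RUN_SMOKE_TEST:-0}" = 1 ]; then
  smoke_test
fi
```

Run it with RUN_SMOKE_TEST=1 after Trino and OPA are up; a non-zero exit means the deployed policy no longer matches the behaviour described above.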
To build the Maven project, invoke
mvn clean package
Afterwards you will find the produced binaries in /home/sbernauer/stackabletech/trino-opa-authorizer/target/out/. Of particular interest is
-rw-rw-r-- 1 sbernauer sbernauer 33K Sep 15 09:53 /home/sbernauer/stackabletech/trino-opa-authorizer/target/out/trino-opa-authorizer-403-stackable0.1.0.jar
The small size is normal. We have to bundle all the produced jars to put them into a Trino setup. To achieve this, run
ln -s target/out/ trino-opa-authorizer
and (replace the version with your own!)
tar -czvf trino-opa-authorizer-403-stackable0.1.0.tar.gz ./trino-opa-authorizer/*
The resulting file size should be in the neighborhood of 80 MB:
$ ls -lah trino-opa-authorizer-*.gz
-rw-rw-r-- 1 sbernauer sbernauer 86M Sep 15 09:58 trino-opa-authorizer-403-stackable0.1.0.tar.gz