update documentation and tests

docs/modules/trino/pages/usage-guide/security.adoc

@@ -105,24 +105,10 @@ NOTE: For a production setup you will use something much more granular.
 We provide a detailed set of rego rules in our integration tests.
 Details can be found below in the <<fine-granular-rego-rules, fine-granular rego rule>> section.
 
-NOTE: Due to changes in the Trino OPA authorizer, rego rules differ between version 414 and newer versions.
-
-[tabs]
-====
-414::
-+
-[source,yaml]
-----
-include::example$usage-guide/opa-bundle-trino-cm-414.yaml[]
-----
-
-Newer than 414::
-+
 [source,yaml]
 ----
-include::example$usage-guide/opa-bundle-trino-cm-new.yaml[]
+include::example$usage-guide/opa-bundle-trino-cm.yaml[]
 ----
-====
 
 Reference the package in the Trino cluster:
 

docs/modules/trino/partials/supported-versions.adoc

@@ -2,6 +2,5 @@
 // This is a separate file, since it is used by both the direct Trino documentation, and the overarching
 // Stackable Platform documentation.
 
+- 455
 - 451 (LTS)
-- 442 (deprecated)
-- 414 (deprecated)

examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml

@@ -66,22 +66,22 @@ data:
   trino.rego: |
     package trino
 
-    import future.keywords.in
+    import rego.v1
 
     default allow = false
 
     # Allow non-batched access
-    allow {
+    allow_if {
       is_admin
     }
     # Allow batched access
-    extended[i] {
+    batch contains i if {
       some i
       input.action.filterResources[i]
       is_admin
     }
     # Corner case: filtering columns is done with a single table item, and many columns inside
-    extended[i] {
+    batch contains i if {
       some i
       input.action.operation == "FilterColumns"
       count(input.action.filterResources) == 1
@@ -90,22 +90,22 @@ data:
     }
 
     # Special rules for bob
-    allow {
+    allow if {
       input.action.operation in ["ExecuteQuery", "AccessCatalog"]
       is_bob
     }
-    extended[i] {
+    batch contains i if {
       input.action.operation in ["FilterCatalogs"]
       some i
       input.action.filterResources[i]
       is_bob
     }
 
-    is_admin() {
+    is_admin() if {
       input.context.identity.user == "admin"
     }
 
-    is_bob() {
+    is_bob() if {
       input.context.identity.user == "bob"
     }
 ---

rust/operator-binary/src/authorization/opa.rs

@@ -51,7 +51,7 @@ impl TrinoOpaConfig {
             .full_document_url_from_config_map(
                 client,
                 trino,
-                // Sticking to https://github.com/trinodb/trino/blob/442/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L44
+                // Sticking to https://github.com/trinodb/trino/blob/455/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L46
                 Some("rowFilters"),
                 OpaApiVersion::V1,
             )
@@ -60,7 +60,7 @@ impl TrinoOpaConfig {
             .full_document_url_from_config_map(
                 client,
                 trino,
-                // Sticking to https://github.com/trinodb/trino/blob/442/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L45
+                // Sticking to https://github.com/trinodb/trino/blob/455/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L47
                 Some("columnMask"),
                 OpaApiVersion::V1,
             )

rust/operator-binary/src/config/jvm.rs

@@ -1,4 +1,4 @@
-// As of 2024-07-05 we support multiple Trino versions. Some using Java 17, some Java 21 and the latest (451) uses Java 22.
+// As of 2024-07-05 we support multiple Trino versions. Some using Java 17, some Java 21 and the latest (455) uses Java 22.
 // This requires a different JVM config
 use indoc::formatdoc;
 use snafu::{OptionExt, ResultExt, Snafu};

rust/operator-binary/src/controller.rs

@@ -1636,7 +1636,7 @@ mod tests {
           name: trino
         spec:
           image:
-            productVersion: "451"
+            productVersion: "455"
           clusterConfig:
             catalogLabelSelector:
               matchLabels:
@@ -1662,7 +1662,7 @@ mod tests {
 
         let validated_config = validated_product_config(
             &trino,
-            "451.0.0",
+            "455.0.0",
             &ProductConfigManager::from_yaml_file("../../deploy/config-spec/properties.yaml")
                 .unwrap(),
         )

tests/templates/kuttl/opa-authorization/trino_rules/requested_permissions_test.rego

@@ -285,7 +285,7 @@ testcontext := {
 		"groups": ["testgroup1", "testgroup2"],
 		"user": "testuser",
 	},
-	"softwareStack": {"trinoVersion": "451"},
+	"softwareStack": {"trinoVersion": "455"},
 }
 
 test_access_filter_catalog if {

tests/templates/kuttl/opa-authorization/trino_rules/verification.rego

@@ -43,7 +43,7 @@ import rego.v1
 #         "groups": ["group1", ...],
 #         "user": "username",
 #       },
-#       "softwareStack": {"trinoVersion": "451"},
+#       "softwareStack": {"trinoVersion": "455"},
 #     }
 #   }
 #
@@ -193,7 +193,7 @@ allow if {
 #         "groups": ["group1", ...],
 #         "user": "username",
 #       },
-#       "softwareStack": {"trinoVersion": "451"},
+#       "softwareStack": {"trinoVersion": "455"},
 #     }
 #   }
 #
@@ -254,7 +254,7 @@ batch contains index if {
 #         "groups": ["group1", ...],
 #         "user": "username",
 #       },
-#       "softwareStack": {"trinoVersion": "451"},
+#       "softwareStack": {"trinoVersion": "455"},
 #     }
 #   }
 #
@@ -319,7 +319,7 @@ columnMask := column_mask if {
 #         "groups": ["group1", ...],
 #         "user": "username",
 #       },
-#       "softwareStack": {"trinoVersion": "451"},
+#       "softwareStack": {"trinoVersion": "455"},
 #     }
 #   }
 #

tests/templates/kuttl/opa-authorization/trino_rules/verification_test.rego

@@ -15,7 +15,7 @@ testcontext := {
 		"groups": ["testgroup1", "testgroup2"],
 		"user": "testuser",
 	},
-	"softwareStack": {"trinoVersion": "451"},
+	"softwareStack": {"trinoVersion": "455"},
 }
 
 test_allow_with_authorization_request if {

tests/templates/kuttl/smoke/09-install-opa.yaml.j2

@@ -22,35 +22,6 @@ metadata:
   labels:
     opa.stackable.tech/bundle: "trino"
 data:
-{% if test_scenario['values']['trino'] in [414] %}
-  trino.rego: |
-    package trino
-
-    import rego.v1
-
-    default allow = false
-
-    allow if {
-      is_admin
-    }
-
-    allow if {
-      is_bob
-      can_be_accessed_by_bob
-    }
-
-    is_admin() if {
-      input.context.identity.user == "admin"
-    }
-
-    is_bob() if {
-      input.context.identity.user == "bob"
-    }
-
-    can_be_accessed_by_bob() if {
-      input.action.operation in ["ImpersonateUser", "FilterCatalogs", "AccessCatalog", "ExecuteQuery"]
-    }
-{% else  %}
   trino.rego: |
     package trino
 
@@ -85,4 +56,3 @@ data:
     is_bob() if {
       input.context.identity.user == "bob"
     }
-{% endif %}