diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml
similarity index 100%
rename from docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml
rename to docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml
diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
new file mode 100644
index 00000000..df1526e3
--- /dev/null
+++ b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: opa-bundle-trino
+ labels:
+ opa.stackable.tech/bundle: "true"
+data:
+ trino.rego: |
+ package trino
+
+ import future.keywords.in
+
+ default allow = false
+
+ allow {
+ is_admin
+ }
+ extended[i] {
+ some i
+ input.action.filterResources[i]
+ is_admin
+ }
+
+ is_admin() {
+ input.context.identity.user == "admin"
+ }
diff --git a/docs/modules/trino/pages/usage-guide/security.adoc b/docs/modules/trino/pages/usage-guide/security.adoc
index 0b8b2f75..2c410143 100644
--- a/docs/modules/trino/pages/usage-guide/security.adoc
+++ b/docs/modules/trino/pages/usage-guide/security.adoc
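Review bot: The batch-mode rule `extended[i]` in the new opa-bundle-trino-cm-428.yaml is rendered verbatim into security.adoc, yet nothing in the bundle says what its result means next to the boolean `allow`; a Rego comment above it would help, e.g. `# batch mode: yields the indices of input.action.filterResources the caller is permitted to see`. A second comment above `is_admin()` would be worth adding, stating that both rules hinge on a plain string match of `input.context.identity.user` against "admin" with no group or authentication check, which is why the guide labels the rule as for testing only. Separately, `is_admin` is declared with `()` but referenced bare in `allow` and `extended`; if OPA treats that head as a zero-argument function rather than a plain rule, the bare references may not resolve as intended, so it is worth confirming the bundle evaluates as expected before it is documented as the 428 example.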
@@ -74,9 +74,20 @@ In the Trino CLI and web interface, LDAP users can now be used to log in.
 In order to authorize Trino via OPA, a ConfigMap containing a rego rule package for Trino has to be applied and referenced in the TrinoCluster resource.
 The following example is an all-access Rego rule for testing with the user `admin`. Do not use it in production!
 
+NOTE: Due to changes in the Trino OPA authorizer, rego rules differ from Version 414 and 428. The OPA authorizer will become part of the Trino package once this https://github.com/trinodb/trino/pull/19532[pull request] is merged. The stackable Trino version 428 already uses that new OPA authorizer and utilizes https://github.com/bloomberg/trino/blob/add-open-policy-agent/plugin/trino-opa/README.md#batch-mode[batch mode]. This is under active development and is not stable yet!
+
+=== Rego for Trino version 414
+
+[source,yaml]
+----
+include::example$usage-guide/opa-bundle-trino-cm-414.yaml[]
+----
+
+=== Rego for Trino version 428
+
 [source,yaml]
 ----
-include::example$usage-guide/opa-bundle-trino-cm.yaml[]
+include::example$usage-guide/opa-bundle-trino-cm-428.yaml[]
 ----
 
 Reference the package in the Trino cluster: