From d922089888c76c74ab3b212e0a5b107605ca6715 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Thu, 2 Nov 2023 11:34:55 +0100
Subject: [PATCH] Document different regorules for v414 and v428 due to authorizer changes

---
 ...o-cm.yaml => opa-bundle-trino-cm-414.yaml} | 0
 .../usage-guide/opa-bundle-trino-cm-428.yaml | 27 +++++++++++++++++++
 .../trino/pages/usage-guide/security.adoc | 13 ++++++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 rename docs/modules/trino/examples/usage-guide/{opa-bundle-trino-cm.yaml => opa-bundle-trino-cm-414.yaml} (100%)
 create mode 100644 docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml

diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml
similarity index 100%
rename from docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml
rename to docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml
diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
new file mode 100644
index 00000000..df1526e3
--- /dev/null
+++ b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: opa-bundle-trino
+ labels:
+ opa.stackable.tech/bundle: "true"
+data:
+ trino.rego: |
+ package trino
+
+ import future.keywords.in
+
+ default allow = false
+
+ allow {
+ is_admin
+ }
+ extended[i] {
+ some i
+ input.action.filterResources[i]
+ is_admin
+ }
+
+ is_admin() {
+ input.context.identity.user == "admin"
+ }
diff --git a/docs/modules/trino/pages/usage-guide/security.adoc b/docs/modules/trino/pages/usage-guide/security.adoc
index 0b8b2f75..2c410143 100644
--- a/docs/modules/trino/pages/usage-guide/security.adoc
+++ b/docs/modules/trino/pages/usage-guide/security.adoc
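Review bot: `import future.keywords.in` in the new rego policy is never used — no `in` expression appears in any of the rules — so the import line can be dropped. The roles of the two rules are also left undocumented: `allow` answers the single-action check, while `extended[i]` is, as far as the batch-mode link in the adoc hunk suggests, the rule that returns the indices of `input.action.filterResources` the admin user may keep; a short comment above each, e.g. `# batch mode: return every index of filterResources for the admin user`, would spare readers comparing this file against the 414 variant, whose content is not visible here. Since the ConfigMap keeps `name: opa-bundle-trino`, it presumably collides with the 414 example when both are applied to the same namespace, which is worth a comment in the file or in the adoc stating that only one of the two examples is meant to be applied.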
@@ -74,9 +74,20 @@ In the Trino CLI and web interface, LDAP users can now be used to log in.
 In order to authorize Trino via OPA, a ConfigMap containing a rego rule package for Trino has to be applied and referenced in the TrinoCluster resource.
 The following example is an all-access Rego rule for testing with the user `admin`. Do not use it in production!
 
+NOTE: Due to changes in the Trino OPA authorizer, rego rules differ from Version 414 and 428. The OPA authorizer will become part of the Trino package once this https://github.com/trinodb/trino/pull/19532[pull request] is merged. The stackable Trino version 428 already uses that new OPA authorizer and utilizes https://github.com/bloomberg/trino/blob/add-open-policy-agent/plugin/trino-opa/README.md#batch-mode[batch mode]. This is under active development and is not stable yet!
+
+=== Rego for Trino version 414
+
+[source,yaml]
+----
+include::example$usage-guide/opa-bundle-trino-cm-414.yaml[]
+----
+
+=== Rego for Trino version 428
+
 [source,yaml]
 ----
-include::example$usage-guide/opa-bundle-trino-cm.yaml[]
+include::example$usage-guide/opa-bundle-trino-cm-428.yaml[]
 ----
 
 Reference the package in the Trino cluster: