From f4df95f93ada7e7fa08dcde103df00e75f846212 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Thu, 21 Dec 2023 13:00:21 +0100
Subject: [PATCH] docs: Add missing OPA rules for Trino batched API
---
 .../usage-guide/opa-bundle-trino-cm-428.yaml | 10 ++++++
 ...r-authentication-opa-authorization-s3.yaml | 31 +++++++++++++++++++++------
 2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
index df1526e3..a6336d29 100644
--- a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
+++ b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml
@@ -13,14 +13,24 @@ data:
 default allow = false
+ # Allow non-batched access
 allow {
 is_admin
 }
+ # Allow batched access
 extended[i] {
 some i
 input.action.filterResources[i]
 is_admin
 }
+ # Corner case: filtering columns is done with a single table item, and many columns inside
+ extended[i] {
+ some i
+ input.action.operation == "FilterColumns"
+ count(input.action.filterResources) == 1
+ input.action.filterResources[0].table.columns[i]
+ is_admin
+ }
 is_admin() {
 input.context.identity.user == "admin"
diff --git a/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml b/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml
index 04ab76ab..281c3d74 100644
--- a/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml
+++ b/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml
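Review bot: The new FilterColumns rule writes into the same `extended` set as the generic batched rule above it, and that generic rule carries no operation guard, so a FilterColumns request with a single table item also yields index 0 from the generic rule alongside the column indices from the new rule. For admin this appears harmless only because 0 is presumably also a valid column position when the plugin reads the indices as column offsets, which is what `columns[i]` in the new rule implies; it still couples the two rules, and anyone extending the pattern to a less-privileged identity would get two different index semantics in one set. Consider adding `input.action.operation != "FilterColumns"` to the generic batched rule, or at least a comment such as `# Note: for FilterColumns the batched rule above also contributes index 0 to this set`. The same pair of rules is duplicated verbatim in the second hunk (examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml), so the same remark applies there. The `is_admin` definition continues outside this hunk.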
@@ -70,24 +70,35 @@ data:
 default allow = false
+ # Allow non-batched access
 allow {
- is_admin
+ is_admin
 }
+ # Allow batched access
 extended[i] {
- some i
- input.action.filterResources[i]
- is_admin
+ some i
+ input.action.filterResources[i]
+ is_admin
+ }
+ # Corner case: filtering columns is done with a single table item, and many columns inside
+ extended[i] {
+ some i
+ input.action.operation == "FilterColumns"
+ count(input.action.filterResources) == 1
+ input.action.filterResources[0].table.columns[i]
+ is_admin
 }
+ # Special rules for bob
 allow {
- input.action.operation in ["ExecuteQuery", "AccessCatalog"]
- is_bob
+ input.action.operation in ["ExecuteQuery", "AccessCatalog"]
+ is_bob
 }
 extended[i] {
- input.action.operation in ["FilterCatalogs"]
- some i
- input.action.filterResources[i]
- is_bob
+ input.action.operation in ["FilterCatalogs"]
+ some i
+ input.action.filterResources[i]
+ is_bob
 }
 is_admin() {
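Review bot: Bob's batched `extended[i]` rule for FilterCatalogs is the only rule in this hunk left without a header comment after the admin rules gained `# Allow non-batched access` and `# Allow batched access`; a one-liner such as `# Allow bob to see catalogs in batched FilterCatalogs requests` would keep both identities documented the same way. Neither of bob's rules covers FilterColumns, so a FilterColumns request from bob appears to leave `extended` empty and bob sees no columns; a short comment stating that this is intended would stop readers from treating it as the same omission this commit fixes for admin. The `is_admin` definition starts on the hunk's last line and continues outside it.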