diff --git a/CHANGELOG.md b/CHANGELOG.md index d44dda94..16939c87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added + +- Added support for Trino 455 ([#638]). + ### Changed - Reduce CRD size from `984KB` to `131KB` by accepting arbitrary YAML input instead of the underlying schema for the following fields ([#631]): @@ -15,9 +19,14 @@ All notable changes to this project will be documented in this file. - Don't ignore envOverrides ([#633]). - Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]). +### Removed + +- Removed support for Trino 414 and 442 ([#638]). + [#631]: https://github.com/stackabletech/trino-operator/pull/631 [#633]: https://github.com/stackabletech/trino-operator/pull/633 [#634]: https://github.com/stackabletech/trino-operator/pull/634 +[#638]: https://github.com/stackabletech/trino-operator/pull/638 ## [24.7.0] - 2024-07-24 diff --git a/docs/modules/trino/examples/getting_started/code/trino.yaml b/docs/modules/trino/examples/getting_started/code/trino.yaml index e58a6c12..cb7eda66 100644 --- a/docs/modules/trino/examples/getting_started/code/trino.yaml +++ b/docs/modules/trino/examples/getting_started/code/trino.yaml @@ -5,7 +5,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/docs/modules/trino/examples/getting_started/code/trino.yaml.j2 b/docs/modules/trino/examples/getting_started/code/trino.yaml.j2 index e58a6c12..cb7eda66 100644 --- a/docs/modules/trino/examples/getting_started/code/trino.yaml.j2 +++ b/docs/modules/trino/examples/getting_started/code/trino.yaml.j2 @@ -5,7 +5,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml deleted file mode 100644 index 51fa6f4d..00000000 --- a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-414.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: opa-bundle-trino - labels: - opa.stackable.tech/bundle: "true" -data: - trino.rego: | - package trino - - import rego.v1 - - default allow = false - - allow if { - is_admin - } - - is_admin() if { - input.context.identity.user == "admin" - } diff --git a/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-new.yaml b/docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml similarity index 100% rename from docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-new.yaml rename to docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm.yaml diff --git a/docs/modules/trino/examples/usage-guide/trino-insecure.yaml b/docs/modules/trino/examples/usage-guide/trino-insecure.yaml index 7f87ae00..d6e79ab9 100644 --- a/docs/modules/trino/examples/usage-guide/trino-insecure.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-insecure.yaml @@ -17,7 +17,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/docs/modules/trino/examples/usage-guide/trino-secure-internal-tls.yaml b/docs/modules/trino/examples/usage-guide/trino-secure-internal-tls.yaml index d00435a5..9ba7e35c 100644 --- a/docs/modules/trino/examples/usage-guide/trino-secure-internal-tls.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-secure-internal-tls.yaml @@ -17,7 +17,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: tls: internalSecretClass: trino-internal-tls # <1> diff --git a/docs/modules/trino/examples/usage-guide/trino-secure-tls-only.yaml b/docs/modules/trino/examples/usage-guide/trino-secure-tls-only.yaml index 686ba672..92f587f9 100644 --- a/docs/modules/trino/examples/usage-guide/trino-secure-tls-only.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-secure-tls-only.yaml @@ -17,7 +17,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: tls: serverSecretClass: trino-tls # <1> diff --git a/docs/modules/trino/examples/usage-guide/trino-secure-tls.yaml b/docs/modules/trino/examples/usage-guide/trino-secure-tls.yaml index 1cecf6c6..a10f857d 100644 --- a/docs/modules/trino/examples/usage-guide/trino-secure-tls.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-secure-tls.yaml @@ -17,7 +17,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: tls: serverSecretClass: trino-tls # <1> diff --git a/docs/modules/trino/pages/usage-guide/catalogs/index.adoc b/docs/modules/trino/pages/usage-guide/catalogs/index.adoc index 53f50efa..bccb839b 100644 --- a/docs/modules/trino/pages/usage-guide/catalogs/index.adoc +++ b/docs/modules/trino/pages/usage-guide/catalogs/index.adoc @@ -72,7 +72,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/docs/modules/trino/pages/usage-guide/security.adoc b/docs/modules/trino/pages/usage-guide/security.adoc index 2ff86076..58335ec3 100644 --- a/docs/modules/trino/pages/usage-guide/security.adoc +++ b/docs/modules/trino/pages/usage-guide/security.adoc @@ -105,24 +105,10 @@ NOTE: For a production setup you will use something much more granular. We provide a detailed set of rego rules in our integration tests. Details can be found below in the <> section. -NOTE: Due to changes in the Trino OPA authorizer, rego rules differ between version 414 and newer versions. - -[tabs] -==== -414:: -+ -[source,yaml] ----- -include::example$usage-guide/opa-bundle-trino-cm-414.yaml[] ----- - -Newer than 414:: -+ [source,yaml] ---- -include::example$usage-guide/opa-bundle-trino-cm-new.yaml[] +include::example$usage-guide/opa-bundle-trino-cm.yaml[] ---- -==== Reference the package in the Trino cluster: diff --git a/docs/modules/trino/partials/supported-versions.adoc b/docs/modules/trino/partials/supported-versions.adoc index 211605c7..623a477a 100644 --- a/docs/modules/trino/partials/supported-versions.adoc +++ b/docs/modules/trino/partials/supported-versions.adoc @@ -2,6 +2,5 @@ // This is a separate file, since it is used by both the direct Trino documentation, and the overarching // Stackable Platform documentation. +- 455 - 451 (LTS) -- 442 (deprecated) -- 414 (deprecated) diff --git a/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml b/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml index c2e4340e..a741763e 100644 --- a/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml +++ b/examples/simple-trino-cluster-authentication-opa-authorization-s3.yaml @@ -5,7 +5,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: authentication: - authenticationClass: simple-trino-users @@ -66,22 +66,22 @@ data: trino.rego: | package trino - import future.keywords.in + import rego.v1 default allow = false # Allow non-batched access - allow { + allow_if { is_admin } # Allow batched access - extended[i] { + batch contains i if { some i input.action.filterResources[i] is_admin } # Corner case: filtering columns is done with a single table item, and many columns inside - extended[i] { + batch contains i if { some i input.action.operation == "FilterColumns" count(input.action.filterResources) == 1 @@ -90,22 +90,22 @@ data: } # Special rules for bob - allow { + allow if { input.action.operation in ["ExecuteQuery", "AccessCatalog"] is_bob } - extended[i] { + batch contains i if { input.action.operation in ["FilterCatalogs"] some i input.action.filterResources[i] is_bob } - is_admin() { + is_admin() if { input.context.identity.user == "admin" } - is_bob() { + is_bob() if { input.context.identity.user == "bob" } --- diff --git a/examples/simple-trino-cluster-hive-ha-s3.yaml b/examples/simple-trino-cluster-hive-ha-s3.yaml index 61b24544..91cc96ed 100644 --- a/examples/simple-trino-cluster-hive-ha-s3.yaml +++ b/examples/simple-trino-cluster-hive-ha-s3.yaml @@ -9,7 +9,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/examples/simple-trino-cluster-resource-limits.yaml b/examples/simple-trino-cluster-resource-limits.yaml index e8c6148a..e13ba843 100644 --- a/examples/simple-trino-cluster-resource-limits.yaml +++ b/examples/simple-trino-cluster-resource-limits.yaml @@ -5,7 +5,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} coordinators: diff --git a/examples/simple-trino-cluster-s3.yaml b/examples/simple-trino-cluster-s3.yaml index a7f914ef..cecfd4cb 100644 --- a/examples/simple-trino-cluster-s3.yaml +++ b/examples/simple-trino-cluster-s3.yaml @@ -7,7 +7,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/examples/simple-trino-cluster.yaml b/examples/simple-trino-cluster.yaml index 7efcbd32..a5bc5b30 100644 --- a/examples/simple-trino-cluster.yaml +++ b/examples/simple-trino-cluster.yaml @@ -5,7 +5,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/examples/simple-trino-oauth2.yaml b/examples/simple-trino-oauth2.yaml index 75ad9c59..adc9a3bd 100644 --- a/examples/simple-trino-oauth2.yaml +++ b/examples/simple-trino-oauth2.yaml @@ -91,7 +91,7 @@ metadata: name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: authentication: - authenticationClass: simple-trino-oidc diff --git a/rust/crd/src/affinity.rs b/rust/crd/src/affinity.rs index acb1e9a8..48a50fda 100644 --- a/rust/crd/src/affinity.rs +++ b/rust/crd/src/affinity.rs @@ -112,7 +112,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: @@ -199,7 +199,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 428cb438..fad28066 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -875,7 +875,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} "#; @@ -890,7 +890,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} tls: @@ -907,7 +907,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} tls: @@ -925,7 +925,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} tls: @@ -945,7 +945,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} "#; @@ -960,7 +960,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} tls: @@ -977,7 +977,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} tls: @@ -998,7 +998,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} "#; @@ -1018,7 +1018,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} workers: @@ -1044,7 +1044,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: {} workers: diff --git a/rust/operator-binary/src/authorization/opa.rs b/rust/operator-binary/src/authorization/opa.rs index af592356..39a23a29 100644 --- a/rust/operator-binary/src/authorization/opa.rs +++ b/rust/operator-binary/src/authorization/opa.rs @@ -2,24 +2,18 @@ use std::collections::BTreeMap; use stackable_operator::{ client::Client, - commons::{ - opa::{OpaApiVersion, OpaConfig}, - product_image_selection::ResolvedProductImage, - }, + commons::opa::{OpaApiVersion, OpaConfig}, }; use stackable_trino_crd::TrinoCluster; -const PRODUCT_VERSIONS_WITH_OLD_AUTHORIZER: [&str; 1] = ["414"]; - pub struct TrinoOpaConfig { - opa_authorizer_name: String, /// URI for OPA policies, e.g. /// `http://localhost:8081/v1/data/trino/allow` non_batched_connection_string: String, /// URI for Batch OPA policies, e.g. /// `http://localhost:8081/v1/data/trino/batch` - if not set, a /// single request will be sent for each entry on filtering methods - batched_connection_string: Option, + batched_connection_string: String, /// URI for fetching row filters, e.g. /// `http://localhost:8081/v1/data/trino/rowFilters` - if not set, /// no row filtering will be applied @@ -39,86 +33,59 @@ impl TrinoOpaConfig { pub async fn from_opa_config( client: &Client, trino: &TrinoCluster, - resolved_product_image: &ResolvedProductImage, opa_config: &OpaConfig, ) -> Result { - if PRODUCT_VERSIONS_WITH_OLD_AUTHORIZER - .contains(&resolved_product_image.product_version.as_str()) - { - // TODO: Can be removed after 23.11 has been released, - // as support for these versions will be marked deprecated in 23.7. - // Please also change `TrinoOpaConfig::batched_connection_string` to `String` - // and remove `TrinoOpaConfig::opa_authorizer_name`! - let non_batched_connection_string = opa_config - .full_document_url_from_config_map(client, trino, Some("allow"), OpaApiVersion::V1) - .await?; - Ok(TrinoOpaConfig { - opa_authorizer_name: "tech.stackable.trino.opa.OpaAuthorizer".to_string(), - non_batched_connection_string, - batched_connection_string: None, - row_filters_connection_string: None, - column_masking_connection_string: None, - allow_permission_management_operations: false, - }) - } else { - let non_batched_connection_string = opa_config - .full_document_url_from_config_map(client, trino, Some("allow"), OpaApiVersion::V1) - .await?; - let batched_connection_string = opa_config - .full_document_url_from_config_map( - client, - trino, - // Sticking to example https://trino.io/docs/current/security/opa-access-control.html - Some("batch"), - OpaApiVersion::V1, - ) - .await?; - let row_filters_connection_string = opa_config - .full_document_url_from_config_map( - client, - trino, - // Sticking to https://github.com/trinodb/trino/blob/442/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L44 - Some("rowFilters"), - OpaApiVersion::V1, - ) - .await?; - let column_masking_connection_string = opa_config - .full_document_url_from_config_map( - client, - trino, - // Sticking to https://github.com/trinodb/trino/blob/442/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L45 - Some("columnMask"), - OpaApiVersion::V1, - ) - .await?; - Ok(TrinoOpaConfig { - opa_authorizer_name: "opa".to_string(), - non_batched_connection_string, - batched_connection_string: Some(batched_connection_string), - row_filters_connection_string: Some(row_filters_connection_string), - column_masking_connection_string: Some(column_masking_connection_string), - allow_permission_management_operations: true, - }) - } + let non_batched_connection_string = opa_config + .full_document_url_from_config_map(client, trino, Some("allow"), OpaApiVersion::V1) + .await?; + let batched_connection_string = opa_config + .full_document_url_from_config_map( + client, + trino, + // Sticking to example https://trino.io/docs/current/security/opa-access-control.html + Some("batch"), + OpaApiVersion::V1, + ) + .await?; + let row_filters_connection_string = opa_config + .full_document_url_from_config_map( + client, + trino, + // Sticking to https://github.com/trinodb/trino/blob/455/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L46 + Some("rowFilters"), + OpaApiVersion::V1, + ) + .await?; + let column_masking_connection_string = opa_config + .full_document_url_from_config_map( + client, + trino, + // Sticking to https://github.com/trinodb/trino/blob/455/plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlDataFilteringSystem.java#L47 + Some("columnMask"), + OpaApiVersion::V1, + ) + .await?; + Ok(TrinoOpaConfig { + non_batched_connection_string, + batched_connection_string, + row_filters_connection_string: Some(row_filters_connection_string), + column_masking_connection_string: Some(column_masking_connection_string), + allow_permission_management_operations: true, + }) } pub fn as_config(&self) -> BTreeMap> { let mut config = BTreeMap::from([ - ( - "access-control.name".to_string(), - Some(self.opa_authorizer_name.to_string()), - ), + ("access-control.name".to_string(), Some("opa".to_string())), ( "opa.policy.uri".to_string(), Some(self.non_batched_connection_string.clone()), ), - ]); - if let Some(batched_connection_string) = &self.batched_connection_string { - config.insert( + ( "opa.policy.batched-uri".to_string(), - Some(batched_connection_string.clone()), - ); - } + Some(self.batched_connection_string.clone()), + ), + ]); if let Some(row_filters_connection_string) = &self.row_filters_connection_string { config.insert( "opa.policy.row-filters-uri".to_string(), diff --git a/rust/operator-binary/src/config/jvm.rs b/rust/operator-binary/src/config/jvm.rs index 5e3bcb55..427e0cea 100644 --- a/rust/operator-binary/src/config/jvm.rs +++ b/rust/operator-binary/src/config/jvm.rs @@ -1,4 +1,4 @@ -// As of 2024-07-05 we support multiple Trino versions. Some using Java 17, some Java 21 and the latest (451) uses Java 22. +// As of 2024-07-05 we support multiple Trino versions. Some using Java 17, some Java 21 and the latest (455) uses Java 22. // This requires a different JVM config use indoc::formatdoc; use snafu::{OptionExt, ResultExt, Snafu}; @@ -32,7 +32,7 @@ pub enum Error { TrinoVersionNotSupported { version: String }, } -// Currently works for all supported versions (414, 442, 451 as of 2024-07-05) but maybe be changed +// Currently works for all supported versions (451 and 455 as of 2024-09-04) but maybe be changed // in the future depending on the role and version. pub fn jvm_config( resolved_product_image: &ResolvedProductImage, @@ -61,37 +61,8 @@ pub fn jvm_config( )?; match resolved_product_image.product_version.as_str() { - // Copied from https://trino.io/docs/414/installation/deployment.html - "414" => Ok(formatdoc!( - "-server - -Xms{heap} - -Xmx{heap} - - -XX:InitialRAMPercentage=80 - -XX:MaxRAMPercentage=80 - -XX:G1HeapRegionSize=32M - -XX:+ExplicitGCInvokesConcurrent - -XX:+ExitOnOutOfMemoryError - -XX:+HeapDumpOnOutOfMemoryError - -XX:-OmitStackTraceInFastThrow - -XX:ReservedCodeCacheSize=512M - -XX:PerMethodRecompilationCutoff=10000 - -XX:PerBytecodeRecompilationCutoff=10000 - -Djdk.attach.allowAttachSelf=true - -Djdk.nio.maxCachedBufferSize=2000000 - -XX:+UnlockDiagnosticVMOptions - -XX:+UseAESCTRIntrinsics - # Disable Preventive GC for performance reasons (JDK-8293861) - -XX:-G1UsePreventiveGC - - -Djavax.net.ssl.trustStore={STACKABLE_CLIENT_TLS_DIR}/truststore.p12 - -Djavax.net.ssl.trustStorePassword={STACKABLE_TLS_STORE_PASSWORD} - -Djavax.net.ssl.trustStoreType=pkcs12 - -Djava.security.properties={RW_CONFIG_DIR_NAME}/{JVM_SECURITY_PROPERTIES} - ", - )), - // Copied from https://trino.io/docs/442/installation/deployment.html - "442" => Ok(formatdoc!( + // Copied from https://trino.io/docs/451/installation/deployment.html + "451" => Ok(formatdoc!( "-server -Xms{heap} -Xmx{heap} @@ -109,11 +80,11 @@ pub fn jvm_config( -Djdk.attach.allowAttachSelf=true -Djdk.nio.maxCachedBufferSize=2000000 -Dfile.encoding=UTF-8 - # Reduce starvation of threads by GClocker, recommend to set about the number of cpu cores (JDK-8192647) - -XX:+UnlockDiagnosticVMOptions - -XX:GCLockerRetryAllocationCount=32 # Allow loading dynamic agent used by JOL -XX:+EnableDynamicAgentLoading + # https://bugs.openjdk.org/browse/JDK-8329528 + -XX:+UnlockDiagnosticVMOptions + -XX:G1NumCollectionsKeepPinned=10000000 -Djavax.net.ssl.trustStore={STACKABLE_CLIENT_TLS_DIR}/truststore.p12 -Djavax.net.ssl.trustStorePassword={STACKABLE_TLS_STORE_PASSWORD} @@ -121,8 +92,8 @@ pub fn jvm_config( -Djava.security.properties={RW_CONFIG_DIR_NAME}/{JVM_SECURITY_PROPERTIES} ", )), - // Copied from https://trino.io/docs/451/installation/deployment.html - "451" => Ok(formatdoc!( + // Copied from https://trino.io/docs/455/installation/deployment.html#jvm-config + "455" => Ok(formatdoc!( "-server -Xms{heap} -Xmx{heap} @@ -142,9 +113,6 @@ pub fn jvm_config( -Dfile.encoding=UTF-8 # Allow loading dynamic agent used by JOL -XX:+EnableDynamicAgentLoading - # https://bugs.openjdk.org/browse/JDK-8329528 - -XX:+UnlockDiagnosticVMOptions - -XX:G1NumCollectionsKeepPinned=10000000 -Djavax.net.ssl.trustStore={STACKABLE_CLIENT_TLS_DIR}/truststore.p12 -Djavax.net.ssl.trustStorePassword={STACKABLE_TLS_STORE_PASSWORD} @@ -152,6 +120,9 @@ pub fn jvm_config( -Djava.security.properties={RW_CONFIG_DIR_NAME}/{JVM_SECURITY_PROPERTIES} ", )), - _ => TrinoVersionNotSupportedSnafu{ version: resolved_product_image.product_version.clone() }.fail(), + _ => TrinoVersionNotSupportedSnafu { + version: resolved_product_image.product_version.clone(), + } + .fail(), } } diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index 6438d734..6d96f26a 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -417,7 +417,7 @@ pub async fn reconcile_trino(trino: Arc, ctx: Arc) -> Result< let trino_opa_config = match trino.get_opa_config() { Some(opa_config) => Some( - TrinoOpaConfig::from_opa_config(client, &trino, &resolved_product_image, opa_config) + TrinoOpaConfig::from_opa_config(client, &trino, opa_config) .await .context(InvalidOpaConfigSnafu)?, ), @@ -1498,7 +1498,7 @@ mod tests { name: simple-trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: @@ -1636,7 +1636,7 @@ mod tests { name: trino spec: image: - productVersion: "451" + productVersion: "455" clusterConfig: catalogLabelSelector: matchLabels: @@ -1662,7 +1662,7 @@ mod tests { let validated_config = validated_product_config( &trino, - "451.0.0", + "455.0.0", &ProductConfigManager::from_yaml_file("../../deploy/config-spec/properties.yaml") .unwrap(), ) diff --git a/tests/templates/kuttl/opa-authorization/trino_rules/requested_permissions_test.rego b/tests/templates/kuttl/opa-authorization/trino_rules/requested_permissions_test.rego index e62c89a0..4b4039f5 100644 --- a/tests/templates/kuttl/opa-authorization/trino_rules/requested_permissions_test.rego +++ b/tests/templates/kuttl/opa-authorization/trino_rules/requested_permissions_test.rego @@ -285,7 +285,7 @@ testcontext := { "groups": ["testgroup1", "testgroup2"], "user": "testuser", }, - "softwareStack": {"trinoVersion": "451"}, + "softwareStack": {"trinoVersion": "455"}, } test_access_filter_catalog if { diff --git a/tests/templates/kuttl/opa-authorization/trino_rules/verification.rego b/tests/templates/kuttl/opa-authorization/trino_rules/verification.rego index 254d3150..688c2e65 100644 --- a/tests/templates/kuttl/opa-authorization/trino_rules/verification.rego +++ b/tests/templates/kuttl/opa-authorization/trino_rules/verification.rego @@ -43,7 +43,7 @@ import rego.v1 # "groups": ["group1", ...], # "user": "username", # }, -# "softwareStack": {"trinoVersion": "451"}, +# "softwareStack": {"trinoVersion": "455"}, # } # } # @@ -193,7 +193,7 @@ allow if { # "groups": ["group1", ...], # "user": "username", # }, -# "softwareStack": {"trinoVersion": "451"}, +# "softwareStack": {"trinoVersion": "455"}, # } # } # @@ -254,7 +254,7 @@ batch contains index if { # "groups": ["group1", ...], # "user": "username", # }, -# "softwareStack": {"trinoVersion": "451"}, +# "softwareStack": {"trinoVersion": "455"}, # } # } # @@ -319,7 +319,7 @@ columnMask := column_mask if { # "groups": ["group1", ...], # "user": "username", # }, -# "softwareStack": {"trinoVersion": "451"}, +# "softwareStack": {"trinoVersion": "455"}, # } # } # diff --git a/tests/templates/kuttl/opa-authorization/trino_rules/verification_test.rego b/tests/templates/kuttl/opa-authorization/trino_rules/verification_test.rego index 9463292c..87131b0c 100644 --- a/tests/templates/kuttl/opa-authorization/trino_rules/verification_test.rego +++ b/tests/templates/kuttl/opa-authorization/trino_rules/verification_test.rego @@ -15,7 +15,7 @@ testcontext := { "groups": ["testgroup1", "testgroup2"], "user": "testuser", }, - "softwareStack": {"trinoVersion": "451"}, + "softwareStack": {"trinoVersion": "455"}, } test_allow_with_authorization_request if { diff --git a/tests/templates/kuttl/smoke/09-install-opa.yaml.j2 b/tests/templates/kuttl/smoke/09-install-opa.yaml.j2 index 6fca89de..6bc80ba0 100644 --- a/tests/templates/kuttl/smoke/09-install-opa.yaml.j2 +++ b/tests/templates/kuttl/smoke/09-install-opa.yaml.j2 @@ -22,35 +22,6 @@ metadata: labels: opa.stackable.tech/bundle: "trino" data: -{% if test_scenario['values']['trino'] in ["414"] %} - trino.rego: | - package trino - - import rego.v1 - - default allow = false - - allow if { - is_admin - } - - allow if { - is_bob - can_be_accessed_by_bob - } - - is_admin() if { - input.context.identity.user == "admin" - } - - is_bob() if { - input.context.identity.user == "bob" - } - - can_be_accessed_by_bob() if { - input.action.operation in ["ImpersonateUser", "FilterCatalogs", "AccessCatalog", "ExecuteQuery"] - } -{% else %} trino.rego: | package trino @@ -85,4 +56,3 @@ data: is_bob() if { input.context.identity.user == "bob" } -{% endif %} diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index 7b4f229e..d0434309 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml @@ -13,12 +13,11 @@ dimensions: - name: trino values: - - "414" - - "442" - "451" + - "455" - name: trino-latest values: - - "451" + - "455" - name: hive values: - 3.1.3