erikerlandson
commented
3 years ago Another promising approach is to write a trino GroupProvider plugin that does what we want.
xref: https://github.com/trinodb/trino/issues/9835
An example of such a plugin implementation, for LDAP, is here: https://github.com/arghya18/trino-group-provider-ldap-ad
An example of github rest api (this is exposing trino catalog, not a group-provider): https://github.com/nineinchnick/trino-rest/blob/master/trino-rest-github/src/main/java/pl/net/was/rest/github/GithubRest.java#L1172
Based on that example, a similar plugin that used github api instead of ldap api would be simple enough to be feasible.
caldeirav
@MichaelTiemannOSC asked if changes to team memberships could automatically trigger workflows. The use case was keeping team memberships and trino access control synchronized.
This is the list of categories of "event" that can trigger a github workflow: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
I don't see any triggers that directly map to "change to team members" but one could probably contrive an issue-based system that triggers a workflow which both updates team members and creates a pull-request to make some corresponding change to a trino policy config.
It might be advantageous to focus on how this could be accomplished in a world where we are using Ranger.
See also trino
GroupProviderplugin concept, below.