Context: We want to move from our - honestly early stage - authorizer to the one Bloomberg build.
It has a much nicer API and allows to batch multiple requests as well.
Long-term we want to have our custom CRDs e.g. TableGrant, SchemaGrant, CatalogGrant, which trino-operator consumes and automatically translates into OPA regorules similar to this, as it's rather complicated to write you own rego-rules.
### Tasks
- [ ] https://github.com/stackabletech/docker-images/pull/410
- [ ] https://github.com/stackabletech/trino-operator/pull/444
- [ ] Add a note to our opa operator readme to say that it is going to be deprecated in favor of upstream
- [ ] Update the Authorization docs page: https://docs.stackable.tech/home/stable/trino/usage-guide/security#_authorization
Context: We want to move from our - honestly early stage - authorizer to the one Bloomberg build. It has a much nicer API and allows to batch multiple requests as well.
Long-term we want to have our custom CRDs e.g.
TableGrant
,SchemaGrant
,CatalogGrant
, which trino-operator consumes and automatically translates into OPA regorules similar to this, as it's rather complicated to write you own rego-rules.Upstream PR at Trino: ~https://github.com/trinodb/trino/pull/17940~ - replaced by https://github.com/trinodb/trino/pull/19532.
Row level filtering and data masking PR: https://github.com/bloomberg/trino/pull/16
Current state https://github.com/sbernauer/trino/tree/add-open-policy-agent (mainline) (especially the rego rules, https://github.com/sbernauer/trino/tree/add-open-policy-agent (squashed for easier backporting) and https://github.com/sbernauer/trino/tree/414-with-opa (for 414-with-trino)