Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/stackabletech/trino-opa-authorizer

Last synced: 25 days ago
JSON representation

Host: GitHub
URL: https://github.com/stackabletech/trino-opa-authorizer
Owner: stackabletech
License: apache-2.0
Archived: true
Created: 2021-10-07T14:24:51.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2024-01-31T08:32:15.000Z (11 months ago)
Last Synced: 2024-11-09T08:02:10.508Z (about 1 month ago)
Language: Java
Size: 49.8 KB
Stars: 13
Watchers: 7
Forks: 5
Open Issues: 3
Metadata Files:
- Readme: README.adoc
- Changelog: CHANGELOG.md
- License: LICENSE

Awesome Lists containing this project

awesome-opa - Trino OPA Authorizer - Plugin for Trino that allows using OPA for authorization (Datasource Integrations / Blogs and Articles)

README

= trino-opa-authorizer

IMPORTANT: This repository has been archived and is not being maintained any more.
Development of this authorizer has been moved into the Trino project itself:
https://github.com/trinodb/trino/pull/19532

== Usage

=== OPA

Currently expects that Open Policy Agent is listening on http://localhost:8181. Run `opa run --log-level debug --server example.rego` in the repo folder to test an initial example.

=== Trino plugin

Assuming that you already have a Trino server set up.

1. Run `mvn package`
2. Copy (or symlink) `target/out` to `$TRINO_DIR/plugins/trino-opa-authorizer`
3. Copy (or symlink) `access-control.properties` to `$TRINO_DIR/etc/access-control.properties`
4. Start Trino

=== Tests

The tests assume that OPA is available on your path as `opa`, and can then be executed by running `mvn test`.

=== Example

The example `example.rego` allows the `admin` user to do everything. User `bob` is limited to run queries and access catalogs.

----
include::example.rego[]
----

This can be tested via the Trino CLI for the `admin` user:
----
./trino-cli-403-executable.jar --server http://localhost:8080 --user=admin
----
and for the user `bob`:
----
./trino-cli-403-executable.jar --server http://localhost:8080 --user=bob
----

When logged in as `bob` you should be able to run:
----
trino> SHOW CATALOGS;
Catalog
---------
system
(1 row)

Query 20220419_161711_00047_bu682, FINISHED, 1 node
Splits: 1 total, 1 done (100.00%)
0.22 [0 rows, 0B] [0 rows/s, 0B/s]

----
but should get an `Access Denied` failure when e.g. showing schemas:
----
trino> SHOW SCHEMAS From system;
Query 20220419_161650_00046_bu682 failed: Access Denied: Cannot show schemas
----

=== Building
To build the maven project invoke

```
mvn clean package
```

Afterwards you find the produced binaries in `/home/sbernauer/stackabletech/trino-opa-authorizer/target/out/`, especially out of interest is
```
-rw-rw-r-- 1 sbernauer sbernauer 33K Sep 15 09:53 /home/sbernauer/stackabletech/trino-opa-authorizer/target/out/trino-opa-authorizer-403-stackable0.1.0.jar
```
The small size is normal.
We have to bundle all the produced jars to put them into a Trino setup.
To achieve this run

```
ln -s target/out/ trino-opa-authorizer
```

and (you need to replace your version!)

```
tar -czvf trino-opa-authorizer-403-stackable0.1.0.tar.gz ./trino-opa-authorizer/*
```

Resulting file size should be in the neighborhood of 80 MB:
```
$ ls -lah trino-opa-authorizer-*.gz
-rw-rw-r-- 1 sbernauer sbernauer 86M Sep 15 09:58 trino-opa-authorizer-403-stackable0.1.0.tar.gz
```

=== Releasing
Releasing here is done by uploading the `trino-opa-authorizer-*-stackable0.1.0.tar.gz` into Nexus.