feat: added ability to use custom accessControl (eg. OPA)
dantonbertuol committed Aug 16, 2024
1 parent 3454e3f commit 2b67df6
Showing 4 changed files with 69 additions and 43 deletions.
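--- a/charts/trino/README.md
+++ b/charts/trino/README.md
@@ -85,7 +85,14 @@ Fast distributed SQL query engine for big data analytics that helps you explore
 ```
 * `accessControl` - object, default: `{}`
 
-[System access control](https://trino.io/docs/current/security/built-in-system-access-control.html) configuration.
+[System access control](https://trino.io/docs/current/security/built-in-system-access-control.html) configuration.<br> `type: configmap | custom`<br> Custom Values Example:
+```yaml
+type: custom
+customValues: |
+access-control.name=custom-access-control
+access-control.custom_key=custom_value
+```
+ConfigMap Values
 Example:
 ```yaml
 type: configmap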
10 changes: 8 additions & 2 deletions charts/trino/templates/configmap-coordinator.yaml
Expand Up @@ -80,14 +80,20 @@ data:
{{- .Values.server.coordinatorExtraConfig | nindent 4 }}
{{- end }}
{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
{{- if .Values.accessControl }}
{{- if eq .Values.accessControl.type "configmap" }}
access-control.properties: |
access-control.name=file
{{- if .Values.accessControl.refreshPeriod }}
security.refresh-period={{ .Values.accessControl.refreshPeriod }}
{{- end }}
security.config-file={{ .Values.server.config.path }}/access-control/{{ .Values.accessControl.configFile | default "rules.json" }}
{{- end }}{{- end }}
{{- end }}
{{- if eq .Values.accessControl.type "custom" }}
access-control.properties: |
{{- .Values.accessControl.customValues | nindent 4 }}
{{- end }}
{{- end }}

{{- if .Values.resourceGroups }}
resource-groups.properties: |
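Review bot: In the new `custom` branch, `.Values.accessControl.customValues | nindent 4` is rendered without checking that the value is set, so `type: custom` with a missing or empty `customValues` either fails with a template error that does not name the value or produces an empty `access-control.properties`. Since this file decides which system access control the coordinator loads, the requirement should be explicit: `{{- required "accessControl.customValues is required when accessControl.type is custom" .Values.accessControl.customValues | nindent 4 }}`. Separately, a `type` that matches neither `configmap` nor `custom` (a typo, for instance) renders no `access-control.properties` at all, which presumably leaves Trino on its permissive default access control; an `{{- else }}` branch calling `fail` would surface that, provided no other type is handled elsewhere in the chart. The enclosing `data:` block starts and ends outside the hunk.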
12 changes: 11 additions & 1 deletion charts/trino/values.yaml
Expand Up @@ -90,8 +90,18 @@ server:
accessControl: {}
# accessControl -- [System access
# control](https://trino.io/docs/current/security/built-in-system-access-control.html)
# configuration.
# configuration.<br>
# `type: configmap | custom`<br>
# Custom Values
# Example:
# @raw
# ```yaml
# type: custom
# customValues: |
# access-control.name=custom-access-control
# access-control.custom_key=custom_value
# ```
# ConfigMap Values
# Example:
# ```yaml
# type: configmap
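Review bot: The new comment for `customValues` does not say where the text ends up, and the coordinator template on this page writes it verbatim into `access-control.properties` inside a ConfigMap. I would add a line to the description such as `# customValues is copied verbatim into access-control.properties in the coordinator ConfigMap; do not place credentials in it.` Some access-control plugins may expect tokens or passwords in their properties (an assumption, not visible here), and a ConfigMap is readable by anyone with read access to the namespace's ConfigMaps.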
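--- a/test-values.yaml
+++ b/test-values.yaml
@@ -103,45 +103,48 @@ initContainers:
 mountPath: "/etc/trino/generated"
 
 accessControl:
-type: configmap
-refreshPeriod: 60s
-configFile: "rules.json"
-rules:
-rules.json: |-
-{
-"catalogs": [
-{
-"user": "admin",
-"catalog": "(tpch|system)",
-"allow": "all"
-},
-{
-"group": "group1",
-"catalog": "tpch",
-"allow": true
-},
-{
-"user": "alice",
-"catalog": "jmx",
-"allow": "read-only"
-},
-{
-"catalog": "system",
-"allow": "none"
-}
-],
-"schemas": [
-{
-"user": "admin",
-"schema": ".*",
-"owner": true
-},
-{
-"user": "alice",
-"owner": false
-}
-]
-}
+type: custom
+customValues: |
+access-control.name=read-only
+# type: configmap
+# refreshPeriod: 60s
+# configFile: "rules.json"
+# rules:
+# rules.json: |-
+# {
+# "catalogs": [
+# {
+# "user": "admin",
+# "catalog": "(tpch|system)",
+# "allow": "all"
+# },
+# {
+# "group": "group1",
+# "catalog": "tpch",
+# "allow": true
+# },
+# {
+# "user": "alice",
+# "catalog": "jmx",
+# "allow": "read-only"
+# },
+# {
+# "catalog": "system",
+# "allow": "none"
+# }
+# ],
+# "schemas": [
+# {
+# "user": "admin",
+# "schema": ".*",
+# "owner": true
+# },
+# {
+# "user": "alice",
+# "owner": false
+# }
+# ]
+# }
 
 jmx:
 enabled: true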
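Review bot: The file-based rules are kept only as a commented-out block under `accessControl:`, so this values file no longer exercises the `type: configmap` branch of the coordinator template, and the dead block will drift from the chart over time. Keeping the `configmap` values here and putting the `custom` case in a separate test values file would cover both branches; whether another values file already covers `configmap` is not visible on this page. If the block stays, a one-line comment above it such as `# configmap variant kept for reference; not rendered by this test` would say why it is there.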
