Investigate into RBAC for Azure Storage/Trino #1189

Closed
rohank07 opened this issue Jun 15, 2022 · 4 comments
rohank07 commented Jun 15, 2022

Investigate and look into RBAC for Azure storage account container level. Users unable to access other container. Also need to think about shared containers.

rohank07 changed the title from "Investigate into RBAC for Azure Storage" to "Investigate into RBAC for Azure Storage/Trino" on Jun 15, 2022
rohank07 commented Jul 18, 2022

Trino RBAC implementation. To play around with RBAC use the custom image: k8scc01covidacr.azurecr.io/jupyterlab-cpu:eae5323a (removed the auto-injecting of --user namespacename for testing purposes).
Need to update the trino-wrapper script to use: --catalog hive --schema namespacename (schema name does not accept a hyphen).

rules.json template

  rules.json: |
    {
        "schemas": [
            {
                "user": "rohan-katkar",
                "schema": "(rohankatkar|rohankatkar2|rohankatkar3)",
                "owner": true
            },
            {
                "user": "pat-ledgerwood",
                "schema": "patledgerwood",
                "owner": true
            },
            {
                "user": "jose-matsuda",
                "schema": "josematsuda",
                "owner": true
            }
        ],
        "tables": [
            {
                "user": "rohan-katkar",
                "schema": "rohankatkar",
                "table": ".*",
                "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]
            },
            {
                "user": "jose-matsuda",
                "schema": "josematsuda",
                "table": ".*",
                "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]
            },
            {
                "user": "pat-ledgerwood",
                "schema": "patledgerwood",
                "table": ".*",
                "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]
            }
        ]
    }

Multiple schemas under the same user are possible.
Users are able to access other users' schemas using `use schemaname;` but are denied access when trying to see tables under the schema. They are also only able to see schemas under the user that they are logged in as.

rohank07 commented

To support multi-user access to tables and schemas we can achieve this by "user": "(rohan-katkar|jose-matsuda)" on schemas and tables. "Contributors" will have access to all the schemas and tables with the set privileges in place.

rohank07 commented

For the FDI side of things: if a user is granted access with ROX permissions, the Trino rules.json will interpret that as restricting privileged access to querying tables (only able to run SELECT queries) and creating additional schemas. "privileges": ["SELECT"]
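The three comments above (the rules.json template, the "(user-a|user-b)" regex for shared "Contributor" access, and the SELECT-only rule for ROX users) all rely on the same evaluation model: each list in rules.json is scanned top to bottom, the first rule whose user/schema/table patterns fully match wins, and no match means no ownership and no privileges. The following is an added example, not code from this issue or from Trino, that re-implements that first-match model in a few lines so the effect of a rules file can be checked offline before it is loaded into the cluster. It uses constructed placeholder users (alice, bob, carol) and a hypothetical `schema_for_namespace` helper for the hyphen-stripping mentioned for the wrapper script; it does not model every Trino check (for example schema visibility in SHOW SCHEMAS), only the rule-matching logic.

```python
import json
import re

# Constructed rules document (not the issue's own file): same shape as Trino's
# file-based access control rules.json, with placeholder user names.
# "carol" on "shared" is the ROX case from the issue: SELECT only, not an owner.
RULES_JSON = """
{
  "schemas": [
    {"user": "alice", "schema": "(alice|alice2)", "owner": true},
    {"user": "(alice|bob)", "schema": "shared", "owner": true},
    {"user": "carol", "schema": "shared", "owner": false}
  ],
  "tables": [
    {"user": "alice", "schema": "(alice|alice2)", "table": ".*",
     "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]},
    {"user": "(alice|bob)", "schema": "shared", "table": ".*",
     "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"]},
    {"user": "carol", "schema": "shared", "table": ".*",
     "privileges": ["SELECT"]}
  ]
}
"""
RULES = json.loads(RULES_JSON)

# Statement type -> table privilege it needs (an illustrative subset).
REQUIRED_PRIVILEGE = {
    "SELECT": "SELECT", "INSERT": "INSERT", "DELETE": "DELETE",
    "UPDATE": "UPDATE", "DROP": "OWNERSHIP",
}


def schema_for_namespace(namespace):
    """Hypothetical helper: schema names do not accept hyphens, so the
    namespace "rohan-katkar" maps to the schema "rohankatkar"."""
    return namespace.replace("-", "")


def _matches(pattern, value):
    # Rule fields are regular expressions that must match the whole value;
    # an absent field matches anything.
    return re.fullmatch(".*" if pattern is None else pattern, value) is not None


def schema_owner(rules, user, schema):
    """First matching schema rule decides ownership; no match means not owner."""
    for rule in rules.get("schemas", []):
        if _matches(rule.get("user"), user) and _matches(rule.get("schema"), schema):
            return bool(rule.get("owner", False))
    return False


def matching_table_rule(rules, user, schema, table):
    """Index of the first table rule that applies, or None if no rule matches.
    Useful for spotting a broad rule that shadows a narrower one below it."""
    for i, rule in enumerate(rules.get("tables", [])):
        if (_matches(rule.get("user"), user)
                and _matches(rule.get("schema"), schema)
                and _matches(rule.get("table"), table)):
            return i
    return None


def table_privileges(rules, user, schema, table):
    """Privileges granted by the first matching table rule; empty set if none."""
    i = matching_table_rule(rules, user, schema, table)
    if i is None:
        return set()
    return set(rules["tables"][i].get("privileges", []))


def can_run(rules, user, schema, table, statement):
    """True if the winning table rule grants the privilege the statement needs."""
    needed = REQUIRED_PRIVILEGE[statement.upper()]
    return needed in table_privileges(rules, user, schema, table)


if __name__ == "__main__":
    # Walk a few decisions so the effect of the constructed rules is visible.
    for user, schema, stmt in [("alice", "alice2", "INSERT"), ("bob", "shared", "DROP"),
                               ("carol", "shared", "SELECT"), ("carol", "shared", "INSERT"),
                               ("bob", "alice", "SELECT")]:
        print(f"{user:6} {stmt:6} on {schema}.orders -> "
              f"rule {matching_table_rule(RULES, user, schema, 'orders')}, "
              f"allowed={can_run(RULES, user, schema, 'orders', stmt)}, "
              f"owner={schema_owner(RULES, user, schema)}")
```

Because the first match wins, a "Contributors" rule such as "(alice|bob)" that is placed before a user's own narrower rule will silently override the narrower one; running `matching_table_rule` against a few representative (user, schema, table) probes after every edit of the ConfigMap is a cheap way to catch that before hot-reload picks the file up.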

vexingly commented

@rohank07 has verified that the rules support hot-reloading which should allow us to automatically update them (via a controller).

To clarify, this solution will work no matter which authentication is implemented, but obviously some authentication method is required to identify users!
