Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Tracking] OPA integration 2.0 #443

Open
1 of 4 tasks
sbernauer opened this issue Jul 12, 2023 · 1 comment
Open
1 of 4 tasks

[Tracking] OPA integration 2.0 #443

sbernauer opened this issue Jul 12, 2023 · 1 comment
Assignees

Comments

@sbernauer
Copy link
Member

sbernauer commented Jul 12, 2023

Context: We want to move from our - honestly early stage - authorizer to the one Bloomberg build.
It has a much nicer API and allows to batch multiple requests as well.

Long-term we want to have our custom CRDs e.g. TableGrant, SchemaGrant, CatalogGrant, which trino-operator consumes and automatically translates into OPA regorules similar to this, as it's rather complicated to write you own rego-rules.

Upstream PR at Trino: trinodb/trino#17940 - replaced by trinodb/trino#19532.

Row level filtering and data masking PR: bloomberg/trino#16

Current state https://github.com/sbernauer/trino/tree/add-open-policy-agent (mainline) (especially the rego rules, https://github.com/sbernauer/trino/tree/add-open-policy-agent (squashed for easier backporting) and https://github.com/sbernauer/trino/tree/414-with-opa (for 414-with-trino)

Tasks

  1. 0 of 11
@maltesander
Copy link
Member

#491 uses the upstream opa authorizer for 428 (still self build and not in the original trino image).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants