Document different regorules for v414 and v428 due to authorizer changes

docs/modules/trino/examples/usage-guide/opa-bundle-trino-cm-428.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-bundle-trino
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  trino.rego: |
+    package trino
+
+    import future.keywords.in
+
+    default allow = false
+
+    allow {
+      is_admin
+    }
+    extended[i] {
+      some i
+      input.action.filterResources[i]
+      is_admin
+    }
+
+    is_admin() {
+      input.context.identity.user == "admin"
+    }

docs/modules/trino/pages/usage-guide/security.adoc

@@ -74,9 +74,20 @@ In the Trino CLI and web interface, LDAP users can now be used to log in.
 In order to authorize Trino via OPA, a ConfigMap containing a rego rule package for Trino has to be applied and referenced in the TrinoCluster resource.
 The following example is an all-access Rego rule for testing with the user `admin`. Do not use it in production!
 
+NOTE: Due to changes in the Trino OPA authorizer, rego rules differ between version 414 and 428. The OPA authorizer will become part of the Trino package once this https://github.com/trinodb/trino/pull/19532[pull request] is merged. The stackable Trino version 428 already uses that new OPA authorizer and utilizes the _batch mode_ (documented in the readme file https://github.com/trinodb/trino/pull/19532[here]) to avoid multiple queries to OPA. This is under active development and is not stable yet!
+
+=== Rego for Trino version 414
+
+[source,yaml]
+----
+include::example$usage-guide/opa-bundle-trino-cm-414.yaml[]
+----
+
+=== Rego for Trino version 428
+
 [source,yaml]
 ----
-include::example$usage-guide/opa-bundle-trino-cm.yaml[]
+include::example$usage-guide/opa-bundle-trino-cm-428.yaml[]
 ----
 
 Reference the package in the Trino cluster: