Skip to content
/ trino-opa-demo Public

trino access control with opa powered by opal and nodejs as rbac backend

nil1729.github.io/trino-opa-demo/

License

MIT license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nil1729/trino-opa-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
assets
assets
 
 
opal
opal
 
 
policies @ 22353df
policies @ 22353df
 
 
rbac-server
rbac-server
 
 
shared
shared
 
 
trino
trino
 
 
.env.sample
.env.sample
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yaml
docker-compose.yaml
 
 

Repository files navigation

Trino Access Control with OPA

This repository guides you through the process of setting up Trino with OPA for access control.

Considerations

  • This guide assumes that you have a basic understanding of Trino and OPA (Open Policy Agent).
  • Trino Version: 440, OPAL Version: 0.7.5, Postgres Version: 16

Architecture (Docker)

Docker Architecture

Running Trino Cluster with OPA Locally

Setting up Github SSH Key (Optional)

If you are using a private repository for the policy files in OPAL Server, you need to add the SSH Public key to the GitHub repository as a deploy key. Read OPAL Documentation

  • Generate a new SSH key pair using the following command:

    ssh-keygen -t ed25519 -C "[email protected]"

  • Add the SSH key to the GitHub Repository as a deploy key.

    cat ~/.ssh/id_ed25519.pub

    CLI Demo

    Github Demo

Setting up Environment Variables for OPAL Server

  • OPAL_POLICY_REPO_SSH_KEY:

    cat ~/.ssh/id_ed25519

    CLI Demo

    OPAL_POLICY_REPO_SSH_KEY="-----BEGIN OPENSSH PRIVATE KEY-----_XX_YY_-----END OPENSSH PRIVATE KEY-----"

    Replace newline characters (\n) with underscore (_).

  • OPAL_AUTH_PRIVATE_KEY and OPAL_AUTH_PUBLIC_KEY:

    Please follow the instructions from the OPAL Documentation to generate the RSA keys.

  • OPAL_AUTH_MASTER_TOKEN:

    python3 -m venv .venv
    source .venv/bin/activate
    pip install opal-server
    opal-server generate-secret

Running Docker Compose

Create a .env file with the variables from .env.sample and run the following command:

docker compose up -d

Docker Compose

Create User, Groups & Policies

Please use this Postman Collection to create users, groups, and policies.

Running queries in Trino through Trino CLI

For this demo, I have created a user [email protected] and associated it with the group sales and with the following access policy:

  • Policy 1:
    • Catalog: tpch
    • Schema: sf1
    • Table: customer
    • columns: custkey, nationkey
    • cluster: trino-1
trino --server localhost:8081 --user [email protected]

Trino CLI-1 Trino CLI-2

trino --server localhost:8082 --user [email protected]

Trino CLI-3

Changing Policies on Runtime

Now, I have created another group marketing and associated it with the following access policy:

  • Policy 2:
    • Catalog: tpcds
    • Schema: tiny
    • Table: promotion
    • columns: p_promo_name, p_channel_tv, p_channel_email
    • cluster: trino-2
trino --server localhost:8082 --user [email protected]

Trino CLI-4 Trino CLI-5

References

Made with ❤️ by nil1729

About

trino access control with opa powered by opal and nodejs as rbac backend

nil1729.github.io/trino-opa-demo/

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages