Skip to content
/ trino-opa-demo Public

trino access control with opa powered by opal and nodejs as rbac backend

nil1729.github.io/trino-opa-demo/

License

MIT license
0 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nil1729/trino-opa-demo

BranchesTags

Repository files navigation

Trino Access Control with OPA

This repository guides you through the process of setting up Trino with OPA for access control.

Considerations

  • This guide assumes that you have a basic understanding of Trino and OPA (Open Policy Agent).
  • Trino Version: 440, OPAL Version: 0.7.5, Postgres Version: 16

Architecture (Docker)

Docker Architecture

Running Trino Cluster with OPA Locally

Setting up Github SSH Key (Optional)

If you are using a private repository for the policy files in OPAL Server, you need to add the SSH Public key to the GitHub repository as a deploy key. Read OPAL Documentation

  • Generate a new SSH key pair using the following command:

    ssh-keygen -t ed25519 -C "nilanjan172nsvian@gmail.com"

  • Add the SSH key to the GitHub Repository as a deploy key.

    cat ~/.ssh/id_ed25519.pub

    CLI Demo

    Github Demo

Setting up Environment Variables for OPAL Server

  • OPAL_POLICY_REPO_SSH_KEY:

    cat ~/.ssh/id_ed25519

    CLI Demo

    OPAL_POLICY_REPO_SSH_KEY="-----BEGIN OPENSSH PRIVATE KEY-----_XX_YY_-----END OPENSSH PRIVATE KEY-----"

    Replace newline characters (\n) with underscore (_).

  • OPAL_AUTH_PRIVATE_KEY and OPAL_AUTH_PUBLIC_KEY:

    Please follow the instructions from the OPAL Documentation to generate the RSA keys.

  • OPAL_AUTH_MASTER_TOKEN:

    python3 -m venv .venv
    source .venv/bin/activate
    pip install opal-server
    opal-server generate-secret

Running Docker Compose

Create a .env file with the variables from .env.sample and run the following command:

docker compose up -d

Docker Compose

Create User, Groups & Policies

Please use this Postman Collection to create users, groups, and policies.

Running queries in Trino through Trino CLI

For this demo, I have created a user nilanjan172nsvian@gmail.com and associated it with the group sales and with the following access policy:

  • Policy 1:
    • Catalog: tpch
    • Schema: sf1
    • Table: customer
    • columns: custkey, nationkey
    • cluster: trino-1
trino --server localhost:8081 --user nilanjan172nsvian@gmail.com

Trino CLI-1 Trino CLI-2

trino --server localhost:8082 --user nilanjan172nsvian@gmail.com

Trino CLI-3

Changing Policies on Runtime

Now, I have created another group marketing and associated it with the following access policy:

  • Policy 2:
    • Catalog: tpcds
    • Schema: tiny
    • Table: promotion
    • columns: p_promo_name, p_channel_tv, p_channel_email
    • cluster: trino-2
trino --server localhost:8082 --user nilanjan172nsvian@gmail.com

Trino CLI-4 Trino CLI-5

References

Made with ❤️ by nil1729

About

trino access control with opa powered by opal and nodejs as rbac backend

nil1729.github.io/trino-opa-demo/

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages