Trino works with three integrated access control solutions:
The first one is internal to Trino and does not make it possible to change the authorization policies without touching the Trino deployment. With Ranger, a plugin is injected into Trino, which creates a strong dependency between the two components and requires strict version alignment between Trino and Ranger. This leaves us with OPA, an HTTP REST server that communicates with the application in JSON and thus gives us flexibility between the Trino and the OPA versions.
However, we want a GitOps solution where policies can be updated in a Git repository. This is where the Open Policy Administration Layer (OPAL) comes into play: OPAL injects the policies taken from the Git repository into OPA. The architecture is explained on the official website.
The implementation contains:
In addition to the previous implementation, the repository opal-fetcher-postgres, a fork of the official opal-fetcher-postgres repository adapted to the currently latest OPAL version, has been added to build an image in which OPAL can connect to Postgres as an external data source. In this case the OPAL server has to be configured accordingly.
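
The JSON-over-HTTP exchange with OPA described above, as an added example that is not code from this repository or from Trino's OPA plugin: a client posts `{"input": ...}` to OPA's Data API and treats a missing `result`, a `false`, or an unreachable server as a deny. The policy path `trino/allow`, the `user`/`operation` input fields and the local stub server are assumptions constructed for illustration.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

POLICY_PATH = "trino/allow"  # assumed policy path, not taken from the repository

def stub_policy(inp):  # constructed stand-in for a Rego rule; None = undefined
    if inp.get("user") != "analyst":
        return None
    return inp.get("operation") == "select"

class StubOPA(BaseHTTPRequestHandler):
    """Local stand-in for OPA's Data API; "result" is omitted when undefined."""
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        decision = stub_policy(body.get("input", {}))
        payload = json.dumps({} if decision is None else {"result": decision}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

def is_allowed(base_url, inp, timeout=2.0):
    """Ask OPA for a decision; anything other than an explicit true is a deny."""
    req = urllib.request.Request(f"{base_url}/v1/data/{POLICY_PATH}",
                                 data=json.dumps({"input": inp}).encode(),
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            doc = json.load(resp)
    except (OSError, ValueError):
        return False  # OPA unreachable or reply is not JSON: fail closed
    return isinstance(doc, dict) and doc.get("result") is True

def demo():
    with HTTPServer(("127.0.0.1", 0), StubOPA) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}"
        cases = {"select": {"user": "analyst", "operation": "select"},
                 "drop": {"user": "analyst", "operation": "drop"},
                 "unknown_user": {"user": "guest", "operation": "select"}}
        results = {name: is_allowed(url, inp) for name, inp in cases.items()}
        server.shutdown()
    results["opa_down"] = is_allowed(url, cases["select"])
    return results

if __name__ == "__main__":
    print(demo())
```

The `unknown_user` and `opa_down` cases are the ones to check in any OPA client: an undefined decision and an unavailable policy server must both resolve to deny.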