Security

This page covers Authentication and Authorization.

Authentication

Trino supports several authentication types.

Password

The Trino operator currently supports the following PASSWORD authenticators.

Password file

File based authentication is defined as follows. First create a Secret containing your users:

apiVersion: v1
kind: Secret
metadata:
  name: simple-trino-users-secret
type: kubernetes.io/opaque
stringData:
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
  alice: $2y$10$HcCa4k9v2DRrD/g7e5vEz.Bk.1xg00YTEHOZjPX7oK3KqMSt2xT8W
  bob: $2y$10$xVRXtYZnYuQu66SmruijPO8WHFM/UK5QPHTr.Nzf4JMcZSqt3W.2.

The Secret contains username and password-hash pairs, one per entry in the stringData field, as shown in the snippet above. The hashes are created using bcrypt with 10 rounds, for example with htpasswd:

htpasswd -nbBC 10 admin admin

Then reference the Secret in your TrinoCluster definition:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  ...
  authentication:
    method:
      multiUser:
        userCredentialsSecret:
          name: simple-trino-users-secret
  ...

LDAP

The Trino operator also supports LDAP authentication. In Stackable, authentication is configured using AuthenticationClasses:

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: my-ldap
...

You can follow the Authentication with OpenLDAP tutorial to learn how to create an AuthenticationClass for an LDAP server.

With an AuthenticationClass ready, PASSWORD authentication using LDAP is enabled by referencing the LDAP AuthenticationClass:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: trino-with-ldap
spec:
  ...
  authentication:
    method:
      ldap:
        authenticationClass: my-ldap
  ...

LDAP users can now log in to the Trino CLI and the web interface.

Authorization

To authorize Trino via OPA, a ConfigMap containing Rego rules for Trino has to be applied. The following example is an all-access Rego rule for testing that grants everything to the user admin and denies everything else. Do not use it in production!

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-bundle-trino
  labels:
    opa.stackable.tech/bundle: "trino"
data:
  trino.rego: |
    package trino

    import future.keywords.in

    default allow = false

    allow {
      is_admin
    }

    is_admin() {
      input.context.identity.user == "admin"
    }

For anything beyond this test setup, write your own Rego rules that express the authorization your deployment actually needs.
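As a small step beyond the admin-only rule above, the following is an added example (not part of the Stackable documentation or the operator) that keeps the deny-by-default structure and the same input field, but makes use of the imported `in` keyword to grant full access to an explicit set of users. The `admins` set is a constructed value; replace it with your own list.

```rego
package trino

import future.keywords.in

# Deny by default: any request not matched below is rejected.
default allow = false

# Constructed example: the set of users granted full access.
# Keeping this list explicit makes it easy to review who holds admin rights.
admins := {"admin", "alice"}

# A request is allowed only when the requesting identity is an admin.
allow {
  is_admin
}

# True when the user reported by Trino is a member of the admins set.
# If input.context.identity.user is missing, this rule is undefined and
# the default (false) applies.
is_admin {
  input.context.identity.user in admins
}
```

Deploy it the same way as the ConfigMap above, i.e. as the content of the trino.rego key under data, so the operator picks it up via the opa.stackable.tech/bundle label.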