Security

This page covers Authentication and Authorization.

Authentication

Trino supports several authentication types.

Password

The Trino operator currently supports the following PASSWORD authenticators.

Password file

The file based authentication can be defined as follows. First create a secret with your users:

apiVersion: v1
kind: Secret
metadata:
  name: simple-trino-users-secret
type: kubernetes.io/opaque
stringData:
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
  alice: $2y$10$HcCa4k9v2DRrD/g7e5vEz.Bk.1xg00YTEHOZjPX7oK3KqMSt2xT8W
  bob: $2y$10$xVRXtYZnYuQu66SmruijPO8WHFM/UK5QPHTr.Nzf4JMcZSqt3W.2.

This contains username and password pairs as shown in the previous snippet. The username and password combinations are provided in the stringData field. The hashes are created using bcrypt with 10 rounds:

htpasswd -nbBC 10 admin admin

Then reference the secret in your TrinoCluster definition:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  ...
  authentication:
    method:
      multiUser:
        userCredentialsSecret:
          name: simple-trino-users-secret
  ...

LDAP

The Trino operator supports LDAP authentication as well and authentication in Stackable is done using AuthenticationClasses:

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: my-ldap
...
You can follow the Authentication with OpenLDAP tutorial to learn how to create an AuthenticationClass for an LDAP server.

With an AuthenticationClass ready, PASSWORD authentication using LDAP is done by referincing the LDAP AuthenticationClass:

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: trino-with-ldap
spec:
  ...
  authentication:
    method:
      ldap:
        authenticationClass: my-ldap
  ...

In the Trino CLI and web interface, LDAP users can now be used to log in.

Authorization

In order to authorize Trino via OPA, a ConfigMap containing Rego rules for Trino has to be applied. The following example is an all-access Rego rule for testing with the user admin. Do not use it in production!

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-bundle-trino
  labels:
    opa.stackable.tech/bundle: "trino"
data:
  trino.rego: |
    package trino

    import future.keywords.in

    default allow = false

    allow {
      is_admin
    }

    is_admin() {
      input.context.identity.user == "admin"
    }

Users should write their own rego rules for more complex OPA authorization.