Security

Authentication

Trino supports several authentication types.

Password

The Trino operator currently supports the following PASSWORD authenticators.

Password file

File-based authentication is defined as follows:

---
apiVersion: v1
kind: Secret
metadata:
  name: simple-trino-users-secret
type: kubernetes.io/opaque
stringData:
  admin: $2y$10$89xReovvDLacVzRGpjOyAOONnayOgDAyIS2nW9bs5DJT98q17Dy5i
  alice: $2y$10$HcCa4k9v2DRrD/g7e5vEz.Bk.1xg00YTEHOZjPX7oK3KqMSt2xT8W
  bob: $2y$10$xVRXtYZnYuQu66SmruijPO8WHFM/UK5QPHTr.Nzf4JMcZSqt3W.2.
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino
spec:
  version: 396-stackable0.1.0
  catalogLabelSelector: {}
  authentication:
    method:
      multiUser:
        userCredentialsSecret:
          name: simple-trino-users-secret
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1

The userCredentialsSecret entry references the manually created Secret simple-trino-users-secret, which contains the username and password-hash pairs shown in the snippet above.

The username and password combinations are provided in the stringData field: the key is the username, the value is the bcrypt hash of the password, created with a cost factor of 10. Such a hash can be produced with htpasswd, where -B selects bcrypt, -C 10 sets the cost, -n prints the result to stdout instead of writing a file and -b takes the password from the command line. The output has the form user:hash; only the hash part after the colon goes into the Secret:

htpasswd -nbBC 10 admin admin

LDAP

The Trino operator supports LDAP authentication as well. The following snippet shows how to configure PASSWORD authentication using LDAP:

---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: ldap-with-tls
spec:
  provider:
    ldap:
      hostname: openldap.default.svc.cluster.local
      searchBase: ou=users,dc=example,dc=org
      bindCredentials:
        secretClass: trino-with-ldap-bind
      port: 1636
      tls:
        verification:
          server:
            caCert:
              secretClass: openldap-tls
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: trino-with-ldap-bind
spec:
  backend:
    k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: trino-with-ldap-bind
  labels:
    secrets.stackable.tech/class: trino-with-ldap-bind
stringData:
  LDAP_USER: cn=integrationtest,ou=users,dc=example,dc=org
  LDAP_PASSWORD: integrationtest
---
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: simple-trino-with-ldap
spec:
  version: 396-stackable0.1.0
  catalogLabelSelector: {}
  authentication:
    method:
      ldap:
        authenticationClass: ldap-with-tls
  coordinators:
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1

With this configuration, Trino authenticates users against ldaps://openldap.default.svc.cluster.local:1636. The Trino web UI or the Trino CLI then have to authenticate with the user integrationtest and the password integrationtest.

For a complete test setup, including the deployment of OpenLDAP and the creation of the integrationtest user, have a look at the LDAP integration tests.

Authorization

To authorize Trino via OPA, a ConfigMap containing Rego rules for Trino has to be applied. The following example is an all-access Rego rule for testing with the user admin: it allows every action for that user and denies everything else. Do not use it in production!

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-bundle-trino
  labels:
    opa.stackable.tech/bundle: "trino"
data:
  trino.rego: |
    package trino

    import future.keywords.in

    default allow = false

    allow {
      is_admin
    }

    is_admin {
      input.context.identity.user == "admin"
    }

Users should write their own Rego rules for more complex OPA authorization.
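As an added example of such a more restrictive policy (this is not part of the Stackable documentation or of the operator), the following rule set keeps the deny-by-default of the snippet above but limits full access to a fixed set of admins and gives a second set of users a read-only role. Only input.context.identity.user is taken from the page; the field input.action.operation and the operation names it carries (such as "ExecuteQuery") are assumptions about the input the Trino OPA authorizer sends, so verify them against the authorizer version in use before relying on this policy. The user names are constructed sample values.

```rego
package trino

import future.keywords.in

# Added example policy, not from the Stackable docs: nothing is allowed
# unless a rule below explicitly grants it.
default allow = false

# Constructed sample role membership. In a real deployment these sets
# would be maintained in the bundle or looked up from data documents.
admins := {"admin"}
analysts := {"alice", "bob"}

# Operations sufficient to discover catalogs and run read-only queries.
# Assumption: these are the operation names the Trino OPA authorizer
# places in input.action.operation; adjust to the authorizer in use.
read_only_operations := {
  "ExecuteQuery",
  "AccessCatalog",
  "FilterCatalogs",
  "FilterSchemas",
  "FilterTables",
  "FilterColumns",
  "ShowSchemas",
  "ShowTables",
  "SelectFromColumns"
}

is_admin {
  input.context.identity.user in admins
}

is_analyst {
  input.context.identity.user in analysts
}

# Admins may perform any operation.
allow {
  is_admin
}

# Analysts may only perform read-only operations; writes, DDL and
# impersonation fall through to the default deny.
allow {
  is_analyst
  input.action.operation in read_only_operations
}
```

Because allow has a default of false, every operation that is not listed for the analyst role, for example ImpersonateUser or any write or DDL operation, is denied without needing an explicit deny rule. The policy can be exercised locally with opa eval or opa test against a constructed input document before it is placed in the opa-bundle-trino ConfigMap.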