From 5a93efeda99394aec044df43340cf0f7a3c05b45 Mon Sep 17 00:00:00 2001 From: lozbrown Date: Fri, 2 Aug 2024 17:03:07 +0100 Subject: [PATCH 1/4] Initial work to add ranger --- .../templates/configmap-coordinator.yaml | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml index a3080cd3..63405124 100644 --- a/charts/trino/templates/configmap-coordinator.yaml +++ b/charts/trino/templates/configmap-coordinator.yaml @@ -81,6 +81,16 @@ data: {{- end }} {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} + access-control.properties: | + access-control.name=file + {{- if .Values.accessControl.refreshPeriod }} + security.refresh-period={{ .Values.accessControl.refreshPeriod }} + {{- end }} + ranger.security_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.security_config | default "ranger-trino-security.xml" }} + ranger.audit_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }} + ranger.policy_mgr_ssl_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }} +{{- end }} +{{- if eq .Values.accessControl.type "ranger" }} access-control.properties: | access-control.name=file {{- if .Values.accessControl.refreshPeriod }} 
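Review bot: The new branch that emits the `ranger.security_config`, `ranger.audit_config` and `ranger.policy_mgr_ssl_config` properties also writes `access-control.name=file`, which selects Trino's file-based access control, so a Ranger plugin would never read those keys; the Ranger plugin is selected by `access-control.name=ranger`, and that is what this branch should emit. Patch 2 (the two hunks on the next lines of this series) swaps the `configmap`/`ranger` conditions but leaves this line as it is, so the defect survives to the end of the series. This hunk also dereferences `.Values.ranger.security_config` and its siblings with no `{{- if .Values.ranger }}` guard, and the diffstat shows no `values.yaml` change; if `ranger` is not defined in values, rendering with `accessControl.type: ranger` will fail at this template rather than fall through to the `default` filters. Consider nesting these settings under `.Values.accessControl`, next to `refreshPeriod`, where the rest of the access-control configuration already lives.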
@@ -151,6 +161,93 @@ data: {{- range $key, $val := .Values.accessControl.rules }} {{ $key }}: {{ $val | quote }} {{- end }} +{{- end }} +{{- if eq .Values.accessControl.type "ranger" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "trino.fullname" . }}-access-control-volume-coordinator + namespace: {{ .Release.Namespace }} + labels: + {{- include "trino.labels" . | nindent 4 }} + app.kubernetes.io/component: coordinator +data: + {{ .Values.ranger.security_config | default "ranger-trino-security.xml" }}: | + + + + + + ranger.plugin.trino.service.name + {{ .Values.ranger.service_name | default "dev_trino" }} + Name of the Ranger service containing policies for this Trino instance + + + ranger.plugin.trino.policy.rest.url + {{ .Values.ranger.host_uri }} + URL to Ranger Admin + + + ranger.plugin.trino.policy.source.impl + org.apache.ranger.admin.client.RangerAdminRESTClient + Policy source + + + ranger.plugin.trino.policy.pollIntervalMs + 30000 + How often to poll for changes in policies? + + + {{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }}: | + + + + + xasecure.audit.is.enabled + true + + + + + xasecure.audit.solr.is.enabled + true + + + + xasecure.audit.solr.solr_url + {{ .Values.ranger.solr_uri }} + + + {{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }}: | + + + + + + xasecure.policymgr.clientssl.keystore + trinoservice-clientcert.jks + Java Keystore files + + + + xasecure.policymgr.clientssl.truststore + cacerts-xasecure.jks + java truststore file + + + + xasecure.policymgr.clientssl.keystore.credential.file + jceks://file/etc/trino/keystore-trinoservice-ssl.jceks + java keystore credential file + + + + xasecure.policymgr.clientssl.truststore.credential.file + jceks://file/etc/trino/truststore-trinoservice-ssl.jceks + java truststore credential file + + + {{- end }}{{- end }} {{- if .Values.resourceGroups }} --- From f92d124febbbba98314d937363ef6e19658301d1 Mon Sep 17 00:00:00 2001 
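Review bot: The Ranger ConfigMap added here begins at `apiVersion: v1` with no `---` document separator before it, unlike the `resourceGroups` block that follows (its `---` is visible as trailing context), so with `accessControl.type: ranger` its `apiVersion`/`kind`/`metadata`/`data` keys are appended to the coordinator ConfigMap document above; depending on the parser that is a duplicate-key error or one definition silently replaces the other. Put `---` on the line directly after `{{- if eq .Values.accessControl.type "ranger" }}`; patch 4 only rewrites the `data:` section, so this persists through the series. `ranger.plugin.trino.policy.rest.url` renders `{{ .Values.ranger.host_uri }}` with neither a guard nor a default, so an unset value yields an empty URL at runtime; `{{ required "ranger.host_uri must be set when accessControl.type is ranger" .Values.ranger.host_uri }}` would surface that at template time instead. The `policymgr.clientssl` entries hard-code `jceks://file/etc/trino/...` credential-file paths that nothing in this change mounts; the keystore and the credential files that unlock it belong in a Secret-backed volume referenced from values rather than as fixed paths inside a ConfigMap.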
From: lozbrown Date: Mon, 5 Aug 2024 08:09:42 +0100 Subject: [PATCH 2/4] Update configmap-coordinator.yaml --- charts/trino/templates/configmap-coordinator.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml index 63405124..0a3b569e 100644 --- a/charts/trino/templates/configmap-coordinator.yaml +++ b/charts/trino/templates/configmap-coordinator.yaml @@ -80,7 +80,7 @@ data: {{- .Values.server.coordinatorExtraConfig | nindent 4 }} {{- end }} -{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} +{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "ranger" }} access-control.properties: | access-control.name=file {{- if .Values.accessControl.refreshPeriod }} @@ -90,7 +90,7 @@ data: ranger.audit_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }} ranger.policy_mgr_ssl_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }} {{- end }} -{{- if eq .Values.accessControl.type "ranger" }} +{{- if eq .Values.accessControl.type "configmap" }} access-control.properties: | access-control.name=file {{- if .Values.accessControl.refreshPeriod }} From d92b2ec1ab6c59b8aee2afaa6b851d6ce10d3e31 Mon Sep 17 00:00:00 2001 From: lozbrown Date: Mon, 5 Aug 2024 08:14:20 +0100 Subject: [PATCH 3/4] Update deployment-coordinator.yaml --- charts/trino/templates/deployment-coordinator.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml index 14bbeee6..9f2c98aa 100644 --- a/charts/trino/templates/deployment-coordinator.yaml +++ b/charts/trino/templates/deployment-coordinator.yaml 
@@ -49,7 +49,7 @@ spec: - name: schemas-volume configMap: name: {{ template "trino.fullname" . }}-schemas-volume-coordinator - {{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }} + {{- if .Values.accessControl }}{{- if or eq .Values.accessControl.type "configmap" eq .Values.accessControl.type "ranger" }} - name: access-control-volume configMap: name: {{ template "trino.fullname" . }}-access-control-volume-coordinator From 44bf4ce9b94a8dd7764ca98ddfeed7b5c9a8783c Mon Sep 17 00:00:00 2001 From: lozbrown Date: Wed, 23 Oct 2024 12:59:04 +0100 Subject: [PATCH 4/4] Update configmap-coordinator.yaml --- .../templates/configmap-coordinator.yaml | 83 +++++++++++-------- 1 file changed, 50 insertions(+), 33 deletions(-) diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml index 0a3b569e..601505cd 100644 --- a/charts/trino/templates/configmap-coordinator.yaml +++ b/charts/trino/templates/configmap-coordinator.yaml 
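Review bot: `{{- if or eq .Values.accessControl.type "configmap" eq .Values.accessControl.type "ranger" }}` is not valid Go template syntax: `or` receives the bare identifier `eq` as an argument, so the chart fails to render before either comparison is evaluated. Parenthesize the nested calls: `{{- if or (eq .Values.accessControl.type "configmap") (eq .Values.accessControl.type "ranger") }}`. The `{{- end }}{{- end }}` that closes this pair is outside the hunk and needs no change.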
@@ -173,78 +173,95 @@ metadata: app.kubernetes.io/component: coordinator data: {{ .Values.ranger.security_config | default "ranger-trino-security.xml" }}: | - - - - ranger.plugin.trino.service.name - {{ .Values.ranger.service_name | default "dev_trino" }} - Name of the Ranger service containing policies for this Trino instance - ranger.plugin.trino.policy.rest.url {{ .Values.ranger.host_uri }} - URL to Ranger Admin + MANDATORY: a comma separated list of URLs to Apache Ranger instances in a deployment - ranger.plugin.trino.policy.source.impl - org.apache.ranger.admin.client.RangerAdminRESTClient - Policy source + ranger.plugin.trino.access.cluster.name + {{ .Values.ranger.cluster_name | default "dev_trino" }} + Name to identify the cluster running the Trino instance. This is recorded in audit logs generated by the plugin - ranger.plugin.trino.policy.pollIntervalMs - 30000 - How often to poll for changes in policies? + ranger.plugin.trino.use.rangerGroups + {{ .Values.ranger.use_ranger_groups | default "false" }} + Boolean flag to specify whether user-to-groups mapping should be obtained from in Apache Ranger. Default: false + + + ranger.plugin.trino.use.only.rangerGroups + {{ .Values.ranger.use_ranger_groups | default "false" }} + Boolean flag. true: use user-to-groups mapping from Apache Ranger; false: use user-to-groups mappings from Apache Ranger and Trino. Default: false + + + ranger.plugin.trino.super.users + {{ .Values.ranger.super_users }} + Comma separated list of user names. Superusers will be authorized for all accesses, without requiring explicit policy grants. + + + ranger.plugin.trino.super.groups + {{ .Values.ranger.super_groups }} + Comma separated list of group names. 
Users in supergroups will be authorized for all accesses, without requiring explicit policy grants + {{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }}: | - xasecure.audit.is.enabled - true + {{ .Values.ranger.audit_enabled | default "true" }} + Boolean flag to specify if the plugin should generate access audit logs. Default: true - - + {{- if .Values.ranger.solr_uri }} xasecure.audit.solr.is.enabled true + Boolean flag to specify if audit logs should be stored in Solr. Default: false - + {{- end }} xasecure.audit.solr.solr_url {{ .Values.ranger.solr_uri }} + URL to Solr deployment where the plugin should send access audits to + {{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }}: | - - + xasecure.policymgr.clientssl.keystore - trinoservice-clientcert.jks - Java Keystore files + + Path to keystore file - - xasecure.policymgr.clientssl.truststore - cacerts-xasecure.jks - java truststore file + xasecure.policymgr.clientssl.keystore.type + jks + Type of keystore. Default: jks - xasecure.policymgr.clientssl.keystore.credential.file - jceks://file/etc/trino/keystore-trinoservice-ssl.jceks - java keystore credential file + + Path to credential file for the keystore; the credential should be in alias sslKeyStore + + + xasecure.policymgr.clientssl.truststore + + Path to truststore file + + + xasecure.policymgr.clientssl.truststore.type + jks + Type of truststore. Default: jks - xasecure.policymgr.clientssl.truststore.credential.file - jceks://file/etc/trino/truststore-trinoservice-ssl.jceks - java truststore credential file + + Path to credential file for the truststore; the credential should be in alias sslTrustStore