Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial work to add ranger configuration #198

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Initial work to add ranger configuration #198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5a93efe
Initial work to add ranger
lozbrown Aug 2, 2024
f92d124
Update configmap-coordinator.yaml
lozbrown Aug 5, 2024
d92b2ec
Update deployment-coordinator.yaml
lozbrown Aug 5, 2024
44bf4ce
Update configmap-coordinator.yaml
lozbrown Oct 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 115 additions & 1 deletion charts/trino/templates/configmap-coordinator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,17 @@ data:
{{- .Values.server.coordinatorExtraConfig | nindent 4 }}
{{- end }}

{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "ranger" }}
access-control.properties: |
access-control.name=file
{{- if .Values.accessControl.refreshPeriod }}
security.refresh-period={{ .Values.accessControl.refreshPeriod }}
{{- end }}
ranger.security_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.security_config | default "ranger-trino-security.xml" }}
ranger.audit_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }}
ranger.policy_mgr_ssl_config={{ .Values.server.config.path }}/access-control/{{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }}
{{- end }}
{{- if eq .Values.accessControl.type "configmap" }}
access-control.properties: |
access-control.name=file
{{- if .Values.accessControl.refreshPeriod }}
Expand Down Expand Up @@ -151,6 +161,110 @@ data:
{{- range $key, $val := .Values.accessControl.rules }}
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.accessControl.type "ranger" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "trino.fullname" . }}-access-control-volume-coordinator
namespace: {{ .Release.Namespace }}
labels:
{{- include "trino.labels" . | nindent 4 }}
app.kubernetes.io/component: coordinator
data:
{{ .Values.ranger.security_config | default "ranger-trino-security.xml" }}: |
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<property>
<name>ranger.plugin.trino.policy.rest.url</name>
<value>{{ .Values.ranger.host_uri }}</value>
<description>MANDATORY: a comma separated list of URLs to Apache Ranger instances in a deployment</description>
</property>
<property>
<name>ranger.plugin.trino.access.cluster.name</name>
<value>{{ .Values.ranger.cluster_name | default "dev_trino" }}</value>
<description>Name to identify the cluster running the Trino instance. This is recorded in audit logs generated by the plugin</description>
</property>
<property>
<name>ranger.plugin.trino.use.rangerGroups</name>
<value>{{ .Values.ranger.use_ranger_groups | default "false" }}</value>
<description>Boolean flag to specify whether user-to-groups mapping should be obtained from in Apache Ranger. Default: false</description>
</property>
<property>
<name>ranger.plugin.trino.use.only.rangerGroups</name>
<value>{{ .Values.ranger.use_ranger_groups | default "false" }}</value>
<description>Boolean flag. true: use user-to-groups mapping from Apache Ranger; false: use user-to-groups mappings from Apache Ranger and Trino. Default: false</description>
</property>
<property>
<name>ranger.plugin.trino.super.users</name>
<value>{{ .Values.ranger.super_users }}</value>
<description>Comma separated list of user names. Superusers will be authorized for all accesses, without requiring explicit policy grants.</description>
</property>
<property>
<name>ranger.plugin.trino.super.groups</name>
<value>{{ .Values.ranger.super_groups }}</value>
<description>Comma separated list of group names. Users in supergroups will be authorized for all accesses, without requiring explicit policy grants</description>
</property>
</configuration>

{{ .Values.ranger.audit_config | default "ranger-trino-audit.xml" }}: |
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<property>
<name>xasecure.audit.is.enabled</name>
<value>{{ .Values.ranger.audit_enabled | default "true" }}</value>
<description>Boolean flag to specify if the plugin should generate access audit logs. Default: true</description>
</property>
{{- if .Values.ranger.solr_uri }}
<property>
<name>xasecure.audit.solr.is.enabled</name>
<value>true</value>
<description>Boolean flag to specify if audit logs should be stored in Solr. Default: false</description>
</property>
{{- end }}
<property>
<name>xasecure.audit.solr.solr_url</name>
<value>{{ .Values.ranger.solr_uri }}</value>
<description>URL to Solr deployment where the plugin should send access audits to</description>
</property>
</configuration>

{{ .Values.ranger.policy_mgr_ssl_config | default "ranger-trino-policymgr-ssl.xml" }}: |
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<!-- properties used for 2-way SSL between the Trino plugin and Apache Ranger server -->
<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value></value>
<description>Path to keystore file</description>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.type</name>
<value>jks</value>
<description>Type of keystore. Default: jks</description>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value></value>
<description>Path to credential file for the keystore; the credential should be in alias sslKeyStore</description>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value></value>
<description>Path to truststore file</description>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.type</name>
<value>jks</value>
<description>Type of truststore. Default: jks</description>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value></value>
<description>Path to credential file for the truststore; the credential should be in alias sslTrustStore</description>
</property>
</configuration>

{{- end }}{{- end }}
{{- if .Values.resourceGroups }}
---
Expand Down
2 changes: 1 addition & 1 deletion charts/trino/templates/deployment-coordinator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ spec:
- name: schemas-volume
configMap:
name: {{ template "trino.fullname" . }}-schemas-volume-coordinator
{{- if .Values.accessControl }}{{- if eq .Values.accessControl.type "configmap" }}
{{- if .Values.accessControl }}{{- if or eq .Values.accessControl.type "configmap" eq .Values.accessControl.type "ranger" }}
- name: access-control-volume
configMap:
name: {{ template "trino.fullname" . }}-access-control-volume-coordinator
Expand Down