Skip to content

[OPA] Add additional context file to Trino OPA plugin#25993

Merged
wendigo merged 1 commit into
trinodb:masterfrom
chiahangchang:feature/opa-plugin-additional-context
Jan 7, 2026
Merged

[OPA] Add additional context file to Trino OPA plugin#25993
wendigo merged 1 commit into
trinodb:masterfrom
chiahangchang:feature/opa-plugin-additional-context

Conversation

@chiahangchang
Copy link
Copy Markdown
Contributor

@chiahangchang chiahangchang commented Jun 11, 2025
edited
Loading

Add optional configuration property to Trino OPA plugin, specifying a path to a JSON containing tenant-specified context (i.e. namespace, cluster, environment, tier) as key-value pairs

Additional context and related issues

#25880

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
(X) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

## Section
* Fix some things. ({issue}`issuenumber`)

@cla-bot cla-bot Bot added the cla-signed label Jun 11, 2025
@chiahangchang chiahangchang requested a review from vagaerg June 11, 2025 19:52
@chiahangchang chiahangchang force-pushed the feature/opa-plugin-additional-context branch from 961f278 to dab85af Compare June 12, 2025 13:46
@chiahangchang chiahangchang requested a review from mosabua June 13, 2025 14:23
@chiahangchang chiahangchang requested a review from mosiac1 June 24, 2025 16:07
@sungwy sungwy requested a review from ebyhr June 27, 2025 17:53
@sungwy
Copy link
Copy Markdown
Member

sungwy commented Jun 27, 2025

Hi @ebyhr could we ask for your review on this PR? We are managing a multi-tenant Trino deployment platform on Kubernetes, and require Trino cluster specific attributes to be sent along in the OPA request to make the correct authorization decisions in the shared OPA server.

Questions like "can user X query this Trino cluster in tenant Y's namespace" or "can user X filter everyone's queries on this Trino cluster in tenant Y's namespace" will be able to be answered after this change.

ebyhr
ebyhr reviewed Jul 2, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaAccessControl.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaConfig.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaConfig.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/schema/OpaAdditionalContext.java Outdated
Comment thread plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControl.java
Comment thread plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlSystem.java Outdated
Comment thread plugin/trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlSystem.java Outdated
@github-actions github-actions Bot added the docs label Jul 2, 2025
@chiahangchang chiahangchang requested a review from ebyhr July 2, 2025 18:31
@chiahangchang chiahangchang force-pushed the feature/opa-plugin-additional-context branch from 1fa061c to 05aca38 Compare July 2, 2025 18:33
@github-actions github-actions Bot added ui Web UI hudi Hudi connector iceberg Iceberg connector delta-lake Delta Lake connector hive Hive connector bigquery BigQuery connector duckdb DuckDB connector elasticsearch Elasticsearch connector faker Faker connector google-sheets Google Sheets connector kafka Kafka connector memory Memory connector opensearch OpenSearch connector pinot Pinot connector postgresql PostgreSQL connector redis Redis connector redshift Redshift connector labels Jul 2, 2025
@chiahangchang chiahangchang force-pushed the feature/opa-plugin-additional-context branch 2 times, most recently from 5f41d40 to ea5bbbc Compare July 2, 2025 19:07
@chiahangchang chiahangchang force-pushed the feature/opa-plugin-additional-context branch 11 times, most recently from 96c4f60 to d2001a4 Compare September 17, 2025 17:59
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Oct 9, 2025

This pull request has gone a while without any activity. Ask for help on #core-dev on Trino slack.

@github-actions github-actions Bot added the stale label Oct 9, 2025
wendigo
wendigo reviewed Oct 15, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaConfig.java Outdated
wendigo
wendigo reviewed Oct 15, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 11, 2025

This pull request has gone a while without any activity. Ask for help on #core-dev on Trino slack.

wendigo
wendigo reviewed Nov 11, 2025
View reviewed changes
Comment thread docs/src/main/sphinx/security/opa-access-control.md Outdated
wendigo
wendigo reviewed Nov 11, 2025
View reviewed changes
Comment thread docs/src/main/sphinx/security/opa-access-control.md Outdated
wendigo
wendigo reviewed Nov 11, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaConfig.java Outdated
wendigo
wendigo reviewed Nov 11, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
wendigo
wendigo reviewed Nov 11, 2025
View reviewed changes
Comment thread plugin/trino-opa/pom.xml Outdated
wendigo
wendigo approved these changes Nov 11, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@wendigo wendigo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM % naming

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 3, 2025

This pull request has gone a while without any activity. Ask for help on #core-dev on Trino slack.

@chiahangchang
Copy link
Copy Markdown
Contributor Author

chiahangchang commented Dec 22, 2025

@wendigo Could I get your help merging this PR? I've incorporated the suggested fixes

chenjian2664
chenjian2664 reviewed Dec 27, 2025
View reviewed changes
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
Comment thread plugin/trino-opa/src/main/java/io/trino/plugin/opa/OpaHighLevelClient.java Outdated
Comment thread plugin/trino-opa/src/test/resources/additional-context.properties
Comment thread ...trino-opa/src/test/java/io/trino/plugin/opa/TestOpaAccessControlAdditionalContextSystem.java Outdated
@chiahangchang
Copy link
Copy Markdown
Contributor Author

chiahangchang commented Dec 29, 2025

@chenjian2664 Addressed comments

@chiahangchang
Copy link
Copy Markdown
Contributor Author

chiahangchang commented Jan 7, 2026

@wendigo Thank you!

@chenjian2664 chenjian2664 mentioned this pull request Jan 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chenjian2664 chenjian2664 chenjian2664 left review comments

@wendigo wendigo wendigo approved these changes

@vagaerg vagaerg Awaiting requested review from vagaerg

@mosabua mosabua Awaiting requested review from mosabua

@mosiac1 mosiac1 Awaiting requested review from mosiac1

@ebyhr ebyhr Awaiting requested review from ebyhr

Assignees

No one assigned

Labels

cla-signed docs

Milestone

480

Development

Successfully merging this pull request may close these issues.

8 participants

@chiahangchang @sungwy @riddhithummar @snawar92 @ebyhr @wendigo @mosabua @chenjian2664