@xeniape xeniape commented Dec 16, 2025

Description

Implementation for #814

This PR changes the previous behavior of setting opa.policy.column-masking-uri to now setting opa.policy.batch-column-masking-uri in access-control.properties instead, for better performance. Consequently the Trino rules are expanded with the batchColumnMasks rules and schema.

It also adds the new field enableColumnMasking to the opa configuration, to make it possible for the user to disable the default behavior of setting opa.policy.batch-column-masking-uri at all and adds accompanying reference documentation.

Additionally, as noted in https://github.com/stackabletech/decisions/issues/71#issuecomment-3718891949, opa changed to a mandatory enum variant instead of being optional.

Integration tests

--- PASS: kuttl (4092.48s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/authentication_trino-latest-477_ldap-use-tls-false_openshift-false (273.13s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-true_use-tls-false_use-internal-tls-true_openshift-false (81.89s)
        --- PASS: kuttl/harness/smoke_trino-476_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (441.23s)
        --- PASS: kuttl/harness/smoke_trino-451_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (379.07s)
        --- PASS: kuttl/harness/smoke_trino-451_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (391.60s)
        --- PASS: kuttl/harness/smoke_trino-451_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (465.95s)
        --- PASS: kuttl/harness/listener_trino-477_openshift-false (81.02s)
        --- PASS: kuttl/harness/smoke_trino-451_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (471.85s)
        --- PASS: kuttl/harness/listener_trino-476_openshift-false (88.57s)
        --- PASS: kuttl/harness/listener_trino-451_openshift-false (87.56s)
        --- PASS: kuttl/harness/client-spooling_trino-latest-477_openshift-false (149.54s)
        --- PASS: kuttl/harness/opa-authorization_trino-477_hive-latest-4.1.0_opa-1.8.0_keycloak-25.0.0_openshift-false (337.58s)
        --- PASS: kuttl/harness/opa-authorization_trino-476_hive-latest-4.1.0_opa-1.8.0_keycloak-25.0.0_openshift-false (341.17s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-true_use-tls-true_use-internal-tls-true_openshift-false (79.42s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-true_use-tls-true_use-internal-tls-false_openshift-false (78.98s)
        --- PASS: kuttl/harness/opa-authorization_trino-451_hive-latest-4.1.0_opa-1.8.0_keycloak-25.0.0_openshift-false (372.99s)
        --- PASS: kuttl/harness/orphaned-resources_trino-latest-477_openshift-false (48.54s)
        --- PASS: kuttl/harness/smoke_trino-477_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (358.64s)
        --- PASS: kuttl/harness/smoke_trino-477_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (370.00s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-false_use-tls-true_use-internal-tls-false_openshift-false (72.62s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-true_use-tls-false_use-internal-tls-false_openshift-false (64.82s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-false_use-tls-true_use-internal-tls-true_openshift-false (71.59s)
        --- PASS: kuttl/harness/smoke_trino-477_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (355.45s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-false_use-tls-false_use-internal-tls-false_openshift-false (66.14s)
        --- PASS: kuttl/harness/tls_trino-latest-477_use-authentication-false_use-tls-false_use-internal-tls-true_openshift-false (66.12s)
        --- PASS: kuttl/harness/smoke_trino-477_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (345.64s)
        --- PASS: kuttl/harness/smoke_trino-476_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (358.05s)
        --- PASS: kuttl/harness/smoke_trino-476_hive-3.1.3_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (313.46s)
        --- PASS: kuttl/harness/smoke_trino-476_hive-4.1.0_opa-1.8.0_hdfs-3.4.2_zookeeper-3.9.3_openshift-false (417.38s)
        --- PASS: kuttl/harness/fault-tolerant-execution_trino-477_openshift-false (119.89s)
        --- PASS: kuttl/harness/logging_trino-476_openshift-false (78.38s)
        --- PASS: kuttl/harness/logging_trino-451_openshift-false (76.15s)
        --- PASS: kuttl/harness/resources_trino-latest-477_openshift-false (49.38s)
        --- PASS: kuttl/harness/fault-tolerant-execution_trino-451_openshift-false (121.39s)
        --- PASS: kuttl/harness/fault-tolerant-execution_trino-476_openshift-false (120.96s)
        --- PASS: kuttl/harness/cluster-operation_trino-latest-477_openshift-false (45.55s)
        --- PASS: kuttl/harness/logging_trino-477_openshift-false (74.48s)
        --- PASS: kuttl/harness/authentication_trino-latest-477_ldap-use-tls-true_openshift-false (281.78s)
PASS

Definition of Done Checklist

  • Not all of these items are applicable to all PRs; the author should update this template to leave in only the boxes that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@xeniape xeniape self-assigned this Dec 16, 2025
@xeniape xeniape linked an issue Jan 6, 2026 that may be closed by this pull request
@xeniape xeniape marked this pull request as ready for review January 14, 2026 08:34
@xeniape xeniape requested review from a team and siegfriedweber January 14, 2026 08:39
@siegfriedweber siegfriedweber moved this to Development: In Review in Stackable Engineering Jan 14, 2026
Some("columnMask"),
OpaApiVersion::V1,

let batched_column_masking_connection_string = if trino.column_masking_enabled() {
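Review bot: the `Some("columnMask")` connection string on the first lines is still constructed right before the new batched one, yet the description says `opa.policy.batch-column-masking-uri` now replaces `opa.policy.column-masking-uri`; if the single-column string is no longer written to `access-control.properties`, drop its construction (and `column_masking_enabled()` with it) so the two code paths cannot drift apart.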
Suggested change
let batched_column_masking_connection_string = if trino.column_masking_enabled() {
let batched_column_masking_connection_string = if opa_config.enable_column_masking {

... and delete the function column_masking_enabled().

Comment on lines +24 to +26
/// URI for fetching columns masks in batches, e.g.
/// `http://localhost:8081/v1/data/trino/batchColumnMasks` - if not set,
/// column-masking-uri will be used for getting column masks in parallel
column-masking-uri is not set, so it will not be used.

opa:
configMapName: opa
package: trino
{% if test_scenario['values']['trino'] == "451" %}
The supported Trino versions in SDP 26.3 are 477 and 479. I would just remove version 451 now from test-definition.yaml. Otherwise, removing these checks could be forgotten.

column_masks := trino.batchColumnMasks with input as request
with data.trino_policies.policies as policies

count(column_masks) == 0
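Review bot: this case only covers the no-mask outcome; pair it with one where `trino.batchColumnMasks` returns a mask for a column in `request`, otherwise a rule that silently matches nothing passes this test and ships unmasked columns in production.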
Suggested change
count(column_masks) == 0
column_masks == set()

column_masks must be an empty set and not an empty array, object or string.

#[serde(flatten)]
pub opa: OpaConfig,

/// Set the OPA batched column masking uri for Trino queries or not. Defaults to true.
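Review bot: the doc comment promises "Defaults to true", but a plain `bool` field fails deserialization when the key is absent from the manifest; make sure the field carries a serde default that yields `true`, and name the properties key it controls (`opa.policy.batch-column-masking-uri`) in the comment so users know exactly what the flag switches off.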
I am not sure if this is better:

Suggested change
/// Set the OPA batched column masking uri for Trino queries or not. Defaults to true.
/// Whether to set the OPA batched column masking URI for Trino queries; defaults to true

enableColumnMasking: true # default
----

<1> Redundant fields for column masking reference configuration are omitted
Which fields do you mean? All other TrinoCluster fields? If yes, then this comment is not necessary because almost all code snippets in this documentation are incomplete or we would have to add such a comment to all other snippets for consistency.


===== Result

In `access-control.properties` the following value is set, when `enableColumnMasking` is set to `true`:
Suggested change
In `access-control.properties` the following value is set, when `enableColumnMasking` is set to `true`:
In the `access-control.properties` file, the following value is set when `enableColumnMasking` is set to `true`:

(or just fix the position of the comma)

===== Considerations

The default setting for `enableColumnMasking` assumes a `batchColumnMasks` rule is defined in the Rego rules for the TrinoCluster.
If there is no such rule defined, Trino queries, using that column masking endpoint, will fail.
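Review bot: the paragraph names the failure but not the remedy; state that `enableColumnMasking: false` keeps such a cluster working, and make explicit that the failure surfaces at query time rather than at cluster start, so an existing cluster upgraded with an older policy bundle will appear healthy until the first query hits the batch endpoint.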
Suggested change
If there is no such rule defined, Trino queries, using that column masking endpoint, will fail.
If no such rule is defined, Trino queries that utilize the column masking endpoint will fail.

(or just fix the commas)

assert!(access_control_config.contains("opa.allow-permission-management-operations=false"));
assert!(access_control_config.contains(r#"opa.policy.batched-uri=http\://simple-opa.default.svc.cluster.local\:8081/v1/data/my-product/batch-new"#));
assert!(access_control_config.contains(r#"opa.policy.column-masking-uri=http\://simple-opa.default.svc.cluster.local\:8081/v1/data/my-product/columnMask"#));
assert!(access_control_config.contains(r#"opa.policy.batch-column-masking-uri=http\://simple-opa.default.svc.cluster.local\:8081/v1/data/my-product/batchColumnMasks"#));
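Review bot: the third assertion still expects `opa.policy.column-masking-uri` in the rendered file, while the description says the operator now sets `opa.policy.batch-column-masking-uri` instead; if that line is meant to stay, say in the PR why both keys are emitted, otherwise drop it and add an assertion that the old key is absent so the test pins the replacement rather than tolerating both.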
This test case tests configOverrides. Perhaps you could override the batch-column-masking-uri?

* `access-control.properties`
* `config.properties`
* `node.properties`
* `password-authenticator.properties`
Does the file password-authenticator.properties exist and can it really be overridden?


Development

Successfully merging this pull request may close these issues.

Batch OPA column masks calls

3 participants