Security

Authorization

OPA

Column masking

CRD configuration

apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
spec:
  clusterConfig:
    authorization:
      opa:
        enableColumnMasking: true # default

Result

In the access-control.properties file, the following value is set when enableColumnMasking is set to true:

opa.policy.batch-column-masking-uri=<opa-url>/v1/data/<package>/batchColumnMasks (1) (2)

(1) <opa-url> is read from the OPA discovery ConfigMap
(2) <package> is read from spec.clusterConfig.authorization.opa.package if set, otherwise defaults to the TrinoCluster name

Considerations

The default setting for enableColumnMasking assumes that a batchColumnMasks rule is defined in the Rego rules for the TrinoCluster. If no such rule is defined, OPA returns no result for the batchColumnMasks endpoint and every Trino query that triggers a column-mask lookup fails.
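The following Rego policy is an added example, not part of the operator documentation or the Stackable project, of a batchColumnMasks rule that satisfies the endpoint configured above. It assumes the package is named trino (so it must match spec.clusterConfig.authorization.opa.package or the TrinoCluster name), that the group name hr and the column names salary and email are placeholders for your own schema, and that the request body follows the Trino OPA plugin's batch column-mask format (input.action.filterResources[i].column.columnName and input.context.identity.groups).

```rego
# Assumption: package name matches spec.clusterConfig.authorization.opa.package
# (or the TrinoCluster name when that field is unset).
package trino

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Because both rules below are partial set rules, batchColumnMasks is always
# defined: it evaluates to an empty set when nothing matches, so queries on
# tables without sensitive columns succeed instead of failing on a missing rule.

# Assumption: group membership is delivered as input.context.identity.groups.
user_in_hr if {
    "hr" in input.context.identity.groups
}

# Replace the salary column with NULL for everyone outside the hr group.
# Assumption: each requested column arrives as
# input.action.filterResources[i].column with a columnName field.
batchColumnMasks contains {"index": i, "viewExpression": {"expression": "NULL"}} if {
    not user_in_hr
    some i
    col := input.action.filterResources[i].column
    col.columnName == "salary"
}

# Partially mask e-mail addresses for every user: keep the first character of
# the local part and the domain, e.g. alice@example.org -> a***@example.org.
# The expression is evaluated by Trino in the row context, so it may reference
# the column by name.
batchColumnMasks contains {"index": i, "viewExpression": {"expression": expr}} if {
    some i
    col := input.action.filterResources[i].column
    col.columnName == "email"
    expr := sprintf("regexp_replace(%s, '^(.).*@', '$1***@')", [col.columnName])
}
```

The index in each result refers back to the position of the column in input.action.filterResources, which is how Trino matches a mask to the column it asked about.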