-
Hello everyone!
After downgrading my version to 414 and 23.7 all catalogs were restored
Maybe I use wrong version of some operators? |
Beta Was this translation helpful? Give feedback.
Replies: 9 comments
-
auth param:
Opa version - 0.57.0 with 0.0.0-dev
|
Beta Was this translation helpful? Give feedback.
-
Hi @dshershov , can you see any errors about failed reconciliation for TrinoCatalog objects in the Trino Operator's log? |
Beta Was this translation helpful? Give feedback.
-
Never mind, I managed to recreate the issue and at least for me there are no log messages :) |
Beta Was this translation helpful? Give feedback.
-
I have not made much progress on this tbh - I can see Trino loading stuff for the catalogs in the log, so they are there ... I suspect this is to do with the switch to a new authorizer that happened for the 428 image. I'll talk to @maltesander tomorrow, who made that change. Maybe he has an idea. |
Beta Was this translation helpful? Give feedback.
-
Hi @dshershov! I have not tested it, but seems to me like the catalogs are loaded, but you are missing the permissions to access them. You can see the OPA rules used in integration-tests here.
|
Beta Was this translation helpful? Give feedback.
-
@sbernauer |
Beta Was this translation helpful? Give feedback.
-
You can also read on the details in the PR from Pablo: https://github.com/bloomberg/trino/blob/add-open-policy-agent/plugin/trino-opa/README.md#batch-mode |
Beta Was this translation helpful? Give feedback.
-
Added clarification in the docs here stackabletech/trino-operator#494 |
Beta Was this translation helpful? Give feedback.
-
Awesome! thanks! |
Beta Was this translation helpful? Give feedback.
Hi @dshershov!
I have not tested it, but seems to me like the catalogs are loaded, but you are missing the permissions to access them.
The new authorizer does not only have a simple check "can user foo do bar?", but also an batched API, which sends an array of (catalogs/schemas/tables) to OPA and gets a yes/no for each entry. All of that with a single OPA API call, so we can save round-trips.
You can see the OPA rules used in integration-tests here.
I guess you are missing something like