Skip to content

Always provision required Stackable Trino policies e.g. for graceful shutdown #574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sbernauer opened this issue Apr 19, 2024 · 0 comments
Closed

Always provision required Stackable Trino policies e.g. for graceful shutdown #574

sbernauer opened this issue Apr 19, 2024 · 0 comments
Labels
size/S

Comments

@sbernauer
Copy link
Member

sbernauer commented Apr 19, 2024
edited
Loading

Relevant Slack discussion

We want to provision some policies by Stackable and merge the user-provided ones on top.
This is needed e.g. for graceful shutdown, where the user admin needs the permission to initiate a graceful shutdown of workers. If the users does not allow this, graceful shutdown is broken.

We don't want to rely only on documentation ("Please allow this, please allow that" sprinkled all over the documentation), but instead make some assumptions and hard-roll those roles. E.g. we know that a.) graceful shutdown is always used b.) It's always the user admin issuing the graceful shutdown.

So the plan is something like

stackable_default_policies := { "system_information": [{"user": "admin", "allow": ["read", "write"]}], ... }

user_provided_policies := data.trino_policies.policies

policies := stackable_default_policies.union(user_provided_policies)

The Stackable default policies can be easily documented. Changes in various places in our code cannot.

If there are problematic edge cases with union then we can create our own merge function. This wouldn't be too hard because we know exactly how the structure of policies looks like.

### Tasks
- [x] https://github.com/stackabletech/trino-operator/pull/573 is updated with what we implemented and merged
- [x] The end-to-end-security is checked for graceful shutdown. It is updated to pull in the new rego rules -> https://github.com/stackabletech/demos/pull/41
@sbernauer sbernauer mentioned this issue Apr 19, 2024
Draft
@sbernauer sbernauer moved this to Ready for Development in Stackable Engineering Apr 19, 2024
@siegfriedweber siegfriedweber self-assigned this Apr 19, 2024
@siegfriedweber siegfriedweber moved this from Ready for Development to Development: Waiting for Review in Stackable Engineering Apr 19, 2024
@siegfriedweber siegfriedweber mentioned this issue Apr 19, 2024
Merged
@siegfriedweber siegfriedweber moved this from Development: Waiting for Review to Development: In Progress in Stackable Engineering Apr 19, 2024
@siegfriedweber siegfriedweber removed their assignment Apr 19, 2024
@sbernauer sbernauer moved this from Development: In Progress to Development: In Review in Stackable Engineering Apr 22, 2024
This was referenced Apr 23, 2024
Merged
Merged
@sbernauer sbernauer moved this from Development: In Review to Development: Done in Stackable Engineering Apr 24, 2024
@lfrancke lfrancke moved this from Development: Done to Done in Stackable Engineering Apr 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
size/S
Projects
Stackable Engineering
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@siegfriedweber @sbernauer