From f9aa9c19f3a185145f72e42c62b4ad32cb349745 Mon Sep 17 00:00:00 2001
From: Maxi Wittich
Date: Thu, 23 Jan 2025 14:44:12 +0100
Subject: [PATCH 1/3] Updating opa to 1.0.0
---
 stacks/end-to-end-security/opa.yaml | 2 +-
 stacks/keycloak-opa-poc/opa.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/stacks/end-to-end-security/opa.yaml b/stacks/end-to-end-security/opa.yaml
index 371966e0..b91e4f03 100644
--- a/stacks/end-to-end-security/opa.yaml
+++ b/stacks/end-to-end-security/opa.yaml
@@ -5,7 +5,7 @@ metadata:
 name: opa
 spec:
 image:
- productVersion: 0.67.1
+ productVersion: 1.0.0
 clusterConfig:
 userInfo:
 backend:
diff --git a/stacks/keycloak-opa-poc/opa.yaml b/stacks/keycloak-opa-poc/opa.yaml
index bcd2919f..ed7282b0 100644
--- a/stacks/keycloak-opa-poc/opa.yaml
+++ b/stacks/keycloak-opa-poc/opa.yaml
@@ -5,7 +5,7 @@ metadata:
 name: opa
 spec:
 image:
- productVersion: 0.67.1
+ productVersion: 1.0.0
 servers:
 roleGroups:
 default: {}
From 93315f9f448bd82280896585a8c9a62049693a51 Mon Sep 17 00:00:00 2001
From: Maxi Wittich
Date: Fri, 24 Jan 2025 11:00:29 +0100
Subject: [PATCH 2/3] Addressing feedback
---
 stacks/data-lakehouse-iceberg-trino-spark/trino.yaml | 2 +-
 stacks/dual-hive-hdfs-s3/trino.yaml | 2 +-
 stacks/trino-iceberg/trino.yaml | 2 +-
 stacks/trino-superset-s3/trino.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml b/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml
index 6ba799fd..3f3aa38a 100644
--- a/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml
+++ b/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml
@@ -114,7 +114,7 @@ metadata:
 name: opa
 spec:
 image:
- productVersion: 0.67.1
+ productVersion: 1.0.0
 servers:
 roleGroups:
 default: {}
diff --git a/stacks/dual-hive-hdfs-s3/trino.yaml b/stacks/dual-hive-hdfs-s3/trino.yaml
index 08936df3..b47988a6 100644
--- a/stacks/dual-hive-hdfs-s3/trino.yaml
+++ b/stacks/dual-hive-hdfs-s3/trino.yaml
@@ -86,7 +86,7 @@ metadata: name: opa spec: image: - productVersion: 0.67.1 + productVersion: 1.0.0 servers: roleGroups: default: diff --git a/stacks/trino-iceberg/trino.yaml b/stacks/trino-iceberg/trino.yaml index b826b798..bc3ff14e 100644 --- a/stacks/trino-iceberg/trino.yaml +++ b/stacks/trino-iceberg/trino.yaml @@ -99,7 +99,7 @@ metadata: name: opa spec: image: - productVersion: 0.67.1 + productVersion: 1.0.0 servers: roleGroups: default: diff --git a/stacks/trino-superset-s3/trino.yaml b/stacks/trino-superset-s3/trino.yaml index 04a61a7e..9b1591b9 100644 --- a/stacks/trino-superset-s3/trino.yaml +++ b/stacks/trino-superset-s3/trino.yaml @@ -71,7 +71,7 @@ metadata: name: opa spec: image: - productVersion: 0.67.1 + productVersion: 1.0.0 servers: roleGroups: default: {} From d6667ca263fd24470803a862c439d377f0f17e0a Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Fri, 24 Jan 2025 11:04:58 +0100 Subject: [PATCH 3/3] Removing import rego.V1 --- docs/modules/demos/pages/end-to-end-security.adoc | 4 ---- stacks/data-lakehouse-iceberg-trino-spark/trino.yaml | 2 -- stacks/dual-hive-hdfs-s3/trino.yaml | 2 -- stacks/end-to-end-security/hdfs-regorules.yaml | 2 -- stacks/end-to-end-security/trino-policies.yaml | 2 -- stacks/end-to-end-security/trino-regorules.yaml | 10 ---------- stacks/keycloak-opa-poc/policies.yaml | 2 -- stacks/trino-iceberg/trino.yaml | 2 -- stacks/trino-superset-s3/trino.yaml | 2 -- 9 files changed, 28 deletions(-) diff --git a/docs/modules/demos/pages/end-to-end-security.adoc b/docs/modules/demos/pages/end-to-end-security.adoc index 63f011e6..e9ef9c9b 100644 --- a/docs/modules/demos/pages/end-to-end-security.adoc +++ b/docs/modules/demos/pages/end-to-end-security.adoc @@ -227,8 +227,6 @@ The ACLs configuring this behavior (written with the {rego}[Rego language]) on t ---- package trino_policies -import rego.v1 - policies := { "tables": [ { 
@@ -270,8 +268,6 @@ The Rego rule for this behavior looks like this (again a snippet from the {trino ---- package trino_policies -import rego.v1 - policies := { "tables": [ { diff --git a/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml b/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml index 3f3aa38a..1a75987d 100644 --- a/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml +++ b/stacks/data-lakehouse-iceberg-trino-spark/trino.yaml @@ -129,8 +129,6 @@ data: trino.rego: | package trino - import rego.v1 - default allow = false # Allow non-batched access diff --git a/stacks/dual-hive-hdfs-s3/trino.yaml b/stacks/dual-hive-hdfs-s3/trino.yaml index b47988a6..8b38a9f7 100644 --- a/stacks/dual-hive-hdfs-s3/trino.yaml +++ b/stacks/dual-hive-hdfs-s3/trino.yaml @@ -102,8 +102,6 @@ data: trino.rego: | package trino - import rego.v1 - default allow = false # Allow non-batched access diff --git a/stacks/end-to-end-security/hdfs-regorules.yaml b/stacks/end-to-end-security/hdfs-regorules.yaml index 6ee70e11..9736e6d6 100644 --- a/stacks/end-to-end-security/hdfs-regorules.yaml +++ b/stacks/end-to-end-security/hdfs-regorules.yaml @@ -9,8 +9,6 @@ data: hdfs.rego: | package hdfs - import rego.v1 - default allow := false default matches_identity(identity) := false diff --git a/stacks/end-to-end-security/trino-policies.yaml b/stacks/end-to-end-security/trino-policies.yaml index bb5df220..58f35054 100644 --- a/stacks/end-to-end-security/trino-policies.yaml +++ b/stacks/end-to-end-security/trino-policies.yaml @@ -9,8 +9,6 @@ data: trino_policies.rego: | package trino_policies - import rego.v1 - policies := { "catalogs": [ # Needed to bootstrap schemas and tables diff --git a/stacks/end-to-end-security/trino-regorules.yaml b/stacks/end-to-end-security/trino-regorules.yaml index 4a1afd9f..a1d68a2a 100644 --- a/stacks/end-to-end-security/trino-regorules.yaml +++ b/stacks/end-to-end-security/trino-regorules.yaml 
@@ -11,7 +11,6 @@ data: package trino import data.util - import rego.v1 # This file contains functions to determine the actual permissions # defined in the Trino policies for the given user and requested @@ -36,7 +35,6 @@ data: # # Example: # package trino_policies - # import rego.v1 # extra_groups := groups if { # request := { # "method": "POST", @@ -579,7 +577,6 @@ data: package trino import data.util - import rego.v1 # The final policies are a combination of policies offered by Stackable, # policies provided externally, and default policies. @@ -596,7 +593,6 @@ data: # # Example: # package trino_policies - # import rego.v1 # policies := { # "catalogs": [ # { @@ -757,8 +753,6 @@ data: requested_permissions.rego: | package trino - import rego.v1 - # This file contains the requested_permissions rule which returns a set # of required permissions for the given operation including the # requested resource. Operations with the same set of required @@ -1439,8 +1433,6 @@ data: # - data.trino_policies.policies: schema.policies package trino - import rego.v1 - # METADATA # description: | # Entry point for OPA policies, configured in the Trino property @@ -1780,8 +1772,6 @@ data: # description: Utility package which extends the built-in functions package util - import rego.v1 - # METADATA # description: | # Matches the entire string against a regular expression. diff --git a/stacks/keycloak-opa-poc/policies.yaml b/stacks/keycloak-opa-poc/policies.yaml index cfaeb799..a43a3803 100644 --- a/stacks/keycloak-opa-poc/policies.yaml +++ b/stacks/keycloak-opa-poc/policies.yaml @@ -8,7 +8,6 @@ metadata: data: trino.rego: | package trino - import rego.v1 default allow = false @@ -31,7 +30,6 @@ data: druid.rego: | package druid import data.bundles.opagroups.admins - import rego.v1 default allow = false diff --git a/stacks/trino-iceberg/trino.yaml b/stacks/trino-iceberg/trino.yaml index bc3ff14e..d5ed2791 100644 --- a/stacks/trino-iceberg/trino.yaml 
+++ b/stacks/trino-iceberg/trino.yaml @@ -115,8 +115,6 @@ data: trino.rego: | package trino - import rego.v1 - default allow = false # Allow non-batched access diff --git a/stacks/trino-superset-s3/trino.yaml b/stacks/trino-superset-s3/trino.yaml index 9b1591b9..378a2f4d 100644 --- a/stacks/trino-superset-s3/trino.yaml +++ b/stacks/trino-superset-s3/trino.yaml @@ -86,8 +86,6 @@ data: trino.rego: | package trino - import rego.v1 - default allow = false # Allow non-batched access