Clarify docs for multiple access controls #24549

27 changes: 23 additions & 4 deletions docs/src/main/sphinx/security/built-in-system-access-control.md
@@ -13,10 +13,29 @@ cluster nodes:
access-control.name=allow-all
```

Multiple system access control implementations may be configured at once
using the `access-control.config-files` configuration property. It should
contain a comma separated list of the access control property files to use
(rather than the default `etc/access-control.properties`).
(multiple-access-control)=
## Multiple access control systems

Multiple system access control implementations may be configured at once using
the `access-control.config-files` configuration property. It must contain a
comma-separated list of the access control property files to use, rather than
the default `etc/access-control.properties`. Relative paths from the Trino
`INSTALL_PATH` or absolute paths are supported.

The configured access control systems are used in order until access rights are
Member Author:
I am not sure about this... Also, it would be good to explain more with an example.

Contributor:
I believe this is true, but ordering shouldn't matter. Each access control is independent from the others.

either granted or denied, and must use different types. Each system is
Contributor:
This is actually "access is granted if none of the access controls denies it" - or: all access controls must allow. But if there are no access controls at all, all access is allowed. That's at the engine level (which is of interest here) and not to be confused with how each individual access control works.

Contributor:
Not sure what you mean by "different types"?

configured in a separate configuration file.

For example, you can combine `file` access control and `ranger`
access control with the two separate configuration files `file-based.properties`
and `ranger.properties`, but you can not use two separate file-based access
control configurations.

```properties
access-control.config-files=etc/file-based.properties,etc/ranger.properties
```

## Available access control systems

Trino offers the following built-in system access control implementations:

13 changes: 2 additions & 11 deletions docs/src/main/sphinx/security/opa-access-control.md
@@ -23,17 +23,8 @@ access-control.name=opa
opa.policy.uri=https://opa.example.com/v1/data/trino/allow
```

To combine OPA access control with file-based or other access control systems,
configure multiple access control configuration file paths in
`etc/config.properties`:

```properties
access-control.config-files=etc/trino/file-based.properties,etc/trino/opa.properties
```

Order the configuration files list in the desired order of the different systems
for overall access control. Configure each access-control system in the
specified files.
To combine OPA access control with file-based or other access control
systems, follow the instructions about [](multiple-access-control).

The following table lists the configuration properties for the OPA access control:
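Review bot: The removed paragraph was the only statement on this page of which file holds `access-control.config-files` (it named `etc/config.properties`); the replacement sentence defers entirely to [](multiple-access-control), so that target section needs to name the file, otherwise an OPA reader following the link no longer learns where the property goes. Also worth confirming that the `(multiple-access-control)=` label is defined in the same change, so the empty-text cross-reference resolves instead of producing a build warning.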

12 changes: 1 addition & 11 deletions docs/src/main/sphinx/security/ranger-access-control.md
@@ -25,17 +25,7 @@ access-control.name=ranger
```

To combine Ranger access control with file-based or other access control
systems, create the file `etc/access-control.properties` on the coordinator,
with the following configuration that lists multiple access control
configuration file paths:

```properties
access-control.config-files=etc/trino/file-based.properties,etc/trino/ranger.properties
```

Order the configuration files list in the desired order of the different systems
for overall access control. Configure each access-control system in the
specified files.
systems, follow the instructions about [](multiple-access-control).

The following table lists the configuration properties for the Ranger access control:
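Review bot: The removed Ranger text told readers to put `access-control.config-files` in `etc/access-control.properties` on the coordinator, whereas the OPA page's removed text named `etc/config.properties`; replacing both with a link to [](multiple-access-control) resolves that contradiction only if the central section states which file is correct and that the setting is made on the coordinator, and the new central text does not currently say either. Suggest adding both facts to the target section rather than letting them disappear with this deletion.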
