diff --git a/stacks/end-to-end-security/hive-metastore-regorules.yaml b/stacks/end-to-end-security/hive-metastore-regorules.yaml
new file mode 100644
index 00000000..86c73e4b
--- /dev/null
+++ b/stacks/end-to-end-security/hive-metastore-regorules.yaml
@@ -0,0 +1,72 @@
+---
+# {% raw %}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: hive-metastore-regorules
+ labels:
+ opa.stackable.tech/bundle: "true"
+data:
+ hive-metastore.rego: |
+ package hive_iceberg
+
+ trino_user := "trino"
+ spark_user := "spark"
+ customer_analytics_db := "customer_analytics"
+ compliance_analytics_db := "compliance_analytics"
+
+ default database_allow = false
+ default table_allow = false
+ default column_allow = false
+ default partition_allow = false
+ default user_allow = false
+
+ ### SPARK ###
+ # These rules are tailored for the create-spark-report job.
+
+ # Allow the spark user access to the 'customer_analytics_db'
+ database_allow if {
+ input.identity.username == spark_user
+ input.resources.database.name == customer_analytics_db
+ }
+
+ # Allow the 'SELECT * FROM lakehouse.customer_analytics.customer' query in create-spark-report
+ table_allow if {
+ input.identity.username == spark_user
+ input.resources.table.dbName == customer_analytics_db
+ input.resources.table.tableName == "customer"
+ input.privileges.readRequiredPriv[0].priv == "SELECT"
+ }
+
+ # Allow the 'CREATE TABLE IF NOT EXISTS lakehouse.customer_analytics.spark_report AS SELECT c_birth_country, count(*) FROM ..'
+ # query in create-spark-report
+ table_allow if {
+ input.identity.username == spark_user
+ input.resources.table.dbName == customer_analytics_db
+ input.resources.table.tableName == "spark_report"
+ input.privileges.writeRequiredPriv[0].priv == "CREATE"
+ }
+
+ ### TRINO ###
+ # We allow everything here for the technical trino user in order to still do data exploration
+ database_allow if {
+ input.identity.username == trino_user
+ }
+
+ table_allow if {
+ input.identity.username == trino_user
+ }
+
+ column_allow if {
+ input.identity.username == trino_user
+ }
+
+ partition_allow if {
+ input.identity.username == trino_user
+ }
+
+ user_allow if {
+ input.identity.username == trino_user
+ }
+
+# {% endraw %}
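Review bot: The two spark `table_allow` rules inspect only the first element of a single privilege list (`input.privileges.readRequiredPriv[0].priv == "SELECT"` for `customer`, `input.privileges.writeRequiredPriv[0].priv == "CREATE"` for `spark_report`) and never look at the other list, so — assuming the metastore authorizer can put several entries, or entries in both lists, into one request — an operation that needs SELECT plus a write privilege on `customer`, or CREATE plus further write privileges on `spark_report`, would still be allowed. Tighten each rule to require that every requested privilege is the expected one and that the other list is empty, e.g. for the `customer` rule `every p in input.privileges.readRequiredPriv { p.priv == "SELECT" }` and `not input.privileges.writeRequiredPriv[_]`, mirrored with CREATE/readRequiredPriv for `spark_report`. The policy already relies on the `if` keyword without an import, so `every` should be available on the same OPA version; if it is not, add `import rego.v1` under the `package` line. Unrelated but worth cleaning up: `compliance_analytics_db` is declared and never referenced by any rule.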
diff --git a/stacks/end-to-end-security/hive-metastore.yaml b/stacks/end-to-end-security/hive-metastore.yaml
index e1c08899..a15b9962 100644
--- a/stacks/end-to-end-security/hive-metastore.yaml
+++ b/stacks/end-to-end-security/hive-metastore.yaml
@@ -7,6 +7,10 @@ spec:
 image:
 productVersion: 4.0.0
 clusterConfig:
+ authorization:
+ opa:
+ configMapName: opa
+ package: hive_iceberg
 database:
 connString: jdbc:postgresql://postgresql-hive-iceberg:5432/hive
 credentialsSecret: postgres-credentials
diff --git a/stacks/end-to-end-security/opa.yaml b/stacks/end-to-end-security/opa.yaml
index cb8bd725..ec46fd74 100644
--- a/stacks/end-to-end-security/opa.yaml
+++ b/stacks/end-to-end-security/opa.yaml
@@ -25,6 +25,10 @@ spec:
 logging:
 containers:
 opa:
+ console:
+ level: INFO
+ file:
+ level: INFO
 loggers:
 decision:
 level: INFO
diff --git a/stacks/stacks-v2.yaml b/stacks/stacks-v2.yaml
index 508753a1..3702de14 100644
--- a/stacks/stacks-v2.yaml
+++ b/stacks/stacks-v2.yaml
@@ -589,6 +589,7 @@ stacks:
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hdfs.yaml
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hdfs-regorules.yaml
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hive-metastore.yaml
+ - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hive-metastore-regorules.yaml
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino.yaml
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino-regorules.yaml
 - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino-policies.yaml
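Review bot: The new `authorization.opa` block in hive-metastore.yaml switches the metastore to policy enforcement without saying where the policy lives or what happens to identities it does not name; a comment above `authorization:` would spare the next reader a search, e.g. `# Decisions come from the hive_iceberg package in hive-metastore-regorules.yaml; every *_allow rule there defaults to false, so any user not listed is denied.` The `package` value has to match the rego's `package` line exactly, and a mismatch fails closed — the safe direction, but hard to diagnose without that cross-reference. The enclosing `spec`/`clusterConfig` mapping continues outside the hunk.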