e2e-security: enable OPA for hive

stacks/end-to-end-security/hive-metastore-regorules.yaml

@@ -0,0 +1,72 @@
+---
+# {% raw %}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hive-metastore-regorules
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  hive-metastore.rego: |
+    package hive_iceberg
+
+    trino_user := "trino"
+    spark_user := "spark"
+    customer_analytics_db := "customer_analytics"
+    compliance_analytics_db := "compliance_analytics"
+
+    default database_allow = false
+    default table_allow = false
+    default column_allow = false
+    default partition_allow = false
+    default user_allow = false
+
+    ### SPARK ###
+    # These rules are tailored for the create-spark-report job.
+
+    # Allow the spark user access to the 'customer_analytics_db'
+    database_allow if {
+      input.identity.username == spark_user
+      input.resources.database.name == customer_analytics_db
+    }
+
+    # Allow the 'SELECT * FROM lakehouse.customer_analytics.customer' query in create-spark-report
+    table_allow if {
+      input.identity.username == spark_user
+      input.resources.table.dbName == customer_analytics_db
+      input.resources.table.tableName == "customer"
+      input.privileges.readRequiredPriv[0].priv == "SELECT"
+    }
+
+    # Allow the 'CREATE TABLE IF NOT EXISTS lakehouse.customer_analytics.spark_report AS SELECT c_birth_country, count(*) FROM ..'
+    # query in create-spark-report
+    table_allow if {
+      input.identity.username == spark_user
+      input.resources.table.dbName == customer_analytics_db
+      input.resources.table.tableName == "spark_report"
+      input.privileges.writeRequiredPriv[0].priv == "CREATE"
+    }
+
+    ### TRINO ###
+    # We allow everything here for the technical trino user in order to still do data exploration
+    database_allow if {
+      input.identity.username == trino_user
+    }
+
+    table_allow if {
+      input.identity.username == trino_user
+    }
+
+    column_allow if {
+      input.identity.username == trino_user
+    }
+
+    partition_allow if {
+      input.identity.username == trino_user
+    }
+
+    user_allow if {
+      input.identity.username == trino_user
+    }
+
+# {% endraw %}

stacks/end-to-end-security/hive-metastore.yaml

@@ -7,6 +7,10 @@ spec:
   image:
     productVersion: 4.0.0
   clusterConfig:
+    authorization:
+      opa:
+        configMapName: opa
+        package: hive_iceberg
     database:
       connString: jdbc:postgresql://postgresql-hive-iceberg:5432/hive
       credentialsSecret: postgres-credentials

stacks/end-to-end-security/opa.yaml

@@ -25,6 +25,10 @@ spec:
       logging:
         containers:
           opa:
+            console:
+              level: INFO
+            file:
+              level: INFO
             loggers:
               decision:
                 level: INFO

stacks/stacks-v2.yaml

@@ -589,6 +589,7 @@ stacks:
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hdfs.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hdfs-regorules.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hive-metastore.yaml
+      - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/hive-metastore-regorules.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino-regorules.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/stacks/end-to-end-security/trino-policies.yaml