Commit 1489285

danyi1212, zeevmoney and orweis authored
Add Trino integration documentation and configuration options for PDP (#593)
* Add Trino integration documentation and configuration options for PDP
* Update Trino integration documentation with specific file paths and additional security guidance
* Apply suggestions from code review

Co-authored-by: Or Weis <[email protected]>

* improve trino docs

---------

Co-authored-by: Zeev Manilovich <[email protected]>
Co-authored-by: Or Weis <[email protected]>
Co-authored-by: Zeev Manilovich <[email protected]>
1 parent 6378ae6 commit 1489285

4 files changed, +406 -0 lines changed

docs/concepts/pdp/configuration.mdx

Lines changed: 25 additions & 0 deletions
@@ -291,6 +291,31 @@ Default: `False`
291291

292292
If true, the `/metrics` endpoint will be accessible without authentication.
293293

294+
#### PDP_ALLOW_UNAUTHENTICATED_TRINO
295+
296+
Default: `False`
297+
298+
Expose the Trino authorization endpoints without requiring PDP authentication. When enabled, clients can reach the Trino routes without presenting an API key.
299+
300+
:::warning Warning:
301+
Trino does not currently support passing an API key or credentials when calling external authorization endpoints.
302+
As a result, you must expose the PDP's Trino authorization routes (such as `/trino/allowed`, `/trino/row-filter`, `/trino/batch-column-masking`) without authentication, by setting `PDP_ALLOW_UNAUTHENTICATED_TRINO=True`.
303+
304+
Because these endpoints are unauthenticated, **do not expose your PDP** to the public internet or any untrusted networks.
305+
Always deploy the PDP behind a firewall or within a secure, trusted network accessible only by the Trino cluster.
306+
307+
For more information, follow the [Trino issue](https://github.com/trinodb/trino/issues/27022) on this topic.
308+
:::
309+
310+
#### PDP_TRINO_AUTHZ_CONFIG_PATH
311+
312+
Default: `/app/config/trino-authz.yaml`
313+
314+
Absolute path to the YAML file that defines Trino row filters and column masking policies loaded by the PDP.
315+
If the file is absent or fails to parse, the PDP starts without additional Trino authorization rules.
316+
317+
For more information, see the [Trino integration documentation](/integrations/database-access-control/trino-integration#pdp-trino-config-file).
318+
294319
#### PDP_LOCAL_FACTS_WAIT_TIMEOUT
295320

296321
Default: `10`
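
Review bot: In the `PDP_TRINO_AUTHZ_CONFIG_PATH` entry, the sentence "If the file is absent or fails to parse, the PDP starts without additional Trino authorization rules" describes fail-open behaviour without calling it out: a wrong path or a YAML syntax error means the row filters and column masking policies defined in that file are not loaded, and nothing in the text tells the operator how to notice. Suggest stating that consequence explicitly next to the sentence, and documenting what to check at startup to confirm the file was loaded (for example a log message, if the PDP emits one). Separately, the `PDP_ALLOW_UNAUTHENTICATED_TRINO` warning introduces the affected routes with "such as"; listing every route the flag exempts from authentication would let readers scope firewall or network-policy rules to exactly those paths, which is what the "do not expose your PDP" guidance relies on.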
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
{
2+
"label": "Database-level Authorization",
3+
"position": 1,
4+
"collapsed": false,
5+
"collapsible": true
6+
}
7+
