Skip to content

Setup for Access Management for Starburst Trino

Configure

Perform following steps to configure Starburst Trino plugin:

  1. SSH into the instance where Privacera Manager is installed.

  2. Run the following command to navigate to the /config directory and copy yml files:

    Bash
    1
2
    cd ~/privacera/privacera-manager/config
cp sample-vars/vars.trino.opensource.yml custom-vars/vars.trino.opensource.yml

  3. Modify the following properties:
    • Update the vars.trino.opensource.yml file as follows:
      YAML
      1
2
3
      TRINO_USER_HOME: "/home/starburst"
TRINO_INSTALL_DIR_NAME: "/usr/lib/starburst"
TRINO_CONFIG_DIR: "/etc/starburst"

  4. After configuring the properties, start the connector by executing the following instructions:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Copy Privacera Trino Plugin Configuration Files

  1. Run the following command to copy required configuration files:

    Bash
    1
2
3
4
5
    mkdir ~/privacera-starburst-trino-plugin
cd ~/privacera-starburst-trino-plugin

cp ~/privacera/privacera-manager/output/trino-opensource/privacera_trino_setup.sh ~/privacera-starburst-trino-plugin/
cp ~/privacera/privacera-manager/output/trino-opensource/privacera_trino_plugin_conf.zip ~/privacera-starburst-trino-plugin/

  2. Edit privacera_trino_setup.sh file to comment out wget and add curl command as shown below:

    Bash
    1
2
3
    #wget ${PRIVACERA_BASE_DOWNLOAD_URL}/${PRIVACERA_PKG_NAME} -O ${PRIVACERA_PKG_NAME}

curl ${PRIVACERA_BASE_DOWNLOAD_URL}/${PRIVACERA_PKG_NAME} -o ${PRIVACERA_PKG_NAME}

Create entrypoint.sh Script

  • Run the following command to create and edit entrypoint.sh file:

    Bash
    1
2
    cd ~/privacera-starburst-trino-plugin
vi entrypoint.sh

  • Add the following content in the entrypoint.sh file:

    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
    #!/bin/bash
set -eo pipefail
set -x

STARBURST_CONFIG_FILE="/etc/starburst/config.properties"

# Check if the file exists
if [ ! -e "$STARBURST_CONFIG_FILE" ]; then
    echo "File not found: $STARBURST_CONFIG_FILE"
    exit 1
fi

## Add below config in jvm.config to support Starburst Trino 459 and above versions
echo "# https://bugs.openjdk.org/browse/JDK-8327134" >> /etc/starburst/jvm.config
echo "-Djava.security.manager=allow" >> /etc/starburst/jvm.config

cd /home/starburst/

# Check if the coordinator node and install the plugin
if grep -q "^coordinator=true$" "$STARBURST_CONFIG_FILE"; then
    echo "It is a coordinator node, Installing trino plugin"
    ./privacera_trino_setup.sh
fi

# Start the trino server
/usr/lib/starburst/bin/run-starburst

set -- tail -f /dev/null
exec "$@"

Create Dockerfile

Create the file in the same directory as the entrypoint.sh script.

  • Run the following command to create and edit the Dockerfile:

    Bash
    1
2
3
    cd ~/privacera-starburst-trino-plugin

vi Dockerfile

  • Add the following content in the Dockerfile:

    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
    # Define starburst version
ARG SB_TRINO_VERSION=<SB_TRINO_VERSION>

# Use a base image to install necessary packages
FROM registry.access.redhat.com/ubi9/ubi AS downloader

# Install the necessary packages
RUN dnf install -y zip findutils

# starburst image
FROM harbor.starburstdata.net/starburstdata/starburst-enterprise:${SB_TRINO_VERSION}-e

# Switch to root user to install packages
USER root

## curl
COPY --from=downloader /usr/bin/curl /usr/bin/
COPY --from=downloader /usr/lib64/ /usr/lib64/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
RUN curl --version

## zip
COPY --from=downloader /usr/bin/zip /usr/bin/
RUN zip --version

## unzip
COPY --from=downloader /usr/bin/unzip /usr/bin/
RUN unzip

## gzip
COPY --from=downloader /usr/bin/gzip /usr/bin/
RUN gzip --version

## findutils
COPY --from=downloader /usr/bin/find /usr/bin/
COPY --from=downloader /usr/bin/xargs /usr/bin/
RUN find --version

## sed
COPY --from=downloader /usr/bin/sed /usr/bin/
RUN sed --version

## grep
COPY --from=downloader /usr/bin/grep /usr/bin/
RUN grep --version

## awk
COPY --from=downloader /usr/bin/awk /usr/bin/
RUN awk --version

RUN mkdir -p /var/log/trino/ && chown -R starburst:root /var/log/trino/

RUN mkdir -p /home/starburst/

# Copy Privacera Trino Plugin configuration and setup script
COPY privacera_trino_setup.sh /home/starburst/
COPY privacera_trino_plugin_conf.zip /home/starburst/

# Set permissions and ownership
RUN chown starburst:root -R /home/starburst/privacera_trino_setup.sh
RUN chown starburst:root -R /home/starburst/privacera_trino_plugin_conf.zip

RUN mkdir -p /etc/ranger 
RUN chown -R starburst:root /etc/ranger 

# Create entrypoint directory
RUN mkdir /entrypoint

# Copy the entrypoint script
COPY entrypoint.sh /entrypoint

# Set execute permissions for the entrypoint script
RUN chmod +x /entrypoint/entrypoint.sh

# Set the entrypoint
ENTRYPOINT ["/entrypoint/entrypoint.sh"]

USER starburst:root

Build the Docker Image

  • Run the following command to build the Docker image:
    Bash
    1
    docker build -t privacera-starburst-trino:latest .

Push the Docker Image to the Remote HUB

  • Use your internal HUB to publish the image.

Create a Namespace

  • Run the following command to create a namespace.
    Bash
    1
    kubectl create namespace <STARBURST_TRINO_NAMESPACE>

Create Starburst License File

  • Create a file containing Starburst license details, add the license key and save the file.
    Bash
    1
2
    cd ~/privacera-starburst-trino-plugin
vi starburstdata.license

Create Starburst License Secret

  • Run the following command to create a secret for Starburst license:
    Bash
    1
    kubectl create secret generic starburstlicense --from-file=starburstdata.license -n <STARBURST_TRINO_NAMESPACE>

Create Docker Image Secret

  • To create an image secret, run the following command:
    Bash
    1
2
3
4
5
    kubectl create secret docker-registry starburst-hub \
    --docker-server=harbor.starburstdata.net/starburstdata \
    --docker-username=<STARBURST_REPO_USER_NAME> \
    --docker-password=<STARBURST_REPO_PASSWORD> \
    -n <STARBURST_TRINO_NAMESPACE>

Verify the Secrets

  • To verify the secret, run the following command:
    Bash
    1
    kubectl get secrets -n <STARBURST_TRINO_NAMESPACE>

Create .yaml Deployment File to Override the Default Values

  • Run the following command to create and edit the values.yaml file:

    Bash
    1
2
    cd ~/privacera-starburst-trino-plugin
vi values.yaml

  • Add the following content in the values.yaml file:

    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    image:
    repository: <STARBURST_TRINO_IMAGE_REPOSITORY>
    pullPolicy: Always
    # Overrides the image tag whose default is the chart version.
    # Same value as Chart.yaml#appVersion
    tag: <STARBURST_TRINO_IMAGE_TAG>


imagePullSecrets:
- name: <STARBURST_TRINO_IMAGE_PULL_SECRET_NAME>

#license
starburstPlatformLicense: starburstlicense

worker:
  replicas: 1

  • (Optional) To enable Data Products use the following values.yaml

    Note

    Access control for Data Products is supported in Starburst Trino version 468 and later.

    values.yaml
    YAML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
    image:
  repository: <STARBURST_TRINO_IMAGE_REPOSITORY>
  pullPolicy: Always
  tag: <STARBURST_TRINO_IMAGE_TAG>

imagePullSecrets:
  - name: <STARBURST_TRINO_IMAGE_PULL_SECRET_NAME>

starburstPlatformLicense: starburstlicense

coordinator:
  additionalProperties: |
    # Enable HTTPS (required for Data Product)
    http-server.https.enabled=true
    http-server.https.port=8443

    http-server.authentication.type=PASSWORD

    internal-communication.https.required=true
    internal-communication.shared-secret=<INTERNAL_SHARED_SECRET>

    # Enable Data Product
    starburst.data-product.enabled=true
    data-product.starburst-jdbc-url=<STARBURST_JDBC_URL>
    data-product.starburst-user=<DATA_PRODUCT_USER>
    data-product.starburst-password=<DATA_PRODUCT_PASSWORD>

  etcFiles:
    properties:
      password-authenticator.properties: |
        password-authenticator.name=file

worker:
  replicas: 1
  additionalProperties: |
    http-server.https.enabled=true
    http-server.https.port=8443

    # Internal communication - Data Product - Prerequisites
    internal-communication.https.required=true
    internal-communication.shared-secret=<INTERNAL_SHARED_SECRET>

# Password authentication (required for Data Product)
userDatabase:
  enabled: true
  name: password.db
  users:
    - username: <DATA_PRODUCT_USER>
      password: <DATA_PRODUCT_PASSWORD>

Install Starburst Trino on Kubernetes Cluster

  1. Upgrade an existing Helm release or install it if not present using the chart, version, and values file.
    Bash
    1
2
3
4
5
    helm upgrade my-sep oci://harbor.starburstdata.net/starburstdata/charts/starburst-enterprise \
--version <SBT_VERSION_TAG> \
--install \
--values ./values.yaml \
--namespace <STARBURST_TRINO_NAMESPACE>