Setup for Access Management for Starburst Trino¶

Configure¶

Self ManagedPrivaceraCloud and Data Plane

Perform following steps to configure Starburst Trino plugin:

SSH into the instance where Privacera Manager is installed.

Run the following command to navigate to the /config directory and copy yml files:

Bash
cd ~/privacera/privacera-manager/config
cp sample-vars/vars.trino.opensource.yml custom-vars/vars.trino.opensource.yml

Modify the following properties:

Update the vars.trino.opensource.yml file as follows:

vars.trino.opensource.yml
TRINO_USER_HOME: "/home/starburst"
TRINO_INSTALL_DIR_NAME: "/usr/lib/starburst"
TRINO_CONFIG_DIR: "/etc/starburst"

After configuring the properties, start the connector by executing the following instructions:

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade 

Run the following command to run the post install steps:

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Copy Privacera Trino Plugin Configuration Files¶

Run the following command to copy required configuration files:

Bash
mkdir ~/privacera-starburst-trino-plugin
cd ~/privacera-starburst-trino-plugin

cp ~/privacera/privacera-manager/output/trino-opensource/privacera_trino_setup.sh ~/privacera-starburst-trino-plugin/
cp ~/privacera/privacera-manager/output/trino-opensource/privacera_trino_plugin_conf.zip ~/privacera-starburst-trino-plugin/

Create `entrypoint.sh` Script¶

Run the following command to create and edit entrypoint.sh file:
Bash
1 2
cd ~/privacera-starburst-trino-plugin vi entrypoint.sh

Add the following content in the entrypoint.sh file:

entrypoint.sh
#!/bin/bash
set -eo pipefail
set -x

STARBURST_CONFIG_FILE="/etc/starburst/config.properties"

# Check if the file exists
if [ ! -e "$STARBURST_CONFIG_FILE" ]; then
    echo "File not found: $STARBURST_CONFIG_FILE"
    exit 1
fi

## Add below config in jvm.config to support Starburst Trino 459 and above versions
echo "# https://bugs.openjdk.org/browse/JDK-8327134" >> /etc/starburst/jvm.config
echo "-Djava.security.manager=allow" >> /etc/starburst/jvm.config

cd /home/starburst/

# Check if the coordinator node and install the plugin
if grep -q "^coordinator=true$" "$STARBURST_CONFIG_FILE"; then
    echo "It is a coordinator node, Installing trino plugin"
    ./privacera_trino_setup.sh
fi

# Start the trino server
/usr/lib/starburst/bin/run-starburst

set -- tail -f /dev/null
exec "$@"

Create Dockerfile¶

Create the file in the same directory as the entrypoint.sh script.

Run the following command to create and edit the Dockerfile:

Bash
cd ~/privacera-starburst-trino-plugin

vi Dockerfile

Add the following content in the Dockerfile:

Dockerfile
# Define starburst version
ARG SB_TRINO_VERSION=<SB_TRINO_VERSION>

# Use a base image to install necessary packages
FROM registry.access.redhat.com/ubi9/ubi AS downloader

# Install the necessary packages
RUN dnf install -y zip findutils

# starburst image
FROM harbor.starburstdata.net/starburstdata/starburst-enterprise:${SB_TRINO_VERSION}-e

# Switch to root user to install packages
USER root

## curl
COPY --from=downloader /usr/bin/curl /usr/bin/
COPY --from=downloader /usr/lib64/ /usr/lib64/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
RUN curl --version

## zip
COPY --from=downloader /usr/bin/zip /usr/bin/
RUN zip --version

## unzip
COPY --from=downloader /usr/bin/unzip /usr/bin/
RUN unzip

## gzip
COPY --from=downloader /usr/bin/gzip /usr/bin/
RUN gzip --version

## findutils
COPY --from=downloader /usr/bin/find /usr/bin/
COPY --from=downloader /usr/bin/xargs /usr/bin/
RUN find --version

## sed
COPY --from=downloader /usr/bin/sed /usr/bin/
RUN sed --version

## grep
COPY --from=downloader /usr/bin/grep /usr/bin/
RUN grep --version

## awk
COPY --from=downloader /usr/bin/awk /usr/bin/
RUN awk --version

RUN mkdir -p /var/log/trino/ && chown -R starburst:root /var/log/trino/

RUN mkdir -p /home/starburst/

# Copy Privacera Trino Plugin configuration and setup script
COPY privacera_trino_setup.sh /home/starburst/
COPY privacera_trino_plugin_conf.zip /home/starburst/

# Set permissions and ownership
RUN chown starburst:root -R /home/starburst/privacera_trino_setup.sh
RUN chown starburst:root -R /home/starburst/privacera_trino_plugin_conf.zip

RUN mkdir -p /etc/ranger 
RUN chown -R starburst:root /etc/ranger 

# Create entrypoint directory
RUN mkdir /entrypoint

# Copy the entrypoint script
COPY entrypoint.sh /entrypoint

# Set execute permissions for the entrypoint script
RUN chmod +x /entrypoint/entrypoint.sh

# Set the entrypoint
ENTRYPOINT ["/entrypoint/entrypoint.sh"]

USER starburst:root

Enable Trino Application¶

In PrivaceraCloud, navigate to Settings -> Applications.
On the Applications screen, select Trino.
Enter the application Name and Click Save. You can choose any name, for example, Trino.
Enable the Access Management option with toggle button.
Click on Save button.

Create Entrypoint.sh Script¶

Run the following command to create and edit entrypoint.sh file:

Bash
mkdir ~/privacera-starburst-trino-plugin
cd ~/privacera-starburst-trino-plugin

vi entrypoint.sh

Add the following content in the entrypoint.sh file:

entrypoint.sh
#!/bin/bash
set -eo pipefail
set -x

STARBURST_CONFIG_FILE="/etc/starburst/config.properties"

# Check if the file exists
if [ ! -e "$STARBURST_CONFIG_FILE" ]; then
    echo "File not found: $STARBURST_CONFIG_FILE"
    exit 1
fi

## Add below config in jvm.config to support Starburst Trino 459 and above versions
echo "# https://bugs.openjdk.org/browse/JDK-8327134" >> /etc/starburst/jvm.config
echo "-Djava.security.manager=allow" >> /etc/starburst/jvm.config

cd /home/starburst/

# Check if the coordinator node and install the plugin
if grep -q "^coordinator=true$" "$STARBURST_CONFIG_FILE"; then
    echo "It is a coordinator node, Installing trino plugin"
    ./privacera_trino_setup.sh
fi

if /usr/lib/starburst/bin/launcher status --etc-dir /etc/starburst | grep -qi "running"; then
  echo "Starburst already running, not starting again."
  set -- tail -f /dev/null
  exec "$@"
fi

# Otherwise start normally
exec /usr/lib/starburst/bin/run-starburst

Create Dockerfile¶

Create the file in the same location as the entrypoint.sh script.

Run the following command to create and edit Dockerfile:

Bash
cd ~/privacera-starburst-trino-plugin

vi Dockerfile

Obtain the PCLOUD_PLUGIN_SCRIPT_URL, from PrivaceraCloud → Settings -> API Keys (Click on the icon, and you will see the option to copy the Plugins Setup Script URL).

Add the following content in the Dockerfile:

Dockerfile
# Define starburst version
ARG SB_TRINO_VERSION=<SB_TRINO_VERSION>

# Use a base image to install necessary packages
FROM registry.access.redhat.com/ubi9/ubi AS downloader

# Install the necessary packages
RUN dnf install -y zip findutils wget

# starburst image
FROM harbor.starburstdata.net/starburstdata/starburst-enterprise:${SB_TRINO_VERSION}-e

# Switch to root user to install packages
USER root

## Declare required environment variables

ENV PLUGIN_TYPE="trino"
ENV TRINO_HOME_FOLDER=/usr/lib/starburst
ENV TRINO_CONFIG_DIR=/etc/starburst

## URL to download the Privacera Trino Plugin setup script.
ARG PCLOUD_PLUGIN_SCRIPT_URL="<PCLOUD_PLUGIN_SCRIPT_URL>"

## curl
COPY --from=downloader /usr/bin/curl /usr/bin/
COPY --from=downloader /usr/lib64/ /usr/lib64/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
RUN curl --version

## zip
COPY --from=downloader /usr/bin/zip /usr/bin/
RUN zip --version

## unzip
COPY --from=downloader /usr/bin/unzip /usr/bin/
RUN unzip

## gzip
COPY --from=downloader /usr/bin/gzip /usr/bin/
RUN gzip --version

## findutils
COPY --from=downloader /usr/bin/find /usr/bin/
COPY --from=downloader /usr/bin/xargs /usr/bin/
RUN find --version

## sed
COPY --from=downloader /usr/bin/sed /usr/bin/
RUN sed --version

## grep
COPY --from=downloader /usr/bin/grep /usr/bin/
RUN grep --version

## awk
COPY --from=downloader /usr/bin/awk /usr/bin/
RUN awk --version

## wget
COPY --from=downloader /usr/bin/wget /usr/bin/
RUN wget --version

RUN mkdir -p /var/log/trino/ && chown -R starburst:root /var/log/trino/

RUN mkdir -p /home/starburst/

## Download Privacera Trino Plugin setup script
RUN curl -L ${PCLOUD_PLUGIN_SCRIPT_URL} -o /home/starburst/privacera_trino_setup.sh

# Set permissions and ownership
RUN chmod +x /home/starburst/privacera_trino_setup.sh
RUN chown starburst:root /home/starburst/privacera_trino_setup.sh

# Create ranger directory
RUN mkdir -p /etc/ranger
RUN chown -R starburst:root /etc/ranger

# Create entrypoint directory
RUN mkdir /entrypoint

# Copy the entrypoint script
COPY entrypoint.sh /entrypoint

# Set execute permissions for the entrypoint script
RUN chmod +x /entrypoint/entrypoint.sh

# Set the entrypoint
ENTRYPOINT ["/entrypoint/entrypoint.sh"]

USER starburst:root

Build the Docker Image¶

Run the following command to build the Docker image:

Bash
docker build -t privacera-starburst-trino:latest .

Push the Docker Image to the Remote HUB¶

Use your internal HUB to publish the image.

Create Starburst License File¶

Create a file containing Starburst license details, add the license key and save the file.
Bash
1 2
cd ~/privacera-starburst-trino-plugin vi starburstdata.license

Create a Namespace¶

Run the following command to create a namespace.

Bash
kubectl create namespace <STARBURST_TRINO_NAMESPACE>

Create Starburst License Secret¶

Run the following command to create a secret for Starburst license:

Bash
kubectl create secret generic starburstlicense --from-file=starburstdata.license -n <STARBURST_TRINO_NAMESPACE>

Create Docker Image Secret¶

To create an image secret, run the following command:

Bash
kubectl create secret docker-registry starburst-hub \
    --docker-server=harbor.starburstdata.net/starburstdata \
    --docker-username=<STARBURST_REPO_USER_NAME> \
    --docker-password=<STARBURST_REPO_PASSWORD> \
    -n <STARBURST_TRINO_NAMESPACE>

Verify the Secrets¶

To verify the secret, run the following command:

Bash
kubectl get secrets -n <STARBURST_TRINO_NAMESPACE>

Create `.yaml` Deployment File to Override the Default Values¶

Run the following command to create and edit the values.yaml file:
Bash
1 2
cd ~/privacera-starburst-trino-plugin vi values.yaml

Add the following content in the values.yaml file:

values.yaml
image:
    repository: <STARBURST_TRINO_IMAGE_REPOSITORY>
    pullPolicy: Always
    # Overrides the image tag whose default is the chart version.
    # Same value as Chart.yaml#appVersion
    tag: <STARBURST_TRINO_IMAGE_TAG>

imagePullSecrets:
- name: <STARBURST_TRINO_IMAGE_PULL_SECRET_NAME>

#license
starburstPlatformLicense: starburstlicense

worker:
  replicas: 1

(Optional) To enable Data Products use the following values.yaml

Note

Access control for Data Products is supported in Starburst Trino version 468 and later.

values.yaml

YAML
image:
  repository: <STARBURST_TRINO_IMAGE_REPOSITORY>
  pullPolicy: Always
  tag: <STARBURST_TRINO_IMAGE_TAG>

imagePullSecrets:
  - name: <STARBURST_TRINO_IMAGE_PULL_SECRET_NAME>

starburstPlatformLicense: starburstlicense

coordinator:
  additionalProperties: |
    # Enable HTTPS (required for Data Product)
    http-server.https.enabled=true
    http-server.https.port=8443

    http-server.authentication.type=PASSWORD

    internal-communication.https.required=true
    internal-communication.shared-secret=<INTERNAL_SHARED_SECRET>

    # Enable Data Product
    starburst.data-product.enabled=true
    data-product.starburst-jdbc-url=<STARBURST_JDBC_URL>
    data-product.starburst-user=<DATA_PRODUCT_USER>
    data-product.starburst-password=<DATA_PRODUCT_PASSWORD>

  etcFiles:
    properties:
      password-authenticator.properties: |
        password-authenticator.name=file

worker:
  replicas: 1
  additionalProperties: |
    http-server.https.enabled=true
    http-server.https.port=8443

    # Internal communication - Data Product - Prerequisites
    internal-communication.https.required=true
    internal-communication.shared-secret=<INTERNAL_SHARED_SECRET>

# Password authentication (required for Data Product)
userDatabase:
  enabled: true
  name: password.db
  users:
    - username: <DATA_PRODUCT_USER>
      password: <DATA_PRODUCT_PASSWORD>

Install Starburst Trino on Kubernetes Cluster¶

Upgrade an existing Helm release or install it if not present using the chart, version, and values file.

Bash
helm upgrade my-sep oci://harbor.starburstdata.net/starburstdata/charts/starburst-enterprise \
--version <SBT_VERSION_TAG> \
--install \
--values ./values.yaml \
--namespace <STARBURST_TRINO_NAMESPACE>

Prev topic: Connector Guide
Next topic: Advanced Configuration

Setup for Access Management for Starburst Trino¶

Configure¶

Copy Privacera Trino Plugin Configuration Files¶

Create entrypoint.sh Script¶

Create Dockerfile¶

Enable Trino Application¶

Create Entrypoint.sh Script¶

Create Dockerfile¶

Build the Docker Image¶

Push the Docker Image to the Remote HUB¶

Create Starburst License File¶

Create a Namespace¶

Create Starburst License Secret¶

Create Docker Image Secret¶

Verify the Secrets¶

Create .yaml Deployment File to Override the Default Values¶

Install Starburst Trino on Kubernetes Cluster¶

Create `entrypoint.sh` Script¶

Create `.yaml` Deployment File to Override the Default Values¶