Skip to content

Setup for Access Management for Trino

Configure

Perform following steps to configure Trino plugin:

  1. SSH into the instance where Privacera Manager is installed.

  2. Run the following command to navigate to the /config directory and copy yml files:

    Bash
    1
2
    cd ~/privacera/privacera-manager/config
cp sample-vars/vars.trino.opensource.yml custom-vars/vars.trino.opensource.yml

  3. Modify the following properties:
    • Update the vars.trino.opensource.yml file as follows:
      YAML
      1
2
3
      TRINO_USER_HOME: "/home/trino"
TRINO_INSTALL_DIR_NAME: "/usr/lib/trino"
TRINO_CONFIG_DIR: "/etc/trino"

  4. After configuring the properties, start the connector by executing the following instructions:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  5. Copy privacera_trino_setup.sh and privacera_trino_plugin_conf.zip to the same location as the Dockerfile.

  6. Edit privacera_trino_setup.sh file to comment out wget and add curl command as shown below:

    Bash
    1
2
3
    #wget ${PRIVACERA_BASE_DOWNLOAD_URL}/${PRIVACERA_PKG_NAME} -O ${PRIVACERA_PKG_NAME}

curl ${PRIVACERA_BASE_DOWNLOAD_URL}/${PRIVACERA_PKG_NAME} -o ${PRIVACERA_PKG_NAME}

Create Entrypoint.sh Script

  • Run the following command to create and edit entrypoint.sh file:

    Bash
    1
2
3
4
    mkdir ~/privacera-trino-plugin
cd ~/privacera-trino-plugin

vi entrypoint.sh

  • Add the following content in the entrypoint.sh file:

    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
    #!/bin/bash
set -eo pipefail

set -x

TRINO_CONFIG_FILE="/etc/trino/config.properties"
# Check if the file exists
if [ ! -e "$TRINO_CONFIG_FILE" ]; then
    echo "File not found: $TRINO_CONFIG_FILE"
    exit 1
fi

# Copy the config files from the mounted volume to the trino config directory
# except jvm.config (to support trino 459 and above)
find /trino_config/ -mindepth 1 ! -name 'jvm.config' -exec cp -r {} /etc/trino/ \;
cd /home/trino/

# Check if the coordinator node and install the plugin
if grep -q "^coordinator=true$" "$TRINO_CONFIG_FILE"; then
    echo "It is a coordinator node, Installing trino plugin"
    ./privacera_trino_setup.sh
fi

# Start the trino server
/usr/lib/trino/bin/run-trino

set -- tail -f /dev/null

exec "$@"

Create Dockerfile

Create the file in the same directory as the entrypoint.sh script.

  • Run the following command to create and edit the Dockerfile:
    Bash
    1
2
3
    cd ~/privacera-trino-plugin

vi Dockerfile
  • Add the following content in the Dockerfile:
    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
    # Define Trino version
ARG TRINO_VERSION=<trino_version>

# Use a base image to install necessary packages
FROM registry.access.redhat.com/ubi9/ubi:latest AS downloader

# Install the necessary packages
RUN dnf install -y zip findutils

# Trino base image
FROM trinodb/trino:${TRINO_VERSION}

# Set the user
USER root

## curl
COPY --from=downloader /usr/bin/curl /usr/bin/
COPY --from=downloader /usr/lib64/ /usr/lib64/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
RUN curl --version

## zip
COPY --from=downloader /usr/bin/zip /usr/bin/
RUN zip --version

## unzip
COPY --from=downloader /usr/bin/unzip /usr/bin/
RUN unzip

## gzip
COPY --from=downloader /usr/bin/gzip /usr/bin/
RUN gzip --version

## findutils
COPY --from=downloader /usr/bin/find /usr/bin/
COPY --from=downloader /usr/bin/xargs /usr/bin/
RUN find --version

## sed
COPY --from=downloader /usr/bin/sed /usr/bin/
RUN sed --version

## grep
COPY --from=downloader /usr/bin/grep /usr/bin/
RUN grep --version

## awk
COPY --from=downloader /usr/bin/awk /usr/bin/
RUN awk --version

# Copy Privacera Trino Plugin configuration and setup script
COPY privacera_trino_setup.sh /home/trino
COPY privacera_trino_plugin_conf.zip /home/trino

# Set permissions and ownership
RUN chmod +x /home/trino/privacera_trino_setup.sh
RUN chown trino:trino /home/trino/privacera_trino_setup.sh
RUN chown trino:trino /home/trino/privacera_trino_plugin_conf.zip

# Create ranger directory
RUN mkdir -p /etc/ranger
RUN chown -R trino:trino /etc/ranger

# Create entrypoint directory
RUN mkdir /entrypoint

# Copy the entrypoint script
COPY entrypoint.sh /entrypoint

# Set execute permissions for the entrypoint script
RUN chmod +x /entrypoint/entrypoint.sh

# Set the entrypoint
ENTRYPOINT ["/entrypoint/entrypoint.sh"]

# Set the user
USER trino:trino

Enable Trino Application

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Applications screen, select Trino.
  3. Enter the application Name and Click Save. You can choose any name, for example, Trino.
  4. Enable the Access Management option with toggle button.
  5. Click on Save button.

Create Entrypoint.sh Script

  • Run the following command to create and edit entrypoint.sh file:

    Bash
    1
2
3
4
    mkdir ~/privacera-trino-plugin
cd ~/privacera-trino-plugin

vi entrypoint.sh

  • Add the following content in the entrypoint.sh file:

    entrypoint.sh
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
    #!/bin/bash
set -eo pipefail

set -x

TRINO_CONFIG_FILE="/etc/trino/config.properties"
# Check if the file exists
if [ ! -e "$TRINO_CONFIG_FILE" ]; then
    echo "File not found: $TRINO_CONFIG_FILE"
    exit 1
fi

# Copy the config files from the mounted volume to the trino config directory
# except jvm.config (to support trino 459 and above)
find /trino_config/ -mindepth 1 ! -name 'jvm.config' -exec cp -r {} /etc/trino/ \;
cd /home/trino/

# Check if the coordinator node and install the plugin
if grep -q "^coordinator=true$" "$TRINO_CONFIG_FILE"; then
    echo "It is a coordinator node, Installing trino plugin"

    if [ -z "${PCLOUD_PLUGIN_SCRIPT_URL}" ]; then
        echo "ERROR: PCLOUD_PLUGIN_SCRIPT_URL is not set"
        exit 1
    fi

    curl -fSL "${PCLOUD_PLUGIN_SCRIPT_URL}" -o /home/trino/privacera_plugin.sh
    chmod +x /home/trino/privacera_plugin.sh

    ./privacera_plugin.sh
fi

# Start the trino server
if ! grep -q "^coordinator=true$" "$TRINO_CONFIG_FILE"; then
    /usr/lib/trino/bin/run-trino
fi

set -- tail -f /dev/null

exec "$@"

Create Dockerfile

Create the file in the same location as the entrypoint.sh script.

  • Run the following command to create and edit Dockerfile:

    Bash
    1
2
3
    cd ~/privacera-trino-plugin

vi Dockerfile

  • Add the following content in the Dockerfile:

    Dockerfile
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
    # Define Trino version
ARG TRINO_VERSION=<trino_version>

# Use a base image to install necessary packages
FROM registry.access.redhat.com/ubi9/ubi:latest AS downloader

# Install the necessary packages
RUN dnf install -y zip findutils wget

# Trino base image
FROM trinodb/trino:${TRINO_VERSION}

# Set the user
USER root

## Declare required environment variables
ENV PLUGIN_TYPE="trino"
ENV TRINO_HOME_FOLDER=/usr/lib/trino
ENV TRINO_CONFIG_DIR=/etc/trino

## curl
COPY --from=downloader /usr/bin/curl /usr/bin/
COPY --from=downloader /usr/lib64/ /usr/lib64/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/
COPY --from=downloader /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
RUN curl --version

## zip
COPY --from=downloader /usr/bin/zip /usr/bin/
RUN zip --version

## unzip
COPY --from=downloader /usr/bin/unzip /usr/bin/
RUN unzip

## gzip
COPY --from=downloader /usr/bin/gzip /usr/bin/
RUN gzip --version

## findutils
COPY --from=downloader /usr/bin/find /usr/bin/
COPY --from=downloader /usr/bin/xargs /usr/bin/
RUN find --version

## sed
COPY --from=downloader /usr/bin/sed /usr/bin/
RUN sed --version

## grep
COPY --from=downloader /usr/bin/grep /usr/bin/
RUN grep --version

## awk
COPY --from=downloader /usr/bin/awk /usr/bin/
RUN awk --version

## wget
COPY --from=downloader /usr/bin/wget /usr/bin/
RUN wget --version

# Create ranger directory
RUN mkdir -p /etc/ranger
RUN chown -R trino:trino /etc/ranger

# Create entrypoint directory
RUN mkdir /entrypoint

# Copy the entrypoint script
COPY entrypoint.sh /entrypoint

# Set execute permissions for the entrypoint script
RUN chmod +x /entrypoint/entrypoint.sh

# Set the entrypoint
ENTRYPOINT ["/entrypoint/entrypoint.sh"]

# Set the user
USER trino:trino

Build the Docker Image

  • Run the following command to build the Docker image:
    Bash
    1
    docker build -t privacera-trino:latest .

Push the Docker Image to the Remote Hub

  • Use your internal HUB to publish the image.

Create a Namespace

  • Run the following command to create a namespace.
    Bash
    1
    kubectl create namespace <TRINO_NAMESPACE>

Create Kubernetes secret

Applicable for PCloud based Trino deployment only

  • Obtain the PCLOUD_PLUGIN_SCRIPT_URL from PrivaceraCloudSettingsAPI Keys (click the ℹ️ icon to copy the Plugin Setup Script URL).
  • Create a Kubernetes secret for the Privacera plugin setup script URL. Run the following command:
    Bash
    1
2
    kubectl -n <TRINO_NAMESPACE> create secret generic privacera-api-key-secret \
--from-literal=PCLOUD_PLUGIN_SCRIPT_URL="<PCLOUD_PLUGIN_SCRIPT_URL>"

Create Docker Image Secret

  • To create an image secret, Use and run the command according to your requirements.

Add the Trino Helm Chart Repository

  • Run the following command to add the Trino Helm chart repository:
    Bash
    1
    helm repo add trino https://trinodb.github.io/charts/

Create YAML Deployment File to Override the Default Values

  • Run the following command to create and edit the values.yaml file:

    Bash
    1
2
3
    cd ~/privacera-trino-plugin

vi values.yaml

  • Add the following content to the values.yaml file based on deployment environment:

    values.yaml
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
    image:
    repository: <TRINO_IMAGE_REPOSITORY>
    pullPolicy: Always
    # Overrides the image tag whose default is the chart version.
    # Same value as Chart.yaml#appVersion
    tag: <TRINO_IMAGE_TAG>


# Optional
imagePullSecrets:
  - name: <TRINO_IMAGE_PULL_SECRET_NAME>

server:
  workers: 1
  config:
    path: /trino_config

service:
  host: "trino"
    values.yaml
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
    image:
    repository: <TRINO_IMAGE_REPOSITORY>
    pullPolicy: Always
    # Overrides the image tag whose default is the chart version.
    # Same value as Chart.yaml#appVersion
    tag: <TRINO_IMAGE_TAG>


# Optional
imagePullSecrets:
  - name: <TRINO_IMAGE_PULL_SECRET_NAME>

env:
  - name: PCLOUD_PLUGIN_SCRIPT_URL
    valueFrom:
      secretKeyRef:
        name: privacera-api-key-secret
        key: PCLOUD_PLUGIN_SCRIPT_URL

server:
  workers: 1
  config:
    path: /trino_config

service:
  host: "trino"

Install Trino on Kubernetes Cluster

  • Run the following command to install Trino on the Kubernetes cluster:
    Bash
    1
    helm install -f values.yaml privacera-trino-cluster trino/trino --namespace=<TRINO_NAMESPACE>