When Trino uses OPA for authorization, a single Trino query can generate multiple decision requests to OPA. This makes it difficult to trace which specific Trino query is responsible for a particular OPA decision log entry, hindering debugging and auditing efforts.
We propose enhancing the OPA integration to capture the Trino queryId from the security context, which is available during query lifecycle operations. This queryId should then be consistently included in the decision logs generated by OPA.
This change will significantly improve traceability by directly linking OPA decisions to their originating Trino queries. It will simplify the process of identifying queries that trigger specific authorisation outcomes, aiding in faster troubleshooting and providing a clearer audit trail for security analysis.
Here's a relevant PR - #25769
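The following is an added example, not part of the original issue or of the Trino or OPA code bases. It shows the audit workflow the request would enable: grouping OPA decision log entries by originating query and listing the queries that had an operation denied. The log lines are constructed, and `input.context.queryId` is an assumed location for the proposed field.

```python
import json
from collections import defaultdict

# Constructed sample decision log lines (one JSON object per line).
# decision_id, path, input and result are standard OPA decision log fields;
# input.context.queryId is an ASSUMED location for the proposed field.
SAMPLE_LOG = """\
{"decision_id": "d-1", "path": "trino/allow", "input": {"context": {"identity": {"user": "alice"}, "queryId": "20250101_000001_00001_abcde"}, "action": {"operation": "ExecuteQuery"}}, "result": true}
{"decision_id": "d-2", "path": "trino/allow", "input": {"context": {"identity": {"user": "alice"}, "queryId": "20250101_000001_00001_abcde"}, "action": {"operation": "AccessCatalog"}}, "result": true}
{"decision_id": "d-3", "path": "trino/allow", "input": {"context": {"identity": {"user": "alice"}, "queryId": "20250101_000001_00001_abcde"}, "action": {"operation": "SelectFromColumns"}}, "result": false}
{"decision_id": "d-4", "path": "trino/allow", "input": {"context": {"identity": {"user": "bob"}, "queryId": "20250101_000002_00002_fghij"}, "action": {"operation": "ExecuteQuery"}}, "result": true}
{"decision_id": "d-5", "path": "trino/allow", "input": {"context": {"identity": {"user": "carol"}}, "action": {"operation": "FilterCatalogs"}}, "result": true}
{"decision_id": "d-6", "input": {"context"
"""
UNKNOWN = "<no queryId>"  # bucket for entries logged without the field


def group_by_query(log_text):
    """Return {queryId: [(decision_id, operation, allowed), ...]}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(entry, dict):
            continue
        inp = entry.get("input") or {}
        query_id = (inp.get("context") or {}).get("queryId", UNKNOWN)
        operation = (inp.get("action") or {}).get("operation", "?")
        # Anything other than an explicit true (false, missing result) counts as a deny.
        allowed = entry.get("result") is True
        groups[query_id].append((entry.get("decision_id"), operation, allowed))
    return dict(groups)


def denied_queries(groups):
    """Return {queryId: [denied operations]} for queries with at least one deny."""
    denied = {}
    for query_id, decisions in groups.items():
        ops = [op for _, op, allowed in decisions if not allowed]
        if ops:
            denied[query_id] = ops
    return denied


if __name__ == "__main__":
    for qid, ops in denied_queries(group_by_query(SAMPLE_LOG)).items():
        print(f"{qid}: denied {', '.join(ops)}")
```

Entries that land in the `<no queryId>` bucket are the ones that cannot be attributed to a query, which is the gap the issue describes.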