Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support filters to protect Trino endpoints #591

Open
vishalya opened this issue Jan 16, 2025 · 1 comment
Open

Support filters to protect Trino endpoints #591

vishalya opened this issue Jan 16, 2025 · 1 comment

Comments

@vishalya
Copy link
Member

Overview
The goal is to add a flexible and customizable security layer to Trino endpoints by allowing developers to define and apply
multiple filters to incoming requests. This will enable additional protection for Trino services exposed over the internet.

Filtering Mechanism

  1. Provider Module: Create a separate module responsible for dynamically loading filter providers. Each provider will be
    responsible for creating instances of specific filter classes.
  2. Main Filter: Introduce a main filter class that will serve as an orchestrator, calling multiple filters in a
    predetermined order (e.g., based on priority or category). This main filter will delegate the actual filtering to individual
    filter instances.

Filter Structure

  1. Filter Interface: Define an abstract interface for filters, specifying the filter method signature. This method will
    take a request object as input and return a boolean indicating whether the request is allowed to proceed.
  2. Concrete Filters: Create various concrete filter classes implementing the Filter Interface. These can be specific to
    different use cases or security requirements (e.g., IP address filtering, rate limiting, authentication).

Main Filter
We can borrow the ideas from other REST frameworks along the lines of

  1. Filter Chain: In the main filter class, maintain a collection of registered filters in a predefined order.
  2. Request Processing: Upon receiving a request, pass it through each filter in sequence. If any filter returns false,
    stop processing and return an error response.
  3. Allowing the request: If all filters allow the request to proceed, forward it to the Trino backend.

Provider Module

  1. Filter Registration: The provider module will be responsible for registering instances of concrete filter classes with
    the main filter.
  2. Dynamic Loading: Load filter providers dynamically based on configuration or user input (e.g., via a configuration file
    or command-line arguments).
@mosabua
Copy link
Member

mosabua commented Jan 17, 2025
edited
Loading

I think this would be great and is in line with earlier discussion about figuring out how to adapt access control code from Trino into the Trino Gateway .. this specific filtering can also be done independently at first with some simple configuration. We should discuss this more but in general 👍

@mosabua mosabua changed the title Support filters to protect trino endpoints Support filters to protect Trino endpoints Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mosabua @vishalya