chore: Update Trino Rego rules and disable column masking otherwise

stacks/airflow/trino.yaml

@@ -14,6 +14,7 @@ spec:
       - authenticationClass: trino-users
     authorization:
       opa:
+        enableColumnMasking: false
         configMapName: opa
         package: trino
     tls:

stacks/data-lakehouse-iceberg-trino-spark/trino.yaml

@@ -14,6 +14,7 @@ spec:
       - authenticationClass: trino-users
     authorization:
       opa:
+        enableColumnMasking: false
         configMapName: opa
         package: trino
   coordinators:

stacks/end-to-end-security/trino-regorules.yaml

@@ -1412,6 +1412,7 @@ data:
     #     - allow
     #     - batch
     #     - columnMask
+    #     - batchColumnMasks
     #     - rowFilters
     #   These rules use the rules and functions in requested_permission.rego
     #   and actual_permissions.rego to calculate the result.
@@ -1655,6 +1656,7 @@ data:
     #           "schemaName": "schema",
     #           "tableName": "table",
     #           "columnName": "column",
+    #           "columnType": "varchar",
     #         },
     #       },
     #     },
@@ -1709,6 +1711,90 @@ data:
       column_mask := {"expression": column.mask}
     }
 
+    # METADATA
+    # description: |
+    #   Entry point for fetching column masks in batch, configured in the
+    #   Trino property `opa.policy.batch-column-masking-uri`.
+    #
+    #   The input has the following form:
+    #
+    #   {
+    #     "action": {
+    #       "operation": "GetColumnMasks",
+    #       "filterResources": [{
+    #         "column": {
+    #           "catalogName": "catalog",
+    #           "schemaName": "schema",
+    #           "tableName": "table",
+    #           "columnName": "column",
+    #           "columnType": "varchar",
+    #         }},
+    #         {"column": ...},
+    #         ...
+    #       ],
+    #     },
+    #     "context": {
+    #       "identity": {
+    #         "groups": ["group1", ...],
+    #         "user": "username",
+    #       },
+    #       "softwareStack": {"trinoVersion": "455"},
+    #     }
+    #   }
+    #
+    #   The batchColumnMask rule queries the column constraints in the
+    #   Trino policies for each of the resources in the "filterResources"
+    #   list of the request and returns a list of viewExpressions, containing
+    #   the column mask if any set and optionally the identity for the mask
+    #   evaluation, and the index of the corresponding resource in the
+    #   "filterResources" list of the request.
+    #   A column mask is an SQL expression,
+    #   e.g. "'XXX-XX-' + substring(credit_card, -4)".
+    # entrypoint: true
+    batchColumnMasks contains column_mask if {
+      input.action.operation == "GetColumnMask"
+      some index, resource in input.action.filterResources
+
+      column := column_constraints(
+        resource.column.catalogName,
+        resource.column.schemaName,
+        resource.column.tableName,
+        resource.column.columnName,
+      )
+
+      is_string(column.mask)
+      is_string(column.mask_environment.user)
+
+      column_mask := {
+        "index": index,
+        "viewExpression": {
+          "expression": column.mask,
+          "identity": column.mask_environment.user,
+        },
+      }
+    }
+
+    batchColumnMasks contains column_mask if {
+      input.action.operation == "GetColumnMask"
+      some index, resource in input.action.filterResources
+
+      column := column_constraints(
+        resource.column.catalogName,
+        resource.column.schemaName,
+        resource.column.tableName,
+        resource.column.columnName,
+      )
+
+      is_string(column.mask)
+      is_null(column.mask_environment.user)
+
+      column_mask := {
+        "index": index,
+        "viewExpression": {"expression": column.mask},
+      }
+    }
+
+
     # METADATA
     # description: |
     #   Entry point for fetching row filters, configured in the Trino

stacks/trino-iceberg/trino.yaml

@@ -14,6 +14,7 @@ spec:
       - authenticationClass: trino-users
     authorization:
       opa:
+        enableColumnMasking: false
         configMapName: opa
         package: trino
   coordinators:

stacks/trino-superset-s3/trino.yaml

@@ -14,6 +14,7 @@ spec:
       - authenticationClass: trino-users
     authorization:
       opa:
+        enableColumnMasking: false
         configMapName: opa
         package: trino
   coordinators: