Investigate restricting third-party access to user's container

[rohank07]

Able to create table and insert data into another user's blob container. Investigate either at Trino/Azure level to restrict access using the blob URI.

[rohank07]

Disabling these properties hive.non-managed-table-creates-enabled=false hive.non-managed-table-writes-enabled=false does not allow you to specify external_location on the CREATE TABLE query.
We would want user to create internal (managed) table rather than external (non-managed). We don't reference files on remote locations. https://ahana.io/answers/what-is-the-difference-between-a-managed-table-and-external-tables/

The only issue remains is the location specified on CREATE SCHEMA query. A user can still run this and Create a table and insert into another user's container.
CREATE SCHEMA unclassified.rohankatkar WITH (location = 'wasbs://jose-matsuda@aawdevcc00samgstandard.blob.core.windows.net/');

Write a controller that uses the Trino client REST API to pre-create schemas.

[rohank07]

Confirmation ✔️ : Unable to run CREATE TABLE query when specifiying property location

[rohank07]

Todo: Write a controller in aaw-kubeflow-profiles-controller to create schemas using Trino Client REST API
Example command:
curl --header "X-Trino-User: rohan-katkar" --header "X-Trino-Catalog: unclassified" --header "X-Trino-Set-Set-Session" --request POST --data 'CREATE SCHEMA IF NOT EXISTS unclassified.rohankatkar WITH (location = '\''wasbs://rohan-katkar@aawdevcc00samgstandard.blob.core.windows.net/'\'')' https://trino.aaw-dev.cloud.statcan.ca/v1/statement

[rohank07]

Apache Ranger will be able to resolve this type of use case. There is a trino-ranger plugin in the works: trinodb/trino#13297

[rohank07]

Closing. Going to create another task for schema profiles controller in next sprint.