[Tracking] OPA integration 2.0

[sbernauer]

Context: We want to move from our - honestly early stage - authorizer to the one Bloomberg build.
It has a much nicer API and allows to batch multiple requests as well.

Long-term we want to have our custom CRDs e.g. TableGrant, SchemaGrant, CatalogGrant, which trino-operator consumes and automatically translates into OPA regorules similar to this, as it's rather complicated to write you own rego-rules.

Upstream PR at Trino: trinodb/trino#17940 - replaced by trinodb/trino#19532.

Row level filtering and data masking PR: bloomberg/trino#16

Current state https://github.com/sbernauer/trino/tree/add-open-policy-agent (mainline) (especially the rego rules, https://github.com/sbernauer/trino/tree/add-open-policy-agent (squashed for easier backporting) and https://github.com/sbernauer/trino/tree/414-with-opa (for 414-with-trino)

Tasks

• feat(trino): Switch to new opa authorizer in 414 docker-images#410
• feat: Switch to new opa authorizer #444
• Add a note to our opa operator readme to say that it is going to be deprecated in favor of upstream
• Update the Authorization docs page: https://docs.stackable.tech/home/stable/trino/usage-guide/security#_authorization

[maltesander]

#491 uses the upstream opa authorizer for 428 (still self build and not in the original trino image).

[lfrancke]

This is done now