Add Trino authorization row filter functionality

- Introduced a new configuration file for Trino authorization, allowing row-level security filters to be defined for various tables.
- Implemented the loading of Trino authorization configurations from a YAML file.
- Added a new API endpoint for handling row filter requests, enabling dynamic filtering based on user permissions.
- Updated the application state to include Trino authorization configuration and integrated it into the existing request handling logic.
- Enhanced test coverage for the new row filter functionality, ensuring proper handling of various user permissions and configurations.

This commit significantly improves the PDP server's capability to enforce row-level security in Trino, enhancing data access control based on user roles and attributes.

Author: danyi1212

pdp-server/Cargo.toml

@@ -20,6 +20,7 @@ redis = { version = "0.29.2", features = ["tokio-comp", "connection-manager"] }
 reqwest = { version = "0.12.15", features = ["json"] }
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"
+serde_yaml = "0.9"
 sha2 = "0.10.8"
 thiserror = "2.0.12"
 tokio = { version = "1.44.1", features = ["full"] }
@@ -33,6 +34,7 @@ openssl = { version = "0.10", features = ["vendored"] }  # Required for docker b
 async-trait = "0.1.88"
 redis-test = "0.9.0"
 reqwest = { version = "0.12.15", features = ["json"] }
+tempfile = "3.10"
 tokio = { version = "1.44.1", features = ["test-util"] }
 tower = "0.5.2"
 wiremock = "0.6.3"

pdp-server/src/api/health/checkers.rs

@@ -183,6 +183,7 @@ mod tests {
             horizon_client: Arc::new(Client::new()),
             cache: Arc::new(Cache::Null(NullCache::new())),
             watchdog: None,
+            trino_authz_config: None,
         }
     }
 

pdp-server/src/api/horizon_fallback.rs

@@ -527,6 +527,7 @@ mod tests {
             use_new_authorized_users: false,
             allow_unauthenticated_trino: false,
             healthcheck_timeout: 1.0,
+            trino_authz_config_path: "/tmp/trino-authz.yaml".to_string(),
             // Point to a non-existent server with a reserved port
             horizon: crate::config::horizon::HorizonConfig {
                 host: "127.0.0.1".to_string(),
@@ -594,6 +595,7 @@ mod tests {
             use_new_authorized_users: false,
             allow_unauthenticated_trino: false,
             healthcheck_timeout: 1.0,
+            trino_authz_config_path: "/tmp/trino-authz.yaml".to_string(),
             horizon: crate::config::horizon::HorizonConfig {
                 host: horizon_mock.address().ip().to_string(),
                 port: horizon_mock.address().port(),

pdp-server/src/api/trino/mod.rs

@@ -1,5 +1,6 @@
 pub mod allowed;
 mod checks;
+pub mod row_filter;
 pub mod schemas;
 
 use crate::state::AppState;
@@ -8,5 +9,7 @@ use axum::Router;
 
 /// Combines all Trino-related routes into a single router
 pub(super) fn router() -> Router<AppState> {
-    Router::new().route("/trino/allowed", post(allowed::allowed_handler))
+    Router::new()
+        .route("/trino/allowed", post(allowed::allowed_handler))
+        .route("/trino/row-filter", post(row_filter::row_filter_handler))
 }