SCIM
Adds SCIM user and group synchronization to the cluster.
Usage
License Required
This module requires a Starburst distribution and license.
Provision the module:
minitrino -e CLUSTER_VER=${version}-e provision -i starburst -m scim
Connect to the coordinator container’s Trino CLI as the admin user:
minitrino exec -i 'trino-cli --user admin'
Display the groups for the current user via current_groups():
SELECT current_groups();
-- [clusteradmins]
The group provider maps groups to users regardless of authentication.
Without auth:
minitrino exec -i 'trino-cli --user test'
SELECT current_groups();
-- [clusteradmins, metadata-users, platform-users]
With auth:
minitrino exec -i \
'trino-cli --server https://minitrino:8443 \
--insecure --user admin --password'
SELECT current_groups();
-- [clusteradmins]
SCIM Sync Client
This module includes a custom Python sync client (scim_sync.py) that
automatically provisions and synchronizes users and groups to the Starburst SCIM
API.
The client runs continuously in the background, ensuring the group/user mapping is always up to date. By default, the mapping is:
| Group | Users |
|---|---|
| clusteradmins | admin, cachesvc, test |
| metadata-users | metadata-user, bob, test |
| platform-users | platform-user, alice, test |
The sync client is configured via the following environment variables:
- CLUSTER_NAME: The cluster name (used to construct the SCIM API URL)
- SCIM_TOKEN: Bearer token for SCIM API authentication (default: changeme)
- SYNC_INTERVAL: How often to sync (seconds, default: 60)
To customize the mapping, edit the GROUP_MAPPING dictionary in
resources/scim/scim_sync.py.
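The following is an added example, not the module's scim_sync.py (whose code is not shown on this page). It works through the default mapping and the three environment variables above: it derives the groups each user should see from current_groups(), builds a SCIM 2.0 Group resource (schema from RFC 7643), and computes the membership changes one sync pass would need. The function names, the empty CLUSTER_NAME fallback, the user_ids argument and the default_token flag are assumptions made for illustration.

```python
import os

# Default mapping from the table above (group -> users).
GROUP_MAPPING = {
    "clusteradmins": ["admin", "cachesvc", "test"],
    "metadata-users": ["metadata-user", "bob", "test"],
    "platform-users": ["platform-user", "alice", "test"],
}

def load_config(env=os.environ):
    """Read the documented variables with their documented defaults."""
    cfg = {
        "cluster_name": env.get("CLUSTER_NAME", ""),  # assumed fallback
        "token": env.get("SCIM_TOKEN", "changeme"),
        "interval": int(env.get("SYNC_INTERVAL", "60")),
    }
    cfg["default_token"] = cfg["token"] == "changeme"  # flag the shipped default
    if cfg["interval"] <= 0:
        raise ValueError("SYNC_INTERVAL must be a positive number of seconds")
    return cfg

def groups_by_user(mapping):
    """Invert group -> users into user -> sorted groups."""
    out = {}
    for group, users in mapping.items():
        for user in users:
            out.setdefault(user, set()).add(group)
    return {user: sorted(groups) for user, groups in out.items()}

def group_resource(name, users, user_ids):
    """SCIM 2.0 Group body; user_ids maps userName -> id assigned by the server."""
    missing = [u for u in users if u not in user_ids]
    if missing:
        raise KeyError(f"users not provisioned yet: {missing}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "displayName": name,
        "members": [{"value": user_ids[u], "display": u} for u in users],
    }

def membership_changes(desired, current):
    """Per group, the users to add and remove so current matches desired."""
    plan = {}
    for group in sorted(set(desired) | set(current)):
        want, have = set(desired.get(group, [])), set(current.get(group, []))
        if want != have:
            plan[group] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return plan
```

Comparing groups_by_user(GROUP_MAPPING) with the output of SELECT current_groups() for each user is a quick check that the sync has converged after GROUP_MAPPING is edited.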
Dependent Modules
biac: Access control is a requirement for the SCIM plugin.