permitio · danyi1212 · Nov 10, 2025 · Nov 3, 2025 · Nov 4, 2025 · Nov 5, 2025
diff --git a/source/commands/env/apply/trino.tsx b/source/commands/env/apply/trino.tsx
@@ -56,6 +56,16 @@ export const options = zod.object({
 				alias: 's',
 			}),
 		),
+	createColumnResources: zod
+		.boolean()
+		.optional()
+		.default(false)
+		.describe(
+			option({
+				description: 'Create individual column resources (default: false)',
+				alias: 'cols',
+			}),
+		),
 });
 
 export default function Trino({ options }: { options: TrinoOptions }) {

diff --git a/source/commands/pdp/run.tsx b/source/commands/pdp/run.tsx
@@ -28,16 +28,24 @@ export const options = object({
 				alias: 'k',
 			}),
 		),
+	tag: string()
+		.default('latest')
+		.describe(
+			option({
+				description: 'The tag of the PDP image to use',
+				alias: 't',
+			}),
+		),
 });
 
 type Props = {
 	options: zInfer<typeof options>;
 };
 
-export default function Run({ options: { opa, dryRun, apiKey } }: Props) {
+export default function Run({ options: { opa, dryRun, apiKey, tag } }: Props) {
 	return (
 		<AuthProvider permit_key={apiKey} scope={'environment'}>
-			<PDPRunComponent opa={opa} dryRun={dryRun} />
+			<PDPRunComponent opa={opa} dryRun={dryRun} tag={tag} />
 		</AuthProvider>
 	);
 }
diff --git a/source/components/env/trino/TrinoComponent.tsx b/source/components/env/trino/TrinoComponent.tsx
@@ -21,7 +21,9 @@ export default function TrinoComponent(
 				catalog: props.catalog,
 				schema: props.schema,
 			});
-			const permitResources = mapTrinoSchemaToPermitResources(trinoSchema);
+			const permitResources = mapTrinoSchemaToPermitResources(trinoSchema, {
+				createColumnResources: props.createColumnResources,
+			});
 			setCreatedResources(permitResources);
 			await processTrinoSchema(props);
 		})();

diff --git a/source/components/env/trino/types.ts b/source/components/env/trino/types.ts
@@ -5,6 +5,7 @@ export type TrinoOptions = {
 	password?: string;
 	catalog?: string;
 	schema?: string;
+	createColumnResources?: boolean;
 };
 
 export interface PermitResource {

diff --git a/source/components/pdp/PDPRunComponent.tsx b/source/components/pdp/PDPRunComponent.tsx
@@ -16,6 +16,7 @@
 	onComplete?: () => void;
 	onError?: (error: string) => void;
 	skipWaitScreen?: boolean; // New prop to control wait behavior
+	tag?: string;
 };
 
 export default function PDPRunComponent({
@@ -24,6 +25,7 @@
 	onComplete,
 	onError,
 	skipWaitScreen = true, // Default to showing wait screen
+	tag = 'latest',
 }: Props) {
 	const { authToken } = useAuth();
 	const [loading, setLoading] = useState(true);
@@ -82,7 +84,7 @@
 				// Generate the Docker command
 				const cmd = `docker run -d -p 7766:7000 ${
 					opa ? `-p ${opa}:8181` : ''
-				} -e PDP_API_KEY=${token} -e PDP_CONTROL_PLANE=${config.controlPlane || 'https://api.permit.io'} permitio/pdp-v2:latest`;
+				} -e PDP_API_KEY=${token} -e PDP_CONTROL_PLANE=${config.controlPlane || 'https://api.permit.io'} permitio/pdp-v2:${tag}`;
 
 				setDockerCommand(cmd);
 
@@ -161,7 +163,7 @@
 		};

 		generateDockerCommand();
 	}, [
 		opa,
 		dryRun,
 		authToken,

diff --git a/source/utils/trinoUtils.ts b/source/utils/trinoUtils.ts
@@ -105,20 +105,24 @@
 
 /**
  * Map Trino schema data to Permit resources.
- * - Each catalog, schema, table, and column is a resource.
+ * - Each catalog, schema, table, and optionally column is a resource.
  * - Each table resource includes columns as attributes (with type/description).
+ * @param trino - The Trino schema data to map
+ * @param options - Configuration options
+ * @param options.createColumnResources - Whether to create individual column resources (default: false)
  */
 export function mapTrinoSchemaToPermitResources(
 	trino: TrinoSchemaData,
+	options: { createColumnResources?: boolean } = {},
 ): PermitResource[] {
 	const resources: PermitResource[] = [];
-	const SEP = '-';
+	const SEP = '_';
 
 	// Catalogs
 	for (const catalog of trino.catalogs) {
 		resources.push({
 			key: `trino${SEP}catalog${SEP}${catalog.name}`,
-			name: catalog.name,
+			name: `Catalog: ${catalog.name}`,
 			description: `Trino resource type: catalog. Trino catalog: ${catalog.name}`,
 			actions: [
 				'AccessCatalog',
@@ -133,7 +137,7 @@
 	for (const schema of trino.schemas) {
 		resources.push({
 			key: `trino${SEP}schema${SEP}${schema.catalog}${SEP}${schema.name}`,
-			name: `${schema.catalog}.${schema.name}`,
+			name: `Schema: ${schema.catalog}.${schema.name}`,
 			description: `Trino resource type: schema. Schema ${schema.name} in catalog ${schema.catalog}`,
 			actions: [
 				'CreateSchema',
@@ -175,7 +179,7 @@
 		const tableKey = `trino${SEP}table${SEP}${table.catalog}${SEP}${table.schema}${SEP}${table.name}`;
 		resources.push({
 			key: tableKey,
-			name: `${table.catalog}.${table.schema}.${table.name}`,
+			name: `Table: ${table.catalog}.${table.schema}.${table.name}`,
 			description: `Trino resource type: ${table.type.toLowerCase()}. ${table.type} ${table.name} in ${table.catalog}.${table.schema}`,
 			actions: TABLE_AND_COLUMN_ACTIONS,
 			attributes: table.columns.reduce(
@@ -202,37 +206,43 @@
 				},
 			),
 		});
-		// Columns as resources
-		for (const column of table.columns) {
-			resources.push({
-				key: `trino${SEP}column${SEP}${table.catalog}${SEP}${table.schema}${SEP}${table.name}${SEP}${column.name}`,
-				name: `${table.catalog}.${table.schema}.${table.name}.${column.name}`,
-				description: `Trino resource type: column. Column ${column.name} in ${table.catalog}.${table.schema}.${table.name}`,
-				actions: TABLE_AND_COLUMN_ACTIONS,
-				attributes: {
-					parent_table: {
-						type: 'string',
-						description: `${table.catalog}.${table.schema}.${table.name}`,
-					},
-					table_type: { type: 'string', description: table.type.toLowerCase() },
-					type: {
-						type: trinoTypeToPermitType(column.type),
-						description: column.type,
-					},
-					nullable: {
-						type: 'bool',
-						description: column.nullable ? 'nullable' : undefined,
+
+		// Create column resources if requested
+		if (options.createColumnResources) {
+			for (const column of table.columns) {
+				resources.push({
+					key: `trino${SEP}column${SEP}${table.catalog}${SEP}${table.schema}${SEP}${table.name}${SEP}${column.name}`,
+					name: `Column: ${table.catalog}.${table.schema}.${table.name}.${column.name}`,
+					description: `Trino resource type: column. Column ${column.name} in ${table.catalog}.${table.schema}.${table.name}`,
+					actions: TABLE_AND_COLUMN_ACTIONS,
+					attributes: {
+						parent_table: {
+							type: 'string',
+							description: `${table.catalog}.${table.schema}.${table.name}`,
+						},
+						table_type: {
+							type: 'string',
+							description: table.type.toLowerCase(),
+						},
+						type: {
+							type: trinoTypeToPermitType(column.type),
+							description: column.type,
+						},
+						nullable: {
+							type: 'bool',
+							description: column.nullable ? 'nullable' : undefined,
+						},
 					},
-				},
-			});
+				});
+			}
 		}
 	}
 
 	// Views
 	for (const view of trino.views) {
 		resources.push({
 			key: `trino${SEP}view${SEP}${view.catalog}${SEP}${view.schema}${SEP}${view.name}`,
-			name: `${view.catalog}.${view.schema}.${view.name}`,
+			name: `View: ${view.catalog}.${view.schema}.${view.name}`,
 			description: `Trino resource type: view. View ${view.name} in ${view.catalog}.${view.schema}`,
 			actions: [
 				'CreateView',
@@ -272,7 +282,7 @@
 	for (const mview of trino.materializedViews) {
 		resources.push({
 			key: `trino${SEP}materialized_view${SEP}${mview.catalog}${SEP}${mview.schema}${SEP}${mview.name}`,
-			name: `${mview.catalog}.${mview.schema}.${mview.name}`,
+			name: `Materialized View: ${mview.catalog}.${mview.schema}.${mview.name}`,
 			description: `Trino resource type: materialized view. Materialized view ${mview.name} in ${mview.catalog}.${mview.schema}`,
 			actions: [
 				'CreateMaterializedView',
@@ -311,7 +321,7 @@
 	for (const fn of trino.functions) {
 		resources.push({
 			key: `trino${SEP}function${SEP}${fn.catalog}${SEP}${fn.schema}${SEP}${fn.name}`,
-			name: `${fn.catalog}.${fn.schema}.${fn.name}`,
+			name: `Function: ${fn.catalog}.${fn.schema}.${fn.name}`,
 			description: `Trino resource type: function. Function ${fn.name} in ${fn.catalog}.${fn.schema}`,
 			actions: [
 				'ShowFunctions',
@@ -333,7 +343,7 @@
 	for (const proc of trino.procedures) {
 		resources.push({
 			key: `trino${SEP}procedure${SEP}${proc.catalog}${SEP}${proc.schema}${SEP}${proc.name}`,
-			name: `${proc.catalog}.${proc.schema}.${proc.name}`,
+			name: `Procedure: ${proc.catalog}.${proc.schema}.${proc.name}`,
 			description: `Trino resource type: procedure. Procedure ${proc.name} in ${proc.catalog}.${proc.schema}`,
 			actions: ['ExecuteProcedure', 'ExecuteTableProcedure'],
 			attributes: {
@@ -426,20 +436,20 @@
 
 	if (catalog.toLowerCase() === 'postgresql') {
 		const passthrough = `SELECT * FROM TABLE(postgresql.system.query(query => '
-		SELECT p.proname as function_name, n.nspname as schema_name, 
-		pg_catalog.pg_get_function_result(p.oid) as return_type, 
-		pg_catalog.pg_get_function_arguments(p.oid) as arguments, 
-		CASE p.prokind 
-			WHEN ''f'' THEN ''FUNCTION'' 
-			WHEN ''p'' THEN ''PROCEDURE'' 
-			WHEN ''a'' THEN ''AGGREGATE'' 
-			WHEN ''w'' THEN ''WINDOW'' 
-			ELSE p.prokind::text 
-		END as kind 
-		FROM pg_catalog.pg_proc p 
-		LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace 
-		WHERE n.nspname = ''${schema}'' 
-		AND p.proname NOT LIKE ''pg_%'' 
+		SELECT p.proname as function_name, n.nspname as schema_name,
+		pg_catalog.pg_get_function_result(p.oid) as return_type,
+		pg_catalog.pg_get_function_arguments(p.oid) as arguments,
+		CASE p.prokind
+			WHEN ''f'' THEN ''FUNCTION''
+			WHEN ''p'' THEN ''PROCEDURE''
+			WHEN ''a'' THEN ''AGGREGATE''
+			WHEN ''w'' THEN ''WINDOW''
+			ELSE p.prokind::text
+		END as kind
+		FROM pg_catalog.pg_proc p
+		LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+		WHERE n.nspname = ''${schema}''
+		AND p.proname NOT LIKE ''pg_%''
 		ORDER BY p.proname
 		'))`;
 		try {
@@ -467,19 +477,19 @@
 					});
 				}
 			}
 		} catch (e) {
 			// console.log('[DEBUG] Passthrough for PostgreSQL failed:', e);
 		}
 	} else if (catalog.toLowerCase() === 'mysql') {
 		const passthrough = `SELECT * FROM TABLE(mysql.system.query(query => '
-		SELECT routine_name, routine_type, data_type, routine_definition 
-		FROM information_schema.routines 
+		SELECT routine_name, routine_type, data_type, routine_definition
+		FROM information_schema.routines
 		WHERE routine_schema = ''${schema}''
 		'))`;
 		try {
 			const rows = await executeTrinoQuery(client, passthrough);
 			for (const row of rows) {
 				const [name, routineType, returnType, _def] = row;
 				if (
 					routineType &&
 					routineType.trim().toUpperCase().startsWith('FUNCTION')
@@ -503,7 +513,7 @@
 					});
 				}
 			}
 		} catch (e) {
 			// console.log('[DEBUG] Passthrough for MySQL failed:', e);
 		}
 	}
@@ -556,8 +566,8 @@
 	const tableComments = new Map<string, string>();
 	try {
 		const commentsQuery = `
-			SELECT catalog_name, schema_name, table_name, comment 
-			FROM system.metadata.table_comments 
+			SELECT catalog_name, schema_name, table_name, comment
+			FROM system.metadata.table_comments
 			WHERE comment IS NOT NULL
 		`;
 		const commentRows = await executeTrinoQuery(client, commentsQuery);
@@ -568,7 +578,7 @@
 				tableComments.set(key, comment);
 			}
 		}
 	} catch (_) {
 		// console.log('[DEBUG] Could not fetch table comments');
 	}

@@ -599,7 +609,7 @@
 						nullable: row[3] !== 'NO', // Column 3 is Null (YES/NO)
 					}))
 					.filter(col => col.name && col.type);
 			} catch (_) {
 				// console.log(`[DEBUG] Failed to get columns for ${tableName}`);
 			}

@@ -656,7 +666,7 @@
 							actualType = VIEW_TYPE;
 						}
 					}
 				} catch (_) {
 					// Ignore errors from SHOW CREATE TABLE
 				}
 			}
@@ -683,7 +693,7 @@
 							}
 						}
 					}
 				} catch (_) {
 					// Ignore errors
 				}
 			}

diff --git a/tests/trino/docker-compose.yml b/tests/trino/docker-compose.yml
@@ -14,7 +14,7 @@ services:
       - ./sample_data/postgres_init.sql:/docker-entrypoint-initdb.d/init.sql
     healthcheck:
       test: ['CMD-SHELL', 'pg_isready -U testuser -d testdb']
-      interval: 10s
+      interval: 5s
       timeout: 5s
       retries: 5
 
@@ -42,7 +42,7 @@ services:
           'testuser',
           '-ptestpass',
         ]
-      interval: 10s
+      interval: 5s
       timeout: 5s
       retries: 5
 

diff --git a/tests/trino/trino_config/access-control.properties b/tests/trino/trino_config/access-control.properties
@@ -0,0 +1,5 @@
+# access-control.name=allow-all
+access-control.name=opa
+opa.policy.uri=http://host.docker.internal:7766/trino/allowed
+opa.log-requests=true
+opa.log-responses=true