# help
m
Hi @channel. I need to use the storage driver postgres. I don’t see any code sample in the docs. My understanding is that choosing this storage option replaces the policy definition process: instead of a YAML file, the policy would be stored in the database. Can someone share more details or any working sample for the database approach?
d
With all storage options, including Postgres, policies are written in YAML. In case of database storage, use Cerbos Admin API to submit policies to Cerbos. Configuring policies in Postgres includes three steps. Each step is described in the documentation, but I am not sure there’s a complete example for this use-case. The three steps are:
1. Configure Postgres as a storage, Link
   a. Create the DB schema.
2. Enable Admin API. Link
3. Use Admin API to manage policies. Link
m
@Dennis (Cerbos) so the policies submitted from the Admin API in this case would be added/updated in the database, that’s all. The YAML file won’t be affected in this case.
d
so the policies submitted from admin API in this case would be added/updated in database that’s all.
Yes
The YAML file won’t be affected in this case.
Can you please elaborate on this?
m
So if my storage option is postgres and I perform some policy update from the Admin API, will that update the YAML file that is the source for all the policies defined in the first place?
d
No, those YAML files would remain intact.
Here’s an example of a request to add/update policy via Admin API
m
So while looking up the policies, Cerbos internally will go for YAML and then the database for changes, if any and the driver is database. @Dennis (Cerbos) just clarifying if I got it correct.
c
No. If you use a database storage driver, the YAML files you have on disk are not visible to Cerbos at all. It'll only see what's stored in the database. You can update the policies in the database by using the Admin API as described above.
m
@Charith (Cerbos) is that so? Dennis mentioned earlier that YAML is the only source for writing policies. Now I am confused.
c
I think he meant that the way you write policies does not change much except for the fact that now you have to submit your policies to Cerbos through the Admin API instead of just adding them to Git or copying to a directory on disk that Cerbos is watching.
m
Okay. Got it. But writing policies from the API is a bit handy when you want to write them in bulk. So I needed confirmation on that: does it go for YAML as a base and then look for new changes in the database?
c
It only uses the database. The storage backend you configure for Cerbos through the `storage.driver` configuration setting is the only source of truth for policies. There's no stacking or inheritance of different storage backends.
m
Okay, got it. Apart from that, my container stops with an error when using the database approach. I already set up the database schema but am getting an unable to connect error.
c
What is the error message?
m
message has been deleted
c
Looks like an IPv6 issue in your container runtime. Try setting database host to `127.0.0.1` instead.
Actually, if you're running the container, `localhost` or `127.0.0.1` won't work at all because those refer to the container itself.
You have to find the IP address of your bridge network (assuming you're running this locally).
m
Okay let me try that.