# help
a
Hello All, could you please help me to resolve this error?
o
Hi @ANILA SOMAN, it seems like you didn’t create the tables and other database objects required for running Cerbos on your PostgreSQL instance. You can find the schema here: https://docs.cerbos.dev/cerbos/latest/configuration/storage.html#_database_object_definitions
Let me know if this is not the case, happy to help!
a
Hi @oguzhan, I am using that SQL query which you mentioned above as a .sh file and mention that in docker compose to run this SQL as well.
Or do we need to migrate that SQL code using an ORM?
```yaml
version: "3.9"
services:
  cerbos:
    container_name: cerbos
    image: ghcr.io/cerbos/cerbos:latest
    restart: always
    command: ["server", "--config=/config/conf.yaml", "--log-level=warn"]
    volumes:
      - ./cerbos/config:/config
      - ./cerbos/policies:/policies
    depends_on:
      - postgresd
    ports:
      - 3592:3592
      - 3593:3593
    networks:
      - intranet
  postgresd:
    image: postgres:latest
    ports:
      - "5432:5432"
    volumes:
      - ./pg-init-scripts:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_USER=core
      - POSTGRES_PASSWORD=core
    networks:
      - intranet
  # pgadmin:
  #   image: dpage/pgadmin4
  #   container_name: pgadmin
  #   restart: "no"
  #   volumes:
  #     - pgadmin:/var/lib/pgadmin
  #   environment:
  #     - PGADMIN_DEFAULT_EMAIL=core@example.com
  #     - PGADMIN_DEFAULT_PASSWORD=core
  #   ports:
  #     - "5433:80"
  #   networks:
  #     - intranet
  admin-api:
    container_name: admin-api
    build: .
    environment:
      - CERBOS_HOST=cerbos
    ports:
      - 8080:8080
    depends_on:
      - cerbos
    networks:
      - intranet

networks:
  intranet:
volumes:
  pgadmin:
    name: vol-pgadmin
```
docker compose file
c
Did you change the schema name in the init script? Are the tables in the `cerbos` schema? Also, from your screenshot, it looks like there was some error that postgres tried to recover from. Maybe the database is corrupt? I'd try clearing the storage volume and restarting the containers.
a
Hi @Charith (Cerbos), the postgres pod itself exits. Is there any way to migrate the schema?
c
Hi Anila, by "migrate schema" I assume you mean that you want to rename it to something other than `cerbos`? You can do that. Just remember to change the `search_path` parameter in the connection URL you provide to Cerbos in its configuration file.
So, if your new schema name is `foo`, the config should look like the following:
```yaml
storage:
  driver: "postgres"
  postgres:
    url: "postgres://${PG_USER}:${PG_PASSWORD}@localhost:5432/postgres?sslmode=disable&search_path=foo"
```
a
adding policy code
```go
// AddPolicy builds one resource policy per rule in the payload and stores it
// through the Cerbos Admin API, collecting one response entry per rule.
func AddPolicy(datas *model.CerbosPayload, cli client.AdminClient, g *gin.Context) {
    response := model.Response{}
    responses := []model.Response{}
    for _, data := range datas.Policies {
        for _, policy := range data.ResourcePolicy.Rules {
            ps := client.PolicySet{}
            actions := policy.Actions
            rr1 := client.NewAllowResourceRule(actions...).WithRoles(policy.Roles)
            resource := data.ResourcePolicy.Resource
            resourcePolicy := client.NewResourcePolicy(resource, "default").AddResourceRules(rr1)
            // resourcePolicy.WithScope(data.ResourcePolicy.Scope)
            policySet := ps.AddResourcePolicies(resourcePolicy)
            err := cli.AddOrUpdatePolicy(context.Background(), policySet)
            if err != nil {
                response = model.Response{
                    Response: "",
                    Errors:   err.Error(),
                }
                responses = append(responses, response)
                // Skip the success entry below when the update failed.
                continue
            }

            response = model.Response{
                Response: fmt.Sprintf("response : %+v", policySet.GetPolicies()),
                Errors:   "",
            }
            responses = append(responses, response)
        }
    }
    g.JSON(200, gin.H{
        "Check Responses": responses,
    })
}
```
checking policy
```go
// CheckPolicy runs a CheckResources call for each rule in the payload, using a
// throwaway principal and resource ID, and collects one response entry per rule.
func CheckPolicy(datas *model.CerbosPayload, cli client.Client, g *gin.Context) {
    response := model.Response{}
    responses := []model.Response{}
    for _, data := range datas.Policies {
        for _, policy := range data.ResourcePolicy.Rules {
            principal := client.NewPrincipal(uuid.NewString(), policy.Roles)
            // principal.WithScope(data.ResourcePolicy.Scope)
            resource := data.ResourcePolicy.Resource
            actions := policy.Actions
            r1 := client.NewResource(resource, uuid.NewString())
            batch := client.NewResourceBatch()
            batch.Add(r1, actions...)
            resp, err := cli.CheckResources(context.Background(), principal, batch)
            if err != nil {
                // log.Fatalf would exit the process here, so the error would
                // never reach the caller; log it and record it instead.
                log.Printf("Failed to check resources: %v", err)
                response = model.Response{
                    Response: "",
                    Errors:   err.Error(),
                }
                responses = append(responses, response)
                // Skip the success entry below when the check failed.
                continue
            }
            response = model.Response{
                Response: fmt.Sprintf("response : %v", resp),
                Errors:   "",
            }
            responses = append(responses, response)
        }
    }
    g.JSON(200, gin.H{
        "Check Responses": responses,
    })
}
```
The above code is working without a database.
@Charith (Cerbos) we didn't change the schema
message has been deleted
c
About the schema, what I wanted to know was whether you changed (or omitted) the schema name while creating the database objects from the SQL we have on our docs site.
If you're using `psql`, can you run `\dt cerbos.*` and paste the output here?
a
config file
docker file
script same script used from documentation - didn't make any changes
c
OK. Can you rename `db.sh` to `db.sql` and restart Docker Compose?
a
sure
message has been deleted
c
Try `docker-compose restart cerbos`. It looks like the database is taking longer to initialize.
a
message has been deleted
c
Right! Now `compose` is a subcommand of `docker`. My bad.
Did it work? Was the container restarted?
a
nope
connection refused error
c
Hmm... I am baffled. Can you actually see the tables in the database? Can you list them?
@ANILA SOMAN, I think I got it. Because you changed your default postgres user to `core`, the default database is named `core` as well. Therefore, you need to change the connection URL to use the `core` database like this:
```yaml
storage:
  driver: "postgres"
  postgres:
    url: "postgres://core:core@postgresd:5432/core?sslmode=disable&search_path=cerbos"
```
a
@Charith (Cerbos) tried but same
message has been deleted
c
Ah, that would be because postgres is not ready by the time Cerbos starts. You could do `docker compose restart cerbos`. But a better way is to add a healthcheck to postgres like this:
```yaml
version: "3.9"
services:
  postgresd:
    image: postgres:latest
    ports:
      - 5432:5432
    volumes:
      - ./db:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_USER=core
      - POSTGRES_PASSWORD=core
    healthcheck:
      test: ["CMD-SHELL", "pg_isready --username=core"]
      interval: 10s
      timeout: 5s
      retries: 5

  cerbos:
    image: ghcr.io/cerbos/cerbos:latest
    command: ["server", "--config=/conf/cerbos.yaml"]
    volumes:
      - ./conf:/conf
    ports:
      - 3592:3592
      - 3593:3593
    depends_on:
      - postgresd
    restart: on-failure
```
a
oh okay let me try this
Hi @Charith (Cerbos), thank you for your support. Connected to the database.
c
You're welcome