https://cerbos.dev logo
Powered by
Title
a

ANILA SOMAN

12/08/2022, 12:18 PM
Hello All, could you please help me to resolve this error?
o

oguzhan

12/08/2022, 12:27 PM
Hi @ANILA SOMAN, It seems like you didn’t create the tables and other database objects required for running Cerbos on your PostgreSQL instance. You can find the schema here; https://docs.cerbos.dev/cerbos/latest/configuration/storage.html#_database_object_definitions
Let me know if this is not the case, happy to help!
a

ANILA SOMAN

12/08/2022, 12:47 PM
Hi @oguzhan, i am using that sql query which you mentioned above as a .sh file and mention that in docker compose to run this sql as well
or do we need to migrate that sql code using orm ?
version: "3.9"
services:
  cerbos:
    container_name: cerbos
    image: <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest>
    restart: always
    command: ["server", "--config=/config/conf.yaml", "--log-level=warn"]
    volumes:
      - ./cerbos/config:/config
      - ./cerbos/policies:/policies
    depends_on:
      - postgresd
    ports:
      - 3592:3592
      - 3593:3593
    networks:
      - intranet
  postgresd:
    image: postgres:latest
    ports:
      - "5432:5432"
    volumes:
      - ./pg-init-scripts:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_USER=core
      - POSTGRES_PASSWORD=core
    networks:
      - intranet
  # pgadmin:
  #   image: dpage/pgadmin4
  #   container_name: pgadmin
  #   restart: "no"
  #   volumes:
  #     - pgadmin:/var/lib/pgadmin
  #   environment:
  #     - PGADMIN_DEFAULT_EMAIL=core@example.com
  #     - PGADMIN_DEFAULT_PASSWORD=core
  #   ports:
  #     - "5433:80"
  #   networks:
  #     - intranet
  admin-api:
    container_name: admin-api
    build: .
    environment:
      - CERBOS_HOST=cerbos
    ports:
      - 8080:8080
    depends_on:
      - cerbos
    networks:
      - intranet


networks:
  intranet:
volumes:
  pgadmin:
    name: vol-pgadmin
docker compose file
c

Charith (Cerbos)

12/08/2022, 12:57 PM
Did you change the schema name in the init script? Are the tables in the 
cerbos
schema? Also, from your screenshot, it looks like there was some error that postgres tried to recover from. Maybe the database is corrupt? I'd try clearing the storage volume and restarting the containers.
a

ANILA SOMAN

12/09/2022, 4:32 AM
Hi @Charith (Cerbos) the postgres pod itself exits. is there any way to migrate schema?
c

Charith (Cerbos)

12/09/2022, 4:36 AM
Hi Anila, by "migrate schema" I assume you mean that you want to rename it to something other than 
cerbos
? You can do that. Just remember to change the 
search_path
parameter in the connection URL you provide to Cerbos in its configuration file.
So, if your new schema name is 
foo
, the config should look like the following 
storage:
  driver: "postgres"
  postgres:
    url: "postgres://${PG_USER}:${PG_PASSWORD}@localhost:5432/postgres?sslmode=disable&search_path=foo"
a

ANILA SOMAN

12/09/2022, 4:52 AM
adding policy code 
func AddPolicy(datas *model.CerbosPayload, cli client.AdminClient, g *gin.Context) {
    response := model.Response{}
    responses := []model.Response{}
    for _, data := range datas.Policies {
        for _, policy := range data.ResourcePolicy.Rules {
            ps := client.PolicySet{}
            actions := policy.Actions
            rr1 := client.NewAllowResourceRule(actions...).WithRoles(policy.Roles)
            resource := data.ResourcePolicy.Resource
            resourcePolicy := client.NewResourcePolicy(resource, "default").AddResourceRules(rr1)
            // resourcePolicy.WithScope(data.ResourcePolicy.Scope)
            policySet := ps.AddResourcePolicies(resourcePolicy)
            err := cli.AddOrUpdatePolicy(context.Background(), policySet)
            if err != nil {
                response = model.Response{
                    Response: "",
                    Errors:   err.Error(),
                }
                responses = append(responses, response)

            }

            response = model.Response{
                Response: fmt.Sprintf("response : %+v", policySet.GetPolicies()),
                Errors:   "",
            }
            responses = append(responses, response)
        }
    }
    g.JSON(200, gin.H{
        "Check Responses": responses,
    })
}
checking policy 
func CheckPolicy(datas *model.CerbosPayload, cli client.Client, g *gin.Context) {
    response := model.Response{}
    responses := []model.Response{}
    for _, data := range datas.Policies {
        for _, policy := range data.ResourcePolicy.Rules {
            principal := client.NewPrincipal(uuid.NewString(), policy.Roles)
            // principal.WithScope(data.ResourcePolicy.Scope)
            resource := data.ResourcePolicy.Resource
            actions := policy.Actions
            r1 := client.NewResource(resource, uuid.NewString())
            batch := client.NewResourceBatch()
            batch.Add(r1, actions...)
            resp, err := cli.CheckResources(context.Background(), principal, batch)
            if err != nil {
                log.Fatalf("Failed to check resources: %v", err)
                response = model.Response{
                    Response: "",
                    Errors:   err.Error(),
                }
                responses = append(responses, response)
            }
            response = model.Response{
                Response: fmt.Sprintf("response : %v", resp),
                Errors:   "",
            }
            responses = append(responses, response)
        }
    }
    g.JSON(200, gin.H{
        "Check Responses": responses,
    })
}
above code is working without database
@Charith (Cerbos) we didnt change the schema
c

Charith (Cerbos)

12/09/2022, 4:58 AM
About the schema, what I wanted to know was whether you changed (or omitted) the schema name while creating the database objects from the SQL we have on our docs site.
The first two lines here: https://docs.cerbos.dev/cerbos/latest/configuration/storage.html#_database_object_definitions
If you're using 
psql
, can you run 
\dt cerbos.*
and paste the output here?
a

ANILA SOMAN

12/09/2022, 5:09 AM
config file
docker file
script same script used from documentation - didnt make any changes
c

Charith (Cerbos)

12/09/2022, 5:17 AM
OK. Can you rename 
db.sh
to 
db.sql
and restart Docker Compose
a

ANILA SOMAN

12/09/2022, 5:17 AM
sure
c

Charith (Cerbos)

12/09/2022, 5:31 AM
Try 
docker-compose restart cerbos
. It looks like the database is taking longer to initialize.
a

ANILA SOMAN

12/09/2022, 5:34 AM
c

Charith (Cerbos)

12/09/2022, 5:35 AM
Right!, now 
compose
is a subcommand of 
docker
. My bad.
Did it work? Was the container restarted?
a

ANILA SOMAN

12/09/2022, 5:36 AM
nope
connection refused error
c

Charith (Cerbos)

12/09/2022, 5:45 AM
Hmm... I am baffled. Can you actually see the tables in the database? Can you list them?z
@ANILA SOMAN, I think I got it. Because you change your default postgres user to 
core
, the default database is named 
core
as well. Therefore, you need to change the connection URL to use the 
core
database like this: 
storage:
  driver: "postgres"
  postgres:
    url: "<postgres://core:core@postgresd:5432/core?sslmode=disable&search_path=cerbos>"
a

ANILA SOMAN

12/12/2022, 7:27 AM
@Charith (Cerbos) tried but same
c

Charith (Cerbos)

12/12/2022, 8:08 AM
Ah, that would be because postgres is not ready by the time Cerbos starts. You could do 
docker compose restart cerbos
. But, a better way is to add a healthcheck to postgres like this: 
version: "3.9"
services:
  postgresd:
    image: postgres:latest
    ports:
      - 5432:5432
    volumes:
      - ./db:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_USER=core
      - POSTGRES_PASSWORD=core
    healthcheck:
      test: ["CMD-SHELL", "pg_isready --username=core"]
      interval: 10s
      timeout: 5s
      retries: 5

  cerbos:
    image: <http://ghcr.io/cerbos/cerbos:latest|ghcr.io/cerbos/cerbos:latest>
    command: ["server", "--config=/conf/cerbos.yaml"]
    volumes:
      - ./conf:/conf
    ports:
      - 3592:3592
      - 3593:3593
    depends_on:
      - postgresd
    restart: on-failure
a

ANILA SOMAN

12/12/2022, 8:11 AM
oh okay let me try this
Hi @Charith (Cerbos) thank you for your support connected to the database
c

Charith (Cerbos)

12/23/2022, 7:09 AM
You're welcome
#helpJoin Slack
Powered by