-
-
Notifications
You must be signed in to change notification settings - Fork 472
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: Can not create role (and shouldn't need to, either.) #6842
Comments
Hi @IngwiePhoenix , the error message says: "Only roles with the CREATEROLE attribute may create roles." Please check your db user permissions. |
Why is it creating a new role anyway? It has a username, password and a database...all it needs to do is to deploy the table schemas. This is what's confusing me. Sure I could probably give it the permission, but I use the EasyMile Postgres Operator to manage the accounts and databases. For instance: apiVersion: postgresql.easymile.com/v1alpha1
kind: PostgresqlDatabase
metadata:
name: logto-db
namespace: logto
spec:
engineConfiguration:
name: default-cluster-instance
namespace: postgres
database: logto
masterRole: "logto-role"
dropOnDelete: true
waitLinkedResourcesDeletion: true
---
apiVersion: postgresql.easymile.com/v1alpha1
kind: PostgresqlUserRole
metadata:
name: logto-db-user
namespace: logto
spec:
mode: MANAGED
rolePrefix: "logto"
userPasswordRotationDuration: 720h
privileges:
- privilege: OWNER
database:
name: logto-db
generatedSecretName: logto-db-creds But I wonder why LogTo needs to create a separate role, when it already has creds it can use? |
Gonna chime in here as well as I too was confused by the need to create a sort of s"superadmin" role to let LogTo seed itself. I also think that LogTo should handle everything it needs to do via the provided db user and not create any other roles. |
I think this blog post might explain your doubts about the DB roles: |
That was a great read, thanks! That said, in Kubernetes environments and the likes (think common hosting providers), you'll often not have more than one set of credentials. Hence why I still think that LogTo should support it - even if not by default, make it an option at the very least (i.e. |
Describe the bug
I wrote myself a Kubernetes deployment with the intention to run this together with oauth2-proxy to utilize Traefik ForwardAuth to protect services that do not have authentication by default (like some dashboards). When doing so, the following happens:
Expected behavior
Since I passed a
DB_URL
with username, password and everything, it should just create the schemas. The provided credentials are from an operator that generates database, username and password automatically - so, this shouldn't be required.How to reproduce?
k3s deployment
Context
ghcr.io/logto-io/logto:1.22
Screenshots
N/A
The text was updated successfully, but these errors were encountered: