[BUG] Garbage Collector removing relation still valid #1471
Comments
Hi @gign0766, I tried to reproduce the issue but couldn't replicate it. Everything seems to be working as expected on my end. I'll update the database tests shortly to include this scenario. Also, can you provide the specific permission check requests you used to ensure I don't miss any details?
Hi, The permission check was:

```json
{
  "metadata": {
    "schema_version": "",
    "snap_token": "",
    "depth": 20
  },
  "entity": {
    "type": "organisation",
    "id": "1"
  },
  "permission": "is_member",
  "subject": {
    "type": "user",
    "id": "b56661f8-7be6-4342-a4c0-918ee04e5983"
  }
}
```

The test was made through the Go SDK:

```go
cr, err := client.Permission.Check(ctx, &permifyPayload.PermissionCheckRequest{
	TenantId: tenantId,
	Metadata: &permifyPayload.PermissionCheckRequestMetadata{
		SnapToken:     "",
		SchemaVersion: "",
		Depth:         20,
	},
	Entity:     tuple.Entity,
	Permission: tuple.Relation,
	Subject:    tuple.Subject,
})
```

and with the following schema:
To add some information on the environment:
Hello, I just noticed there is a distributed configuration for the cache system. I'll try to configure it on the cluster and keep you informed of the result.
Hi, thank you @gign0766. I couldn't test with your setup. This week I will be updating helm charts, related migration scripts and issues about k8s. I will test both cases!
Hi @tolgaOzen So far, since I've activated the distributed system, the problem hasn't shown up again.
Hi @gign0766, could you share your Permify config file while keeping sensitive information hidden?
Hi @tolgaOzen Of course, here is the config:

```yaml
# The logger section sets the logging level for the service.
logger:
  level: debug
# The database section specifies the database engine and connection settings,
# including the URI for the database, whether or not to auto-migrate the database,
# and connection pool settings.
database:
  engine: postgres
  uri: postgres_url
  garbage_collection:
    enabled: true
    interval: 10m
    window: 5m
    timeout: 5m
distributed:
  # Indicates whether the distributed mode is enabled or not
  enabled: true
  # The address of the distributed service.
  # Using a Kubernetes DNS name suggests this service runs in a Kubernetes cluster
  # under the 'default' namespace and is named 'permify'
  address: service_address
  # The port on which the service is exposed
  port: "5000"
```
Can you share any logs? The configuration looks correct. Also, can I get some information about the Postgres you're using? Are you deploying it within Helm?
Could the issue be related to Bitnami Postgres? Are you creating a volume for persistency?
I'm trying to understand the issue, but I don't think it's related to the garbage collector because the garbage collector removes old data but doesn't delete the schema. The
@tolgaOzen This is also what I understood from reading the permify code. But the bug only seems to appear when garbage collection is enabled. I will update the chart of permify to the latest version.
There was an error on the latest version of the chart helm, I have submitted a PR to fix the problem on the permify helm chart repo.
I've updated to version 0.3.7 of the chart helm. Now the logs work properly. I'll update you if I notice the bug again!
Describe the bug
When a permission is present twice, one valid and the other expired, the Garbage Collector invalidates the relation even though there is still a valid one.
To Reproduce
Steps to reproduce the behavior:
Set up Permify with a PostgreSQL database and configure the garbage collector as follows:
Add a relation, then add the same relation (for the same tenant) a bit later
For example:
The permission check works until the garbage collector runs; after that, the permission is considered invalid
Expected behavior
The expired relation should be removed from the database, but the permission check should still be allowed since there is a valid relation.
Additional context
The permify instance runs with the helm chart, as does the postgres instance
Environment :
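Added example, not part of the issue and not Permify's code: a minimal Go model of the expected behaviour described in this report, where the same relation exists as one expired and one valid version. The `Tuple` type, the logical-time field, the sample key and both collection strategies are assumptions for illustration; the key-based variant shows one way a versioned store can lose a valid duplicate and is not a diagnosis of this report.

```go
package main

import "fmt"

// Tuple is one stored version of a relation. Hypothetical model, not Permify's schema.
type Tuple struct {
	Key       string // "entity#relation@subject"
	ExpiredAt int    // logical time the version was superseded; 0 = still valid
}

// Sample is constructed data: one relation written twice (first version expired at t=5).
func Sample() []Tuple {
	k := "organisation:1#member@user:1" // constructed key
	return []Tuple{{k, 5}, {k, 0}}
}

// Check reports whether a still-valid version of key exists.
func Check(rows []Tuple, key string) bool {
	for _, r := range rows {
		if r.Key == key && r.ExpiredAt == 0 {
			return true
		}
	}
	return false
}

// Collect removes versions that expired before cutoff. byKey=false filters row by row;
// byKey=true deletes every row sharing an expired key, dropping the valid duplicate too.
func Collect(rows []Tuple, cutoff int, byKey bool) []Tuple {
	dead := map[string]bool{}
	for _, r := range rows {
		dead[r.Key] = dead[r.Key] || (r.ExpiredAt != 0 && r.ExpiredAt < cutoff)
	}
	var kept []Tuple
	for _, r := range rows {
		expired := r.ExpiredAt != 0 && r.ExpiredAt < cutoff
		if (byKey && dead[r.Key]) || (!byKey && expired) {
			continue
		}
		kept = append(kept, r)
	}
	return kept
}

func main() {
	rows := Sample()
	fmt.Println(Check(Collect(rows, 10, false), rows[0].Key), Check(Collect(rows, 10, true), rows[0].Key))
}
```

A regression test for this report would assert the first result: after collection, exactly one row remains and the check still succeeds.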