author    Christian Grothoff <christian@grothoff.org> 2021-08-06 23:03:23 +0200
committer Christian Grothoff <christian@grothoff.org> 2021-08-06 23:03:23 +0200
commit    7a5fc4dcd45b131a8dc255f6f7f74a536fac7339 (patch)
tree      64949d6e5625f2005491ba137cedd1fd06001df6 /taler-exchange-setup-guide.rst
parent    82fcd81b2c1e9c82ad7b649a01616296142c205b (diff)
-close resolved FIXMEs
Diffstat (limited to 'taler-exchange-setup-guide.rst')
-rw-r--r--  taler-exchange-setup-guide.rst  63
1 file changed, 19 insertions, 44 deletions
diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst
index cf08d0a4..82b5a5b3 100644
--- a/taler-exchange-setup-guide.rst
+++ b/taler-exchange-setup-guide.rst
@@ -136,9 +136,6 @@ directive and should end with ``.secret.conf``.
To view the entire configuration annotated with the source of each configuration option, you
can use the ``taler-config`` helper:
-..
- FIXME: mostly all the configuration files are owned root:root. Is that wanted?
- Wasn't taler-exchange-httpd supposed to own those? CG: Well, for MOST of the configuration files, root-ownage is OK, but I agree that merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the wrong roup owner and permissions, and exchange-db.secret.conf should probably be 640 instead of 660.
.. code-block:: shell-session
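Review bot: removing the ownership FIXME (the `- FIXME: mostly all the configuration files are owned root:root` lines) leaves the guide with no statement of the intended owner, group and mode of the ``*.secret.conf`` files, although the FIXME itself had already concluded that merchant-db.secret.conf and exchange-accountcredentials.secret.conf had the wrong group owner and permissions and that exchange-db.secret.conf should be 640 rather than 660. If the packaging has since been corrected, add one sentence next to the ``taler-config`` paragraph giving the expected ownership and mode so an operator can verify it with ``ls -l`` on the configuration directory; if it has not, the FIXME should stay or be moved to the issue tracker rather than closed as resolved.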
@@ -176,12 +173,9 @@ to compartmentalize different parts of the system:
The exchange setup uses the following system groups:
* taler-exchange-db: group for all Taler users with direct database access, specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer and taler-exchange-aggregator
-* taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd
+* taler-exchange-secmod: group for processes with access to online signing keys; this group must have three users: taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd
* taler-exchange-offline: group for the access to the offline private key (only used on the offline host and not used on the online system)
-..
- FIXME: "taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd .... what?" Seems that this sentence lacks conclusion.
-
The package will deploy systemd service files in
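Review bot: the rewritten bullet on the `+* taler-exchange-secmod:` line says the group "must have three users" and then lists three process identities; "must contain exactly these three users:" (or "members") states the constraint more precisely. The first bullet, `* taler-exchange-db: ... specifically taler-exchange-httpd, ...`, describes the same kind of membership with different wording, so consider making both bullets parallel ("must contain ..." in both, or "specifically ..." in both) now that the sentence the removed FIXME complained about has been completed.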
@@ -252,13 +246,6 @@ reasonable denomination structure.
taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01 --max-amount EUR:100 > /etc/taler/conf.d/exchange-coins.conf
-.. note::
-
- FIXME: change tool to not take currency from configuration, but instead
- to accept unit currency as the argument; (i.e. EUR:0.0025). Also take
- another argument for how many denominations to generate (2^XX). Finally,
- do use the unit currency as the default deposit fee.
-
You can manually review and edit the generated configuration file. The main
change that is possibly required is updating the various fees.
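Review bot: the removed `.. note::` block is a feature request against ``taler-wallet-cli deployment gen-coin-config`` (a unit-currency argument, a denomination-count argument, the unit currency as default deposit fee), not a documentation defect, so deleting it under "close resolved FIXMEs" is only right if the tool change was made or the request is tracked elsewhere; otherwise it is lost. While touching this passage, confirm that the context line `taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01 --max-amount EUR:100 > /etc/taler/conf.d/exchange-coins.conf` still matches the tool's current options, and that the surrounding text says which user the redirect into ``/etc/taler/conf.d/`` is expected to run as, since the generated file is then subject to the ownership rules discussed earlier in the guide.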
@@ -306,14 +293,8 @@ The HTTP port and database connection string can be edited in the configuration:
LIBEUFIN_NEXUS_DB_CONNECTION=jdbc:sqlite:/var/lib/libeufin/nexus/nexus-db.sqlite3
After configuring the database, you can start the service.
-The database is initialized automatically, there is no ``dbinit`` command
-for the LibEuFin nexus.
+The database is initialized automatically.
-..
- FIXME: 'dbinit' isn't a (exact) name for exchane and merchant, but this way
- the reader might wrongly think it is. Also, steps that should NOT be taken
- could - by not being mentioned - spare time (to the reader) and space to the
- document. So the part after comma for me can be removed.
.. code-block:: shell-session
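Review bot: the shortened `+The database is initialized automatically.` now drops any indication of when that happens. Since the preceding context line reads `After configuring the database, you can start the service.`, suggest "The database is initialized automatically when the service is first started." (if that is indeed the trigger) so the reader knows no separate initialization step sits between configuring and starting the nexus.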
@@ -779,34 +760,28 @@ Finally we need to grant the other accounts limited access:
.. code-block:: shell-session
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-aggregator";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-closer";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-wire";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
-
-..
- FIXME: the above commands do work, except that they produce a eye-unfriendly "cannot change to /root directory"
- message after the execution. This might be avoided by first getting a shell as the taler-exchange-httpd user
- and then run the SQL statements.
+ [root@exchange-online]# sudo -u taler-exchange-httpd bash
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-aggregator";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-closer";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-wire";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# exit
.. note::
The above instructions for changing database permissions only work *after*
having initialized the database with ``taler-exchange-dbinit``, as
- the tables to exist before permissions can be granted on them.
-
-..
-
- FIXME: Why don't we grant the permissions to the schema / database then?
-
+ the tables to exist before permissions can be granted on them. The
+ ``taler-exchange-dbinit`` tool cannot setup these permissions, as it
+ does not know which users will be used for which processes.
Offline Signing Setup
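Review bot: the `+ [root@exchange-online]# sudo -u taler-exchange-httpd bash` line inherits root's working directory, so ``psql`` is still launched from ``/root`` and the "cannot change to /root directory" warning described in the removed FIXME is likely to persist; use a login shell (``sudo -iu taler-exchange-httpd``) or ``cd /`` before running the ``psql`` commands. The prompts on the following `+` lines end in ``#`` although the shell is no longer root's; ``[taler-exchange-httpd@exchange-online]$`` would follow the usual convention. Finally, the new note text (`+ ``taler-exchange-dbinit`` tool cannot setup these permissions, as it` / `+ does not know which users will be used for which processes.`) explains the ordering constraint but does not answer the removed FIXME's question about granting at the schema level: ``GRANT ... ON ALL TABLES IN SCHEMA public`` only affects tables that exist when it runs, so tables added by a later ``taler-exchange-dbinit`` upgrade would need the grants repeated, whereas ``ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE ON TABLES TO "taler-exchange-aggregator"`` issued by the ``taler-exchange-httpd`` role before ``dbinit`` would also cover tables created afterwards. Either adopt that, or state in the note that the grants must be re-run after every database upgrade; also "setup" should be "set up" as a verb.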