| author | Christian Grothoff <christian@grothoff.org> | 2021-08-06 23:03:23 +0200 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2021-08-06 23:03:23 +0200 |
| commit | 7a5fc4dcd45b131a8dc255f6f7f74a536fac7339 (patch) | |
| tree | 64949d6e5625f2005491ba137cedd1fd06001df6 /taler-exchange-setup-guide.rst | |
| parent | 82fcd81b2c1e9c82ad7b649a01616296142c205b (diff) | |
| download | docs-7a5fc4dcd45b131a8dc255f6f7f74a536fac7339.tar.gz docs-7a5fc4dcd45b131a8dc255f6f7f74a536fac7339.tar.bz2 docs-7a5fc4dcd45b131a8dc255f6f7f74a536fac7339.zip | |
-close resolved FIXMEs
Diffstat (limited to 'taler-exchange-setup-guide.rst')
-rw-r--r-- | taler-exchange-setup-guide.rst | 63 |
1 files changed, 19 insertions, 44 deletions
diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst index cf08d0a4..82b5a5b3 100644 --- a/taler-exchange-setup-guide.rst +++ b/taler-exchange-setup-guide.rst @@ -136,9 +136,6 @@ directive and should end with ``.secret.conf``. To view the entire configuration annotated with the source of each configuration option, you can use the ``taler-config`` helper: -.. - FIXME: mostly all the configuration files are owned root:root. Is that wanted? - Wasn't taler-exchange-httpd supposed to own those? CG: Well, for MOST of the configuration files, root-ownage is OK, but I agree that merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the wrong roup owner and permissions, and exchange-db.secret.conf should probably be 640 instead of 660. .. code-block:: shell-session @@ -176,12 +173,9 @@ to compartmentalize different parts of the system: The exchange setup uses the following system groups: * taler-exchange-db: group for all Taler users with direct database access, specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer and taler-exchange-aggregator -* taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd +* taler-exchange-secmod: group for processes with access to online signing keys; this group must have three users: taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd * taler-exchange-offline: group for the access to the offline private key (only used on the offline host and not used on the online system) -.. - FIXME: "taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd .... what?" Seems that this sentence lacks conclusion. - The package will deploy systemd service files in 
@@ -252,13 +246,6 @@ reasonable denomination structure. taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01 --max-amount EUR:100 > /etc/taler/conf.d/exchange-coins.conf -.. note:: - - FIXME: change tool to not take currency from configuration, but instead - to accept unit currency as the argument; (i.e. EUR:0.0025). Also take - another argument for how many denominations to generate (2^XX). Finally, - do use the unit currency as the default deposit fee. - You can manually review and edit the generated configuration file. The main change that is possibly required is updating the various fees. @@ -306,14 +293,8 @@ The HTTP port and database connection string can be edited in the configuration: LIBEUFIN_NEXUS_DB_CONNECTION=jdbc:sqlite:/var/lib/libeufin/nexus/nexus-db.sqlite3 After configuring the database, you can start the service. -The database is initialized automatically, there is no ``dbinit`` command -for the LibEuFin nexus. +The database is initialized automatically. -.. - FIXME: 'dbinit' isn't a (exact) name for exchane and merchant, but this way - the reader might wrongly think it is. Also, steps that should NOT be taken - could - by not being mentioned - spare time (to the reader) and space to the - document. So the part after comma for me can be removed. .. code-block:: shell-session 
@@ -779,34 +760,28 @@ Finally we need to grant the other accounts limited access: .. code-block:: shell-session - [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-aggregator";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-closer";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-wire";' \ - | sudo -u taler-exchange-httpd psql taler-exchange - -.. - FIXME: the above commands do work, except that they produce a eye-unfriendly "cannot change to /root directory" - message after the execution. This might be avoided by first getting a shell as the taler-exchange-httpd user - and then run the SQL statements. 
+ [root@exchange-online]# sudo -u taler-exchange-httpd bash + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-aggregator";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-closer";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-wire";' \ + | psql taler-exchange + [taler-exchange-httpd@exchange-online]# exit .. note:: The above instructions for changing database permissions only work *after* having initialized the database with ``taler-exchange-dbinit``, as - the tables to exist before permissions can be granted on them. - -.. - - FIXME: Why don't we grant the permissions to the schema / database then? - + the tables to exist before permissions can be granted on them. The + ``taler-exchange-dbinit`` tool cannot setup these permissions, as it + does not know which users will be used for which processes. Offline Signing Setup |
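Review bot: The comment deleted in the first hunk (@@ -136) records an open permissions problem rather than a resolved one: it states that merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the wrong group owner and permissions, and that exchange-db.secret.conf should be mode 640 instead of 660. Dropping the FIXME removes the only trace of that from the guide; either keep it until the packaging fixes the ownership, or replace it with a visible sentence next to the ``taler-config`` paragraph that states the expected owner, group and mode of each ``.secret.conf`` file so an operator can check them after installation.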
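Review bot: In the second hunk (@@ -176), the new wording "this group must have three users" reads as an exact membership count, while the list that follows names the processes that need the online signing keys. Suggest "its members must be taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd" so the sentence states who must be in the group instead of how many, which is also what the removed FIXME ("this sentence lacks conclusion") was asking for.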
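Review bot: The note removed in the third hunk (@@ -252) is a wishlist for ``gen-coin-config`` (take a unit currency such as EUR:0.0025 as argument, take a denomination count, use the unit as default deposit fee), and the unchanged command line just above it still invokes the tool as ``taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01 --max-amount EUR:100``, i.e. with the interface the FIXME wanted changed. Nothing in the hunk shows the tool was changed, so if the FIXME is dropped because the idea was abandoned, the commit message should say so; if it was implemented, the example invocation should be updated in the same commit.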
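Review bot: In the fourth hunk (@@ -306) the shortened sentence "The database is initialized automatically." no longer says when that happens, and the removed half-sentence was the only cue that no separate initialization step is expected for the nexus. Suggest "The database is initialized automatically when the service is first started." so the sentence keeps the instruction while staying as concise as the FIXME asked.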
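Review bot: In the fifth hunk (@@ -779) the expanded note says the grants only work once the tables exist, but ``GRANT ... ON ALL TABLES IN SCHEMA public`` and ``GRANT USAGE ON ALL SEQUENCES IN SCHEMA public`` also cover only the objects present when the statement runs: tables and sequences created by a later schema upgrade will not carry these privileges, so the note should tell operators to re-run the GRANT block (or configure default privileges for the schema) after every ``taler-exchange-dbinit`` upgrade, otherwise the aggregator, closer and wire processes fail on the new tables. Two smaller points on the same hunk: the added line "+ the tables to exist before permissions can be granted on them." keeps the grammatical slip of the old text ("as the tables to exist" should be "as the tables must exist"), and "cannot setup these permissions" should be "cannot set up these permissions"; also, after ``sudo -u taler-exchange-httpd bash`` the prompts are shown as ``[taler-exchange-httpd@exchange-online]#``, where an unprivileged shell would conventionally be shown with ``$``.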