From 1f76b31ecd250b211ed102ecda31943c49208d8b Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Fri, 15 Sep 2023 09:51:31 +0200 Subject: dbconfig now also deals with permissions --- taler-exchange-manual.rst | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) (limited to 'taler-exchange-manual.rst') diff --git a/taler-exchange-manual.rst b/taler-exchange-manual.rst index d84214b2..df05fbfc 100644 --- a/taler-exchange-manual.rst +++ b/taler-exchange-manual.rst @@ -541,7 +541,7 @@ The following users must have access to the exchange database: * taler-exchange-closer These users are all in the taler-exchange-db group, and the -``exchange-db.secret.conf`` should already be only readable by users in +``exchange-db.secret.conf`` should be only readable by users in this group. .. note:: @@ -549,8 +549,8 @@ this group. The **taler-exchange-dbconfig** tool can be used to automate the database setup. When using the Debian/Ubuntu packages, the users should already have been created, so you can just run the tool without any arguments and should - have a working database configuration. Subsequently, must still grant - access to the other users (see below). (NOTE: we should automate this.) + have a working database configuration. The rest of this section only + explains what the **taler-exchange-dbconfig** shell script fully automates. To create a database for the Taler exchange on the local system, run: 
@@ -608,17 +608,17 @@ Finally we need to grant the other accounts limited access: .. code-block:: shell-session [root@exchange-online]# sudo -u taler-exchange-httpd bash - [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-aggregator";' \ | psql taler-exchange - [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-closer";' \ | psql taler-exchange - [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-wire";' \ | psql taler-exchange - [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-aggregator";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA exchange TO "taler-exchange-aggregator";' \ | psql taler-exchange - [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-closer";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA exchange TO "taler-exchange-closer";' \ | psql taler-exchange - [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO "taler-exchange-wire";' \ + [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA exchange TO "taler-exchange-wire";' \ | psql taler-exchange [taler-exchange-httpd@exchange-online]# exit 
@@ -626,7 +626,7 @@ Finally we need to grant the other accounts limited access: The above instructions for changing database permissions only work *after* having initialized the database with ``taler-exchange-dbinit``, as - the tables to exist before permissions can be granted on them. The + the tables need to exist before permissions can be granted on them. The ``taler-exchange-dbinit`` tool cannot setup these permissions, as it does not know which users will be used for which processes. @@ -2167,10 +2167,27 @@ The database scheme used by the exchange looks as follows: Database upgrades ----------------- -Currently, there is no way to upgrade the database between Taler -versions. +Before installing a new exchange version, you should probably make a backup of +the existing database and study the release notes on migration. In general, +the way to migrate is to stop all existing Taler exchange processes and run: -The exchange database can be re-initialized using: +.. code-block:: console + + $ taler-exchange-dbinit + +This will migrate the existing schema to the new schema. You also may need +to grant Taler exchange processes the rights to the new tables (see last +step of database setup). + +.. note:: + + The **taler-exchange-dbconfig** tool can be used to automate the database + migration. In general, simply invoking it again should trigger the + migration including **taler-exchange-dbinit** and setting the permissions. + + +If you do not want to keep any data from the previous installation, the +exchange database can be fully re-initialized using: .. code-block:: console 
@@ -2179,7 +2196,8 @@ The exchange database can be re-initialized using: However, running this command will result in all data in the database being lost, which may result in significant financial liabilities as the exchange can then not detect double-spending. Hence this operation must -not be performed in a production system. +not be performed in a production system. You still also need to then +grant the permissions to the other exchange processes again. -- cgit v1.2.3
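Review bot: the first hunk (around line 541) weakens "should already be only readable" to "should be only readable" but still gives the operator no way to verify or enforce that, and ``exchange-db.secret.conf`` is the file that carries the database credentials; state the expected ownership and mode and show the check, e.g. ``stat -c '%U:%G %a' exchange-db.secret.conf`` should report group ``taler-exchange-db`` and mode ``640`` (or ``440``), with a ``chgrp``/``chmod`` to fix it if not. In the rewritten note, "The rest of this section only explains what the **taler-exchange-dbconfig** shell script fully automates" reads as if the section were redundant; "explains the individual steps that **taler-exchange-dbconfig** performs for you" says the same thing without the ambiguity.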
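Review bot: moving the GRANTs in the second hunk (around line 608) from ``public`` to the ``exchange`` schema leaves out the schema-level privilege the three roles now need: unlike ``public``, a user-created schema does not give USAGE to PUBLIC, so ``GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-aggregator";`` on its own still fails at query time with "permission denied for schema exchange". Add ``GRANT USAGE ON SCHEMA exchange TO "taler-exchange-aggregator";`` (and the same for ``taler-exchange-closer`` and ``taler-exchange-wire``) ahead of the table grants, unless **taler-exchange-dbinit** already does this, in which case the text should say so. It is also worth a sentence that ``ON ALL TABLES IN SCHEMA`` only covers tables that exist at that moment, which is the reason the upgrade section has to repeat the grants; since the grants are issued by ``taler-exchange-httpd``, which this hunk implies owns the objects, ``ALTER DEFAULT PRIVILEGES FOR ROLE "taler-exchange-httpd" IN SCHEMA exchange GRANT SELECT,INSERT,UPDATE ON TABLES TO "taler-exchange-aggregator";`` (plus the matching ``ON SEQUENCES GRANT USAGE``) would make tables created by later migrations covered automatically.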
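Review bot: style point in the third hunk (around line 626): "cannot setup these permissions" should read "cannot set up these permissions" (verb, two words); the typo fix on the previous line is correct.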
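Review bot: in the "Database upgrades" hunk (around line 2167), "you should probably make a backup" is far too hedged for a system where the same section warns that losing data creates financial liabilities; make the backup a required step and give the command, e.g. stop all exchange processes, then ``pg_dump taler-exchange > exchange-pre-upgrade.sql`` before running ``taler-exchange-dbinit``, since the in-place migration has no undo. The cross-reference "(see last step of database setup)" should be a proper ``:ref:`` to that section rather than a prose pointer, and "simply invoking it again should trigger the migration" in the note would be more useful as a definite statement of what **taler-exchange-dbconfig** does (run **taler-exchange-dbinit**, then re-issue the grants) and what the operator must check afterwards.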
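Review bot: the added sentence in the last hunk (around line 2196), "You still also need to then grant the permissions to the other exchange processes again", is awkward; "After re-initializing, you must also grant the other exchange processes their permissions again" keeps the meaning, and it would help to say why: re-initialization drops and recreates the tables, so the earlier table and sequence grants no longer exist.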