[taler-docs] branch master updated: -close resolved FIXMEs
From: gnunet
Subject: [taler-docs] branch master updated: -close resolved FIXMEs
Date: Fri, 06 Aug 2021 23:03:26 +0200
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new 7a5fc4d -close resolved FIXMEs
7a5fc4d is described below
commit 7a5fc4dcd45b131a8dc255f6f7f74a536fac7339
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Aug 6 23:03:23 2021 +0200
-close resolved FIXMEs
---
taler-exchange-setup-guide.rst | 63 +++++++++++++-----------------------------
1 file changed, 19 insertions(+), 44 deletions(-)
diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst
index cf08d0a..82b5a5b 100644
--- a/taler-exchange-setup-guide.rst
+++ b/taler-exchange-setup-guide.rst
@@ -136,9 +136,6 @@ directive and should end with ``.secret.conf``.
To view the entire configuration annotated with the source of each
configuration option, you
can use the ``taler-config`` helper:
-..
- FIXME: mostly all the configuration files are owned root:root. Is that
wanted?
- Wasn't taler-exchange-httpd supposed to own those? CG: Well, for MOST of the
configuration files, root-ownage is OK, but I agree that
merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the
wrong roup owner and permissions, and exchange-db.secret.conf should probably
be 640 instead of 660.
.. code-block:: shell-session
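Review bot: The comment block removed just before the ``.. code-block:: shell-session`` directive recorded a concrete finding, and nothing in this hunk replaces it with the expected state. The FIXME said merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the wrong group owner and permissions, and that exchange-db.secret.conf should probably be 640 instead of 660. If the packaging was corrected, the commit message should say so; either way, a sentence next to the ``.secret.conf`` description giving the intended owner, group and mode of each secret file would let an operator check a deployment against the guide.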
@@ -176,12 +173,9 @@ to compartmentalize different parts of the system:
The exchange setup uses the following system groups:
* taler-exchange-db: group for all Taler users with direct database access,
specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer
and taler-exchange-aggregator
-* taler-exchange-secmod: group for processes with access to online signing
keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and
taler-exchange-httpd
+* taler-exchange-secmod: group for processes with access to online signing
keys; this group must have three users: taler-exchange-secmod-rsa,
taler-exchange-secmod-eddsa and taler-exchange-httpd
* taler-exchange-offline: group for the access to the offline private key
(only used on the offline host and not used on the online system)
-..
- FIXME: "taler-exchange-secmod: group for processes with access to online
signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and
taler-exchange-httpd .... what?" Seems that this sentence lacks conclusion.
-
The package will deploy systemd service files in
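Review bot: In the taler-exchange-secmod bullet, "this group must have three users" gives a count but leaves open whether further accounts may be added. Because membership grants access to the online signing keys, consider wording such as "the members of this group must be exactly taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd" if that is the intent, and phrase it like the taler-exchange-db bullet so both membership lists read the same way.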
@@ -252,13 +246,6 @@ reasonable denomination structure.
taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01
--max-amount EUR:100 > /etc/taler/conf.d/exchange-coins.conf
-.. note::
-
- FIXME: change tool to not take currency from configuration, but instead
- to accept unit currency as the argument; (i.e. EUR:0.0025). Also take
- another argument for how many denominations to generate (2^XX). Finally,
- do use the unit currency as the default deposit fee.
-
You can manually review and edit the generated configuration file. The main
change that is possibly required is updating the various fees.
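Review bot: The note removed after the gen-coin-config command was a change request for the tool itself (take the unit currency as an argument, take the number of denominations, default the deposit fee to the unit currency), yet the command kept in the context lines still passes --min-amount and --max-amount. If the request is still open, reference where it is tracked in the commit message rather than dropping it under a "resolved" subject; if it was rejected, one line saying so would help later readers of the history.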
@@ -306,14 +293,8 @@ The HTTP port and database connection string can be edited
in the configuration:
LIBEUFIN_NEXUS_DB_CONNECTION=jdbc:sqlite:/var/lib/libeufin/nexus/nexus-db.sqlite3
After configuring the database, you can start the service.
-The database is initialized automatically, there is no ``dbinit`` command
-for the LibEuFin nexus.
+The database is initialized automatically.
-..
- FIXME: 'dbinit' isn't a (exact) name for exchane and merchant, but this way
- the reader might wrongly think it is. Also, steps that should NOT be taken
- could - by not being mentioned - spare time (to the reader) and space to the
- document. So the part after comma for me can be removed.
.. code-block:: shell-session
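Review bot: The shortened sentence "The database is initialized automatically." does not say when that happens; following "you can start the service", the reader can only infer it. If initialization happens when the service starts, say so explicitly (for example "initialized automatically on first start") so nobody goes looking for a separate initialization step.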
@@ -779,34 +760,28 @@ Finally we need to grant the other accounts limited
access:
.. code-block:: shell-session
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN
SCHEMA public TO "taler-exchange-aggregator";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN
SCHEMA public TO "taler-exchange-closer";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN
SCHEMA public TO "taler-exchange-wire";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public
TO "taler-exchange-aggregator";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public
TO "taler-exchange-closer";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
- [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public
TO "taler-exchange-wire";' \
- | sudo -u taler-exchange-httpd psql taler-exchange
-
-..
- FIXME: the above commands do work, except that they produce a eye-unfriendly
"cannot change to /root directory"
- message after the execution. This might be avoided by first getting a shell
as the taler-exchange-httpd user
- and then run the SQL statements.
+ [root@exchange-online]# sudo -u taler-exchange-httpd bash
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON
ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON
ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON
ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES
IN SCHEMA public TO "taler-exchange-aggregator";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES
IN SCHEMA public TO "taler-exchange-closer";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES
IN SCHEMA public TO "taler-exchange-wire";' \
+ | psql taler-exchange
+ [taler-exchange-httpd@exchange-online]# exit
.. note::
The above instructions for changing database permissions only work *after*
having initialized the database with ``taler-exchange-dbinit``, as
- the tables to exist before permissions can be granted on them.
-
-..
-
- FIXME: Why don't we grant the permissions to the schema / database then?
-
+ the tables to exist before permissions can be granted on them. The
+ ``taler-exchange-dbinit`` tool cannot setup these permissions, as it
+ does not know which users will be used for which processes.
Offline Signing Setup
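Review bot: The new ``[taler-exchange-httpd@exchange-online]#`` prompts keep the ``#`` marker although these commands now run in an unprivileged shell; use ``$`` for the taler-exchange-httpd lines (including the final ``exit``) so the transcript shows which commands need root. In the note below the block, the unchanged line "the tables to exist before permissions can be granted on them" is missing its verb ("the tables have to exist"), and the added text should read "cannot set up" rather than "cannot setup". Since the note already states that the grants only work on tables that exist, it would also be worth saying whether the GRANT statements must be repeated after a later schema change adds tables.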