[taler-docs] branch master updated: -close resolved FIXMEs


From: gnunet
Subject: [taler-docs] branch master updated: -close resolved FIXMEs
Date: Fri, 06 Aug 2021 23:03:26 +0200

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository docs.

The following commit(s) were added to refs/heads/master by this push:
     new 7a5fc4d  -close resolved FIXMEs
7a5fc4d is described below

commit 7a5fc4dcd45b131a8dc255f6f7f74a536fac7339
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Aug 6 23:03:23 2021 +0200

    -close resolved FIXMEs
---
 taler-exchange-setup-guide.rst | 63 +++++++++++++-----------------------------
 1 file changed, 19 insertions(+), 44 deletions(-)

diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst
index cf08d0a..82b5a5b 100644
--- a/taler-exchange-setup-guide.rst
+++ b/taler-exchange-setup-guide.rst
@@ -136,9 +136,6 @@ directive and should end with ``.secret.conf``.
 To view the entire configuration annotated with the source of each 
configuration option, you
 can use the ``taler-config`` helper:
 
-..
-  FIXME: mostly all the configuration files are owned root:root.  Is that 
wanted?
-  Wasn't taler-exchange-httpd supposed to own those? CG: Well, for MOST of the 
configuration files, root-ownage is OK, but I agree that 
merchant-db.secret.conf and exchange-accountcredentials.secret.conf have the 
wrong roup owner and permissions, and exchange-db.secret.conf should probably 
be 640 instead of 660.
 
 .. code-block:: shell-session
 
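Review bot: the removed comment records a concrete permissions finding (wrong group owner and permissions on merchant-db.secret.conf and exchange-accountcredentials.secret.conf, and exchange-db.secret.conf at 660 where 640 was suggested), and nothing in this hunk or the commit message shows where that was fixed. These are the files that hold credentials, so either reference the change that corrected the ownership in the commit message, or replace the comment with a sentence stating the expected owner, group and mode of each ``.secret.conf`` file so an operator can verify them.
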
@@ -176,12 +173,9 @@ to compartmentalize different parts of the system:
 The exchange setup uses the following system groups:
 
 * taler-exchange-db: group for all Taler users with direct database access, 
specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer 
and taler-exchange-aggregator
-* taler-exchange-secmod: group for processes with access to online signing 
keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and 
taler-exchange-httpd
+* taler-exchange-secmod: group for processes with access to online signing 
keys; this group must have three users: taler-exchange-secmod-rsa, 
taler-exchange-secmod-eddsa and taler-exchange-httpd
 * taler-exchange-offline: group for the access to the offline private key 
(only used on the offline host and not used on the online system)
 
-..
-  FIXME: "taler-exchange-secmod: group for processes with access to online 
signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and 
taler-exchange-httpd .... what?"  Seems that this sentence lacks conclusion.
-
 
 
 The package will deploy systemd service files in
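Review bot: in the rewritten taler-exchange-secmod bullet, "this group must have three users" hard-codes a count and leaves open whether additional members are acceptable. Suggest stating the membership requirement directly, for example "its members must be exactly taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd", which also makes the least-privilege intent around the online signing keys explicit. The deletion also leaves three consecutive blank lines before "The package will deploy".
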
@@ -252,13 +246,6 @@ reasonable denomination structure.
 
   taler-wallet-cli deployment gen-coin-config --min-amount EUR:0.01 
--max-amount EUR:100 > /etc/taler/conf.d/exchange-coins.conf
 
-.. note::
-
-   FIXME: change tool to not take currency from configuration, but instead
-   to accept unit currency as the argument; (i.e. EUR:0.0025). Also take
-   another argument for how many denominations to generate (2^XX). Finally,
-   do use the unit currency as the default deposit fee.
-
 You can manually review and edit the generated configuration file. The main
 change that is possibly required is updating the various fees.
 
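Review bot: with the note removed, the context below still tells the reader that "updating the various fees" is the main edit required, but the guide no longer gives any hint of what fee values gen-coin-config writes. The dropped FIXME asked for the unit currency to become the default deposit fee; if the tool now does that, say so in one sentence here, and if it does not, the item is not resolved and should be tracked against the tool rather than deleted.
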
@@ -306,14 +293,8 @@ The HTTP port and database connection string can be edited 
in the configuration:
   
LIBEUFIN_NEXUS_DB_CONNECTION=jdbc:sqlite:/var/lib/libeufin/nexus/nexus-db.sqlite3
 
 After configuring the database, you can start the service.
-The database is initialized automatically, there is no ``dbinit`` command
-for the LibEuFin nexus.
+The database is initialized automatically.
 
-..
-  FIXME: 'dbinit' isn't a (exact) name for exchane and merchant, but this way
-  the reader might wrongly think it is.  Also, steps that should NOT be taken
-  could - by not being mentioned - spare time (to the reader) and space to the
-  document.  So the part after comma for me can be removed.
 
 .. code-block:: shell-session
 
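Review bot: the shortened sentence "The database is initialized automatically." no longer says when or by what. If initialization happens when the service starts, fold that into the preceding sentence so the reader knows no separate initialization step is needed before starting it. The removal also leaves two blank lines before the code-block directive.
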
@@ -779,34 +760,28 @@ Finally we need to grant the other accounts limited 
access:
 
 .. code-block:: shell-session
 
-  [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN 
SCHEMA public TO "taler-exchange-aggregator";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-  [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN 
SCHEMA public TO "taler-exchange-closer";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-  [root@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN 
SCHEMA public TO "taler-exchange-wire";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-  [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public 
TO "taler-exchange-aggregator";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-  [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public 
TO "taler-exchange-closer";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-  [root@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES IN SCHEMA public 
TO "taler-exchange-wire";' \
-    | sudo -u taler-exchange-httpd psql taler-exchange
-
-..
-  FIXME: the above commands do work, except that they produce a eye-unfriendly 
"cannot change to /root directory"
-  message after the execution.  This might be avoided by first getting a shell 
as the taler-exchange-httpd user
-  and then run the SQL statements.
+  [root@exchange-online]# sudo -u taler-exchange-httpd bash
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-aggregator";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-closer";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-wire";' \
+    | psql taler-exchange
+  [taler-exchange-httpd@exchange-online]# exit
 
 .. note::
 
    The above instructions for changing database permissions only work *after*
    having initialized the database with ``taler-exchange-dbinit``, as
-   the tables to exist before permissions can be granted on them.
-
-..
-
-  FIXME: Why don't we grant the permissions to the schema / database then?
-
+   the tables to exist before permissions can be granted on them. The
+   ``taler-exchange-dbinit`` tool cannot setup these permissions, as it
+   does not know which users will be used for which processes.
 
 
 Offline Signing Setup
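
Review bot: "sudo -u taler-exchange-httpd bash" keeps the caller's working directory, so when it is run from /root the "cannot change to /root directory" message described in the removed FIXME may still appear on every psql call; check that it is gone, and consider "sudo -i -u taler-exchange-httpd" or a "cd" before the first psql. The added prompt lines end in "#" although the shell is now unprivileged; "$" would be the conventional marker. In the note, "as the tables to exist" is missing a verb (the new lines continue that sentence, so this is a good moment to fix it) and "cannot setup" should be "cannot set up". Since GRANT ... ON ALL TABLES only covers tables that exist when it runs, the note could also tell operators to repeat the grants after a schema upgrade that adds tables.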

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


