[taler-docs] branch master updated: dbconfig now also deals with permiss


From: gnunet
Subject: [taler-docs] branch master updated: dbconfig now also deals with permissions
Date: Fri, 15 Sep 2023 09:51:40 +0200

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository docs.

The following commit(s) were added to refs/heads/master by this push:
     new 1f76b31e dbconfig now also deals with permissions
1f76b31e is described below

commit 1f76b31ecd250b211ed102ecda31943c49208d8b
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Sep 15 09:51:31 2023 +0200

    dbconfig now also deals with permissions
---
 taler-exchange-manual.rst | 46 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/taler-exchange-manual.rst b/taler-exchange-manual.rst
index d84214b2..df05fbfc 100644
--- a/taler-exchange-manual.rst
+++ b/taler-exchange-manual.rst
@@ -541,7 +541,7 @@ The following users must have access to the exchange 
database:
 * taler-exchange-closer
 
 These users are all in the taler-exchange-db group, and the
-``exchange-db.secret.conf`` should already be only readable by users in
+``exchange-db.secret.conf`` should be only readable by users in
 this group.
 
 .. note::
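
Review bot: With "already" dropped, the sentence about ``exchange-db.secret.conf`` now reads as a requirement on the operator, but nothing in the visible lines says how to meet or check it. Consider stating the expected owner, group and file mode, or naming the tool or package that sets them. "should only be readable" would also read more naturally than "should be only readable".
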
@@ -549,8 +549,8 @@ this group.
    The **taler-exchange-dbconfig** tool can be used to automate the database
    setup. When using the Debian/Ubuntu packages, the users should already have
    been created, so you can just run the tool without any arguments and should
-   have a working database configuration.  Subsequently, must still grant
-   access to the other users (see below). (NOTE: we should automate this.)
+   have a working database configuration. The rest of this section only
+   explains what the **taler-exchange-dbconfig** shell script fully automates.
 
 To create a database for the Taler exchange on the local system, run:
 
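Review bot: The new closing sentence of the note says the script "fully automates" what follows, but the manual steps below stay in place with no hint that a reader who ran the tool should skip them. Say so explicitly, and state which accounts the tool grants access to, since the removed text told operators they still had to grant access to the other users by hand. The note also calls the same program a "tool" in its first sentence and a "shell script" in its last; pick one.
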
@@ -608,17 +608,17 @@ Finally we need to grant the other accounts limited 
access:
 .. code-block:: shell-session
 
   [root@exchange-online]# sudo -u taler-exchange-httpd bash
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA exchange TO "taler-exchange-aggregator";' \
     | psql taler-exchange
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA exchange TO "taler-exchange-closer";' \
     | psql taler-exchange
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT SELECT,INSERT,UPDATE ON 
ALL TABLES IN SCHEMA exchange TO "taler-exchange-wire";' \
     | psql taler-exchange
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-aggregator";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA exchange TO "taler-exchange-aggregator";' \
     | psql taler-exchange
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-closer";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA exchange TO "taler-exchange-closer";' \
     | psql taler-exchange
-  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA public TO "taler-exchange-wire";' \
+  [taler-exchange-httpd@exchange-online]# echo 'GRANT USAGE ON ALL SEQUENCES 
IN SCHEMA exchange TO "taler-exchange-wire";' \
     | psql taler-exchange
   [taler-exchange-httpd@exchange-online]# exit
 
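Review bot: Moving the six GRANT statements from ``public`` to ``exchange`` leaves out schema-level access: in PostgreSQL a role needs USAGE on a schema other than ``public`` before table or sequence privileges inside it take effect, and no such grant appears in the visible lines. Unless it is issued elsewhere in the manual, add a statement such as ``GRANT USAGE ON SCHEMA exchange TO "taler-exchange-aggregator";`` for each of the three accounts. It is also worth saying here that ``ON ALL TABLES IN SCHEMA`` only covers tables that exist when the statement runs, which is why the grants have to be repeated after a migration.
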
@@ -626,7 +626,7 @@ Finally we need to grant the other accounts limited access:
 
    The above instructions for changing database permissions only work *after*
    having initialized the database with ``taler-exchange-dbinit``, as
-   the tables to exist before permissions can be granted on them. The
+   the tables need to exist before permissions can be granted on them. The
    ``taler-exchange-dbinit`` tool cannot setup these permissions, as it
    does not know which users will be used for which processes.
 
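Review bot: The context sentence "``taler-exchange-dbinit`` tool cannot setup these permissions" is left as the last word on the topic, although this commit documents that **taler-exchange-dbconfig** now handles them. Add a pointer to that tool in this note, and while touching the paragraph change "setup" to the verb "set up".
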
@@ -2167,10 +2167,27 @@ The database scheme used by the exchange looks as 
follows:
 Database upgrades
 -----------------
 
-Currently, there is no way to upgrade the database between Taler
-versions.
+Before installing a new exchange version, you should probably make a backup of
+the existing database and study the release notes on migration.  In general,
+the way to migrate is to stop all existing Taler exchange processes and run:
 
-The exchange database can be re-initialized using:
+.. code-block:: console
+
+   $ taler-exchange-dbinit
+
+This will migrate the existing schema to the new schema. You also may need
+to grant Taler exchange processes the rights to the new tables (see last
+step of database setup).
+
+.. note::
+
+   The **taler-exchange-dbconfig** tool can be used to automate the database
+   migration. In general, simply invoking it again should trigger the
+   migration including **taler-exchange-dbinit** and setting the permissions.
+
+
+If you do not want to keep any data from the previous installation, the
+exchange database can be fully re-initialized using:
 
 .. code-block:: console
 
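Review bot: "you should probably make a backup" in the first added paragraph is too weak for a database whose loss, per the text further down, "may result in significant financial liabilities"; drop "probably". The added ``$ taler-exchange-dbinit`` block does not say which account runs it, while the setup section switches to ``taler-exchange-httpd`` before issuing database commands. "You also may need to grant" should say when: whenever the migration creates tables or sequences, since grants issued earlier do not cover them.
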
@@ -2179,7 +2196,8 @@ The exchange database can be re-initialized using:
 However, running this command will result in all data in the database
 being lost, which may result in significant financial liabilities as the
 exchange can then not detect double-spending. Hence this operation must
-not be performed in a production system.
+not be performed in a production system. You still also need to then
+grant the permissions to the other exchange processes again.
 
 
 
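Review bot: The added sentence "You still also need to then grant the permissions" is hard to parse and, placed right after "must not be performed in a production system", reads as if it belonged to the prohibition. Reword it, for example "After re-initializing, the permissions for the other exchange processes must be granted again", and give it its own paragraph next to the command, or point to **taler-exchange-dbconfig** as the note in the previous hunk does.
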

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


