From: gnunet
Subject: [taler-ansible-taler-exchange] branch master updated: fix auditor permissions
Date: Tue, 24 Dec 2024 22:24:47 +0100
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository ansible-taler-exchange.
The following commit(s) were added to refs/heads/master by this push:
new 999a0d7 fix auditor permissions
999a0d7 is described below
commit 999a0d73c08417f3cc5fbc56d76f5219046914f1
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Tue Dec 24 22:24:45 2024 +0100
fix auditor permissions
---
README | 3 ++
TODO | 2 -
roles/auditor/tasks/main.yml | 47 ++++++++++++++++++++--
.../conf.d/taler-auditor-master.conf.j2 | 21 ++++++++++
...ditor-accountcredentials-primary.secret.conf.j2 | 1 +
.../conf.d/exchange-business.conf.j2 | 2 -
6 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/README b/README
index 77627a1..06a6df9 100644
--- a/README
+++ b/README
@@ -6,6 +6,9 @@ First, install the prometheus collection using:
$ ansible-galaxy collection install prometheus.prometheus
+Depending on your local installation, you may also need:
+
+$ ansible-galaxy collection install community.postgresql
## Running the Playbook
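Review bot: "you may also need" undersells the new dependency: the auditor role in this same commit calls `community.postgresql.postgresql_privs` unconditionally, so `community.postgresql` is required, not optional. State it as a second required install step (or ship a `requirements.yml` listing both collections) so a fresh checkout does not fail mid-play with an unresolved-module error.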
diff --git a/TODO b/TODO
index 32f1b96..1c3aa14 100644
--- a/TODO
+++ b/TODO
@@ -10,8 +10,6 @@
=> right now uses Bearer token. Is that OK?
@CG:
-- auditor lacks rights to access exchange-DB
-- FIXMEs in auditor about configuration details (libeufin access!)
- add playbooks to TOPS to import/export libeufin transactions
----
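Review bot: both TODO items are dropped, but only the first (exchange-DB rights) is fully addressed by this commit; the libeufin access FIXME is closed by symlinking the exchange's own credential template into the auditor role, which is a shortcut rather than a resolved design. Consider keeping a reduced entry such as "- give the auditor its own (read-only) bank credentials instead of reusing the exchange's" so the credential reuse is not forgotten.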
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml
index 69b2ed4..d6b21dc 100644
--- a/roles/auditor/tasks/main.yml
+++ b/roles/auditor/tasks/main.yml
@@ -94,15 +94,54 @@
group: root
mode: 0644
-# FIXME: copy over configs for exchange-database,
-# exchange-bank account and denominations to auditor/config.d/!
-
- name: Setup Taler Auditor database
shell:
cmd: taler-auditor-dbconfig -c /etc/taler-auditor/taler-auditor.conf
chdir: /tmp
-# FIXME: grant auditor access to the *exchange* database!
+- name: Configure auditor access to exchange bank account
+ ansible.builtin.template:
+ src:
templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
+ dest:
/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf
+ owner: taler-auditor-httpd
+ group: root
+ mode: 0400
+
+- name: Grant access to exchange database
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: SELECT
+ schema: exchange
+ objs: ALL_IN_SCHEMA
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
+
+- name: Grant access to exchange database versioning
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: SELECT
+ schema: _v
+ objs: ALL_IN_SCHEMA
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
+
+- name: Grant usage to exchange database versioning
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: USAGE
+ type: schema
+ objs: _v
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
- name: Ensure taler-auditor service is enabled and started
service:
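Review bot: the SELECT grant on `schema: exchange` is not paired with a USAGE grant on that schema, while `_v` gets both; without USAGE on `exchange` the `taler-auditor-httpd` role cannot reach the tables it was just granted SELECT on, so add a `privs: USAGE`, `type: schema`, `objs: exchange` task mirroring the `_v` one (unless the exchange role already grants it). Also, `objs: ALL_IN_SCHEMA` only covers tables that exist when the play runs; tables created by later exchange schema migrations stay unreadable until the play is re-run, so consider an additional default-privileges grant (`type: default_privs`) for the exchange's database user.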
diff --git
a/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
b/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
index 050d6a6..8f057e6 100644
---
a/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
+++
b/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
@@ -7,3 +7,24 @@ SERVE = unix
CURRENCY = {{ CURRENCY }}
CURRENCY_ROUND_UNIT = {{ CURRENCY_ROUND_UNIT }}
DB = postgres
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}
+
+
+# Bank accounts used by the exchange should be specified here:
+[exchange-account-primary]
+
+ENABLE_CREDIT = YES
+ENABLE_DEBIT = YES
+
+# Account identifier in the form of an RFC-8905 payto:// URI.
+# For SEPA, looks like payto://sepa/$IBAN?receiver-name=$NAME
+# Make sure to URL-encode spaces in $NAME!
+PAYTO_URI = {{ EXCHANGE_BANK_ACCOUNT_PAYTO }}
+
+
+# Credentials to access the account are in a separate
+# config file with restricted permissions.
+@inline-secret@ exchange-accountcredentials-primary
../secrets/auditor-accountcredentials-primary.secret.conf
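Review bot: the inlined secret file is rendered with `mode: 0400` and `owner: taler-auditor-httpd` (tasks hunk above), but this master config is read by every auditor program, not only the HTTP daemon; confirm that the other auditor components that need the bank account credentials run as that same user, or grant read access to a group those processes share, otherwise they will load the config without this section.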
diff --git
a/roles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
b/roles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
new file mode 120000
index 0000000..b1a9a20
--- /dev/null
+++
b/roles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
@@ -0,0 +1 @@
+../../../../../exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
\ No newline at end of file
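Review bot: this symlink makes the auditor's bank credentials identical to the exchange's (`exchange-accountcredentials-primary.secret.conf.j2`), so the auditor holds the same bank login as the component it is supposed to audit independently. If the bank supports a separate read-only credential for the auditor, wire in a distinct variable here; otherwise document in README that the auditor role assumes a single operator running both components.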
diff --git
a/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
b/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
index 81884e1..2602b33 100644
---
a/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
+++
b/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
@@ -9,8 +9,6 @@ TINY_AMOUNT = {{ CURRENCY_ROUND_UNIT }}
# Here you MUST add the master public key of the offline system
# which you can get using `taler-exchange-offline setup`.
-# This is just an example, your key will be different!
-# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}
# Publicly visible base URL of the exchange.
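Review bot: with the example key removed, the remaining comment "Here you MUST add the master public key ..." now sits above a templated `MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}` that the operator should not edit by hand; reword it to say that `EXCHANGE_MASTER_PUB` must be set in the inventory. The same wording was copied into the new auditor template in this commit, so fix both.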