Forum OpenACS Development: problem with updating acs-kernel

Collapse
1: problem with updating acs-kernel
Posted by Rafael Calvo on 02/27/02 03:03 AM
Hi I just updated the core packages form CVS.
I get the following message, that I don't remember seeing before: 
To install the kernel datamodel in PostgreSQL 7.1 database user named
in your AOLserver database pools must have the CREATEUSER
       privilege. You must drop your database and user and recreate
the user, answering "yes" when asked if the new user should be able to
create
       other users.

I didn't want to drop the DB as I have already some data there, and recovering from a backaup that might have a different data model might be a mess... I tried 
alter user nsadmin CREATEUSER
but didn't work...any ideas?
Collapse
2: Response to problem with updating acs-kernel (response to 1)
Posted by David Walker on 02/27/02 03:39 AM
Were you user postgres when you issued this command?

I don't know exactly how it works but I suspect you must have createuser
privilege in order to bestow createuser privilege.

Collapse
3: Response to problem with updating acs-kernel (response to 1)
Posted by Don Baccus on 02/27/02 03:42 AM
Unfortunately "alter user nsadmin createuser" doesn't appear to grant the superuser permission to the user.  However, if the user is already a superuser and you remove the permission that works really great!

The need for this privilege will go away when running PG 7.2, at some point.

What you need to do is to pg_dump your database, drop the database and user, recreate the user with the superuser privilege, load acs-kernel/sql/postgresql.sql, then reload your data.

I suggest trying this on a test system before dropping your database and data, though.

You'll get some duplicate function definition errors when you reload but these are safely ignored.

Collapse
4: Response to problem with updating acs-kernel (response to 1)
Posted by David Walker on 02/27/02 03:55 AM
Well I felt the call of the hack and came up with

update pg_shadow set usecreatedb='t' where usename='testuser';

Not as elegant as the alter user statement but it does work on my Postgres
7.1 box.

Collapse
5: Response to problem with updating acs-kernel (response to 1)
Posted by Rafael Calvo on 02/27/02 04:16 AM
I tried what Don said: I get 
RROR:  pg_proc: Permission denied.
DROP
ERROR:  Function 'tree_ancestor_keys(varbit, int4)' does not exist
        Unable to identify a function that satisfies the given argument types
        You may need to add explicit typecasts
CREATE
CREATE
 create_user_col_comments 
--------------------------
 t
(1 row)

DROP
CREATE
NOTICE:  CREATE TABLE/PRIMARY KEY will create implicit index 'acs_function_args_pk' for table 'acs_function_args'
NOTICE:  CREATE TABLE/UNIQUE will create implicit index 'acs_function_args_un' for table 'acs_function_args'
similar to what I get in the log when I tried to start it after deleting the db.
before this I just did: dropdb mysite createdb -U nsadmin mysite createlang plpgsql mysite other ideas?
Collapse
6: Response to problem with updating acs-kernel (response to 1)
Posted by Rafael Calvo on 02/27/02 04:19 AM
BTW,
postgres does not ask me about the permissions for the user nsadmin.
I am creating the DB as user postgres
Collapse
7: Response to problem with updating acs-kernel (response to 1)
Posted by Jowell Sabino on 02/27/02 04:22 AM
Pardon me if this solution is silly, but it seems to me that in openacs we require the database user (aolserver) to have database superuser privileges (after all, the user must be able to create another user and a database). So... why not confer aolserver the superuser identity, without actually creating a new database user or dumping/restoring the existing database, by using the "peer" authentication model? That is, in pg_hba.conf have 
localhost all peer openacs
and in pg_ident.conf, 
openacs   aolserver  postgres
where "aolserver" is the owner of the aolserver process, and "postgres" is the database superuser? Whoever owns the database that contains the data will now be accessed by "aolserver" as the "postgres" superuser, which should give all access.

Don, am I totally off here?

Collapse
8: Response to problem with updating acs-kernel (response to 1)
Posted by Rafael Calvo on 02/27/02 04:34 AM
Hi Jowell!

I don't know about your idea, but just wanted to comment/ask that some use nsadmin instead of aolserver as aolserver admin. The docuemnation used to be (I dont know know) ambiguous about it.

Collapse
9: Response to problem with updating acs-kernel (response to 1)
Posted by Rafael Calvo on 02/27/02 04:52 AM
Well, I deleted the user (for which I had to delete all of its DB) and it worked
Collapse
10: Response to problem with updating acs-kernel (response to 1)
Posted by Don Baccus on 02/27/02 04:11 PM
Actually ... David Walker's solution is a good one and needs to be snarfed for the documentation.  Apparently alter user doesn't modify pg_shadow, which is why it doesn't work.

Jowell ... after the datamodel's loaded, there should be no need for the database user to have PG superuser rights, and in PG 7.2 shouldn't even be needed to load the datamodel.

I hope, at least.

Collapse
11: Response to problem with updating acs-kernel (response to 1)
Posted by Don Baccus on 02/27/02 04:17 PM
Of course a PG superuser needs to do the "createlang" on the database, but this doesn't need to be done by the user who owns the database and who accesses it via the AOLserver driver.