Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gsa.datagov-deploy-postgresql only works the first time in sandbox #1336

Closed
adborden opened this issue Feb 7, 2020 · 4 comments
Closed

gsa.datagov-deploy-postgresql only works the first time in sandbox #1336

adborden opened this issue Feb 7, 2020 · 4 comments
Labels
component/catalog Related to catalog component playbooks/roles component/inventory Inventory playbooks/roles

Comments

@adborden
Copy link
Contributor

adborden commented Feb 7, 2020

TASK [gsa.datagov-deploy-postgresql : grant privileges for app role] *****************************************************************************************
fatal: [inventory-web1tf.internal.ci.datagov.us]: FAILED! => {"changed": false, "msg": "permission denied for relation _table_metadata\n"}

The first apply works fine, but subsequent ones fail with this error. This role is only applied to sandbox environments (we'd like them to run on production in order to rotate creds, but don't want to do that work yet).

Work-around: specify --skip-tags database when running in the sandbox to avoid running this role.

How to reproduce

  1. ansible-playbook catalog.yml --inventory inventories/ci

Expected behavior

Role applies successfully.

Actual behavior

Role fails.

@adborden adborden added compliance Relating to security compliance or documentation component/catalog Related to catalog component playbooks/roles component/inventory Inventory playbooks/roles labels Feb 7, 2020
@adborden adborden changed the title gsa.datagov-deploy-postgresql only work the first time in sandbox gsa.datagov-deploy-postgresql only works the first time in sandbox Mar 20, 2020
adborden added a commit that referenced this issue Mar 20, 2020
#1336

Currently, this role only works on a new, empty database and then we need to
skip this role after that. Let's remove the role until we can rethink and
refactor it.
@adborden
Copy link
Contributor Author

Stepping back, I think we want to simplify this role to only manage one application database and one app user. Managing the permissions gets complicated. For Inventory, which needs to create a datastore read-only user, this really needs to be handled by the application since paster generates the SQL commands. This fits better with cloud.gov, since the application is going to have to create that database user at startup.

@jbrown-xentity
Copy link
Contributor

Couldn't we design a script that runs inside the app on startup? This would then be run locally, on staging, on cloud.gov, etc while using environment variables so that we ensure this is working as expected? @adborden

@adborden
Copy link
Contributor Author

Yes! You've hit the nail on the head. What we're struggling with here is the line between platform responsibility vs application responsibility. The application is responsible for creating the schema and running migrations while the platform should be responsible for creating a database, creating a user, setting the password, and exposing those details as configuration (environment variables) to the application.

We ran into trouble here when we said the read-only datastore user should be created by the platform. But from a technical standpoint, postgresql doesn't support that very well since the read-only-ness is set using table-level permissions and really only CKAN knows about the schemas in order to do that (that's why they have a paster command to generate SQL).

So, yes, what should happen is this role should:

  • create the database
  • create a "privileged" role (that can be used by CKAN to create the datastore read-only user)
  • set the password
  • enable extensions like postgis.

Then, as you say, the startup script should run any migrations and set permissions on the datastore user. This should work the same in all environments.

We're already doing this on Dashboard. CodeIgniter has this built in at request time (I would prefer startup time, but whatever).

One catch on BSP, since CKAN is run via apache2, there's no good place to execute the startup script. This is why we need to separate CKAN into its own process (a startup script that ends with executing a wsgi program).

@mogul mogul removed the compliance Relating to security compliance or documentation label Jun 1, 2021
@nickumia-reisys
Copy link
Contributor

There are still issue with db initialization in local tests (for certain ckan extensions). But the issue of db initialization for local catalog testing and all cloud.gov spaces is resolved. There are a lot of references to list for this, but as a start,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component/catalog Related to catalog component playbooks/roles component/inventory Inventory playbooks/roles
Projects
None yet
Development

No branches or pull requests

4 participants