Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0045385
TypeCategorySeverityReproducibilityDate SubmittedLast Update
design defect[Openbravo ERP] A. Platformmajorhave not tried2020-11-05 15:522020-11-27 07:23
ReportershuehnerView Statuspublic 
Assigned Toshuehner 
PrioritynormalResolutionfixedFixed in VersionPR21Q1
StatusclosedFix in branchFixed in SCM revision
ProjectionnoneETAnoneTarget VersionPR21Q1
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned To
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0045385: Cannot run and create.database twice against AWS RDS database: ERROR: must be owner of database openbravo

DescriptionUsing Amazon RDS postgres variant running ant create.database a second time fails with error
/opt/OpenbravoERP/src-db/database/build-create.xml:104: org.postgresql.util.PSQLException: ERROR: must be owner of database openbravo

Cause is the 'postgres' aka masteruser from RDS with role rds_superuser does not allow 'drop database' if a database not owned by this user.

That is different behavior from 'postgres' superuser in standard PostgreSQL which allows doing that.
Steps To ReproduceCreate Amazon RDS environment (i.e. v12)
configure Openbravo.properties:
- bbdd.url to point to 'endpoint' for RDS instance
- user + userPassword i.e. tad/tad (not important)
- systemUser = <username of masteruser on RDS creation>
- systemPassword = <password of masteruser>

ant create.database (first time)
ant create.database (2nd time)

Observe the permissions error on 2nd run when the 'drop database openbravo' SQL command is executed.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
depends on backport 0045514PR20Q4 closedshuehner Cannot run and create.database twice against AWS RDS database: ERROR: must be owner of database openbravo 

-  Notes
(0124621)
hgbot (developer)
2020-11-25 18:27

Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/245 [^]
(0124638)
hgbot (developer)
2020-11-27 07:23

Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/245 [^]
(0124639)
hgbot (developer)
2020-11-27 07:23

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: 6e413f3e92249eb8555b75dba53552674db51526
Author: Stefan Huehner <stefan.huehner@openbravo.com>
Date: 2020-11-25T17:15:25+00:00
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/6e413f3e92249eb8555b75dba53552674db51526 [^]

Fixes ISSUE-45385: Fix repeated create.database error with RDS

Amazon RDS (managed postgres) behaves different with regards of
permissions for 'DROP DATABASE' run by a user which is not the owner of
the database:

The 'ant create.database' command does DROP the configured database (if
it exists) before creating it again (to allow to run the command
repeatedly). That 'DROP DATABASE' is run with the configured bbdd.systemUser
which is typically the PostgreSQL superuser.

Standard PostgreSQL allows the database superuser (typically called
postgres) to drop any database (also if those are owned by different
users like 'tad'

Amazon RDS has a masteruser (with rds_admin role granted) which is the
equivalent of the postgres superuser but which is not allowed to DROP
databases not owned by itself (but it is allowed to take over ownership
of any databasE)

To make that work transparently for the user take over the ownership of
the database just before the 'DROP DATABASE' command to avoid that
permission error.
The 'ALTER DATABASE' command does not have an option 'IF EXISTS' so to
not make it fail in the first use of 'ant create.database' where the
database does not yet exist check for the database to exist before
running the command with an plpgsql DO block.

As the database is being DROPped right after the ownership change does
not have any permanent side-effect. Do avoid the database owner being
change permanently run the ALTER command in the same transaction as the
DROP command. That avoid the different owner leaking in case of the DROP
failing (i.e. when 1 common user is used to create several databases as
it is used ometimes on some developer systems)

---
M src-db/database/build-create.xml
---

- Issue History
Date Modified Username Field Change
2020-11-05 15:52 shuehner New Issue
2020-11-05 15:52 shuehner Assigned To => shuehner
2020-11-05 15:52 shuehner Modules => Core
2020-11-05 15:52 shuehner Triggers an Emergency Pack => No
2020-11-25 18:23 shuehner Status new => scheduled
2020-11-25 18:27 hgbot Note Added: 0124621
2020-11-27 07:23 hgbot Note Added: 0124638
2020-11-27 07:23 hgbot Resolution open => fixed
2020-11-27 07:23 hgbot Status scheduled => closed
2020-11-27 07:23 hgbot Fixed in Version => PR21Q1
2020-11-27 07:23 hgbot Note Added: 0124639


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker