Wizard: Differentiate between privileges required to create and setup a db

Fixes the bug that if a database and a login are already existing and only
the schema needs to be set up, which is possible using the resource's login,
the user is required to provide another login with the seemingly missing
privileges.

refs #8707
This commit is contained in:
Johannes Meyer 2015-04-13 14:10:24 +02:00
parent 5c61405a9a
commit d038a2795d
2 changed files with 32 additions and 17 deletions

View File

@ -721,7 +721,8 @@ EOD;
foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) { foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) {
if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) { if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) {
$tablePrivileges[] = $privilege; $tablePrivileges[] = $privilege;
} elseif ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) { }
if ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
$dbPrivileges[] = $privilege; $dbPrivileges[] = $privilege;
} }
} }
@ -760,7 +761,6 @@ EOD;
// connected to the database defined in the resource configuration it is safe to just ignore them // connected to the database defined in the resource configuration it is safe to just ignore them
// as the chances are very high that the database is created later causing the current user being // as the chances are very high that the database is created later causing the current user being
// the owner with ALL privileges. (Which in turn can be granted to others.) // the owner with ALL privileges. (Which in turn can be granted to others.)
}
if (array_search('CREATE', $privileges) !== false) { if (array_search('CREATE', $privileges) !== false) {
$query = $this->query( $query = $this->query(
@ -769,6 +769,7 @@ EOD;
); );
$privilegesGranted &= $query->fetchColumn() !== false; $privilegesGranted &= $query->fetchColumn() !== false;
} }
}
if (array_search('CREATEROLE', $privileges) !== false) { if (array_search('CREATEROLE', $privileges) !== false) {
$query = $this->query( $query = $this->query(

View File

@ -17,7 +17,7 @@ use Icinga\Module\Setup\Forms\PreferencesPage;
use Icinga\Module\Setup\Forms\AuthBackendPage; use Icinga\Module\Setup\Forms\AuthBackendPage;
use Icinga\Module\Setup\Forms\AdminAccountPage; use Icinga\Module\Setup\Forms\AdminAccountPage;
use Icinga\Module\Setup\Forms\LdapDiscoveryPage; use Icinga\Module\Setup\Forms\LdapDiscoveryPage;
use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage; //use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
use Icinga\Module\Setup\Forms\LdapResourcePage; use Icinga\Module\Setup\Forms\LdapResourcePage;
use Icinga\Module\Setup\Forms\RequirementsPage; use Icinga\Module\Setup\Forms\RequirementsPage;
use Icinga\Module\Setup\Forms\GeneralConfigPage; use Icinga\Module\Setup\Forms\GeneralConfigPage;
@ -41,6 +41,17 @@ use Icinga\Module\Setup\Requirement\ConfigDirectoryRequirement;
*/ */
class WebWizard extends Wizard implements SetupWizard class WebWizard extends Wizard implements SetupWizard
{ {
/**
* The privileges required by Icinga Web 2 to create the database and a login
*
* @var array
*/
protected $databaseCreationPrivileges = array(
'CREATE',
'CREATE USER', // MySQL
'CREATEROLE' // PostgreSQL
);
/** /**
* The privileges required by Icinga Web 2 to setup the database * The privileges required by Icinga Web 2 to setup the database
* *
@ -48,10 +59,8 @@ class WebWizard extends Wizard implements SetupWizard
*/ */
protected $databaseSetupPrivileges = array( protected $databaseSetupPrivileges = array(
'CREATE', 'CREATE',
'ALTER', 'ALTER', // MySQL only
'REFERENCES', 'REFERENCES'
'CREATE USER', // MySQL
'CREATEROLE' // PostgreSQL
); );
/** /**
@ -148,7 +157,9 @@ class WebWizard extends Wizard implements SetupWizard
$page->setResourceConfig($this->getPageData('setup_ldap_resource')); $page->setResourceConfig($this->getPageData('setup_ldap_resource'));
} }
} elseif ($page->getName() === 'setup_database_creation') { } elseif ($page->getName() === 'setup_database_creation') {
$page->setDatabaseSetupPrivileges($this->databaseSetupPrivileges); $page->setDatabaseSetupPrivileges(
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges)
);
$page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges); $page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges);
$page->setResourceConfig($this->getPageData('setup_db_resource')); $page->setResourceConfig($this->getPageData('setup_db_resource'));
} elseif ($page->getName() === 'setup_summary') { } elseif ($page->getName() === 'setup_summary') {
@ -211,8 +222,8 @@ class WebWizard extends Wizard implements SetupWizard
try { try {
$db->connectToDb(); // Are we able to login on the database? $db->connectToDb(); // Are we able to login on the database?
if (array_search(key($this->databaseTables), $db->listTables()) === false) { if (array_search(key($this->databaseTables), $db->listTables()) === false) {
// In case the database schema does not yet exist the user // In case the database schema does not yet exist the
// needs the privileges to create and setup the database // user needs the privileges to setup the database
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
} else { } else {
// In case the database schema exists the user needs the required privileges // In case the database schema exists the user needs the required privileges
@ -224,7 +235,10 @@ class WebWizard extends Wizard implements SetupWizard
$db->connectToHost(); // Are we able to login on the server? $db->connectToHost(); // Are we able to login on the server?
// It is not possible to reliably determine whether a database exists or not if a user can't // It is not possible to reliably determine whether a database exists or not if a user can't
// log in to the database, so we just require the user to be able to create the database // log in to the database, so we just require the user to be able to create the database
$skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); $skip = $db->checkPrivileges(
array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges),
$this->databaseTables
);
} catch (PDOException $_) { } catch (PDOException $_) {
// We are NOT able to login on the server.. // We are NOT able to login on the server..
} }