Fails to start without CREATEDB permissions

[Josua-SR]

Description

Steps to reproduce

1. Create Unprivileged database user
2. Create database for portus owned by said database user
3. Configure portus to use the created user and database
4. start portus

• Expected behavior: Portus happily uses its database

• Actual behavior: Portus drops then database, and tries to create it again. Which will fail because it hasn't been assigned CREATEDB permissions - which arguably are completely unnecessary for operation.

Log:

[WARN] table PublicActivity::ORM::ActiveRecord::Activity doesn't exist. Skipping PublicActivity::Activity#parameters's serialization
Initializing database
[WARN] table PublicActivity::ORM::ActiveRecord::Activity doesn't exist. Skipping PublicActivity::Activity#parameters's serialization
PG::InsufficientPrivilege: ERROR:  permission denied to create database
: CREATE DATABASE "portus" ENCODING = 'utf8'
Couldn't create 'portus' database. Please check your configuration.
rake aborted!
ActiveRecord::StatementInvalid: PG::InsufficientPrivilege: ERROR:  permission denied to create database
: CREATE DATABASE "portus" ENCODING = 'utf8'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `async_exec'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `block (2 levels) in execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:48:in `block in permit_concurrent_loads'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/concurrency/share_lock.rb:187:in `yield_shares'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:47:in `permit_concurrent_loads'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:74:in `block in execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:581:in `block (2 levels) in log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:580:in `block in log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:571:in `log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:73:in `execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/schema_statements.rb:46:in `create_database'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/postgresql_database_tasks.rb:21:in `create'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:119:in `create'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:139:in `block in create_current'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:316:in `block in each_current_configuration'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:313:in `each'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:313:in `each_current_configuration'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:138:in `create_current'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/railties/databases.rake:29:in `block (2 levels) in <top (required)>'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/rake-12.3.2/exe/rake:27:in `<top (required)>'

Caused by:
PG::InsufficientPrivilege: ERROR:  permission denied to create database
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `async_exec'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `block (2 levels) in execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:48:in `block in permit_concurrent_loads'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/concurrency/share_lock.rb:187:in `yield_shares'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:47:in `permit_concurrent_loads'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:74:in `block in execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:581:in `block (2 levels) in log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:580:in `block in log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.3/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:571:in `log'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:73:in `execute'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/schema_statements.rb:46:in `create_database'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/postgresql_database_tasks.rb:21:in `create'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:119:in `create'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:139:in `block in create_current'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:316:in `block in each_current_configuration'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:313:in `each'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:313:in `each_current_configuration'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/tasks/database_tasks.rb:138:in `create_current'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.3/lib/active_record/railties/databases.rake:29:in `block (2 levels) in <top (required)>'
/srv/Portus/vendor/bundle/ruby/2.6.0/gems/rake-12.3.2/exe/rake:27:in `<top (required)>'
Tasks: TOP => db:setup => db:schema:load_if_ruby => db:create
(See full trace by running task with --trace)
exit status 1

Deployment information

Deployment method:

Kubernetes - but writing the yaml manually based on the opensuse/portus container.

Configuration:

No special configuration, apart from choosing to use postgres.

Portus version: opensuse/portus:2.5

[Jean-Baptiste-Lasselle]

totally agree with @Josua-SR point of view on CREATEDB permissions being completely unnecessary for startup operation,if database already exists.

[stale[bot]]

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[Josua-SR]

/unstale

[phrfpeixoto]

I'm having the exact same issue.

[Tontaube]

running into the same issue. Is there any documentation of how to set up the permissions on database side, if using a shared (between applications) database server and not wasting ressources (separate daemon in memory, backup and monitoring procedures) for another mysql/mariadb instance? expected behaviour:

• being able to create a database and a user according to an "advanced" section in portus docs which later can be specified in database.yml / env variables
• this user only requiring the permissions inside of the database
• if needed, the database bootstrap code if this permissions are not enough for the initial creation of the database (but I prefer the compromise of an higher privileged user, e.g. with create trigger permissions or similar, instead having troubles with each upgrade of portus). Thank you very much for your valuable work!

[stale[bot]]

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.