At the moment, since `save_active_sites` needs to access the tiers database, and the postgres SSL certs are only readable by `www-data`, not `edxapp`, this command needs to run as the same user that gunicorn, celery, etc. run as.
The longer story here is that the `psycopg2` driver enforces the restriction that the SSL private key file used to connect to the database cannot be group or world readable. That means that it has to be restricted to just one user: either `edxapp` or `www-data`. IMO, it should be `www-data`, but pretty much the entire rest of the edx codebase runs things like `gunicorn` and celery workers as `www-data`. That's bad, but will be a large effort to fix. We only run into it on Tiers-related stuff because of our use of PostgreSQL. The MySQL driver doesn't enforce the same restriction, so the MySQL certificate files can be (and are) world readable, so both `edxapp` and `www-data` can read them.
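An added example (not code from this PR or the edx codebase): a pre-flight check that mirrors the private-key rule the comment describes, so the deployment user can verify the `sslkey` file is owned by it and not group/world accessible before the management command tries to connect. The key filenames and contents are constructed placeholders.

```python
import os
import stat
import tempfile
from typing import Dict, Tuple


def check_ssl_key_permissions(path: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a PostgreSQL client private key file.

    Mirrors the rule enforced by libpq (and therefore psycopg2): the file
    must be a regular file, readable by the connecting user, owned by the
    connecting user, and have no group/world permission bits (0600 or stricter).
    Newer libpq releases additionally accept root-owned keys with mode 0640;
    this check deliberately applies only the stricter rule from the comment.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path}: key file does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path}: not a regular file"
    me = os.geteuid()
    if st.st_uid != me:
        # This is the edxapp vs. www-data situation: the file exists but belongs to another user.
        return False, f"{path}: owned by uid {st.st_uid}, but connecting as uid {me}"
    if not os.access(path, os.R_OK):
        return False, f"{path}: not readable by uid {me}"
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False, f"{path}: mode {mode:04o} is group/world accessible; need 0600 or stricter"
    return True, f"{path}: mode {mode:04o} is acceptable"


def demo() -> Dict[str, bool]:
    """Create constructed dummy key files with several modes and check each one."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        for mode in (0o600, 0o400, 0o640, 0o644):
            key_path = os.path.join(tmpdir, f"key_{mode:04o}.pem")
            with open(key_path, "w") as fh:
                fh.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END PRIVATE KEY-----\n")
            os.chmod(key_path, mode)  # chmod sets the mode exactly, independent of umask
            results[f"{mode:04o}"] = check_ssl_key_permissions(key_path)[0]
    return results


if __name__ == "__main__":
    for mode, ok in demo().items():
        print(f"mode {mode}: {'OK' if ok else 'REJECTED'}")
```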