
Re: LAS server configuration.



Mitchell,

I don't believe you'll have to set up the 'las' mysql user with all
privileges.  Here are the lines from $lasroot/las/configure.pl that
interact with the mysql database:

==============================================================
stout.pmel.noaa.gov webuser> grep "dbh->do" configure.pl
        $dbh->do;
    my $rows = $dbh->do(qq(select user,create_priv, drop_priv from user
where user = '$account' AND create_priv = 'Y' AND drop_priv='Y'));
my $rows = $dbh->do(qq(select * from user where user='las' and
Host='$host')) ||
    $dbh->do(qq(insert into user (Host, User, password, Select_priv,
Insert_priv, Update_priv, Delete_priv, Create_priv) VALUES ('$host',
'las', password('lasrules'), 'Y', 'Y', 'Y', 'Y', 'Y'))) || die "Can't
create LAS user account";
    $dbh->do(qq(flush privileges)) || die "Can't create LAS user
account";
==============================================================

I believe your problem comes from the $dbh->do(qq(flush ...)) line.

The mysql documentation states:

"You should use the FLUSH command if you want to clear some of the
internal caches MySQL uses. To execute FLUSH, you must have the RELOAD
privilege."

We should check for this in configure.pl!

But it should also be clear from these lines that there is a difference
between configuring LAS and running LAS.  When the LAS code is run as a
cgi process it will interact with the mysql database with exactly the
permissions listed in the second $dbh->do(qq(insert ...)) line:

Select_priv, Insert_priv, Update_priv, Delete_priv and Create_priv

It is ONLY during the initial configuration process that you need 
permissions to modify the 'user' table.  No extra mysql users are set up
with dangerous privileges.  Once you are done configuring, the
privileged user information (host,user,password) is gone.  It's not even
stored in config.results.

The bottom line is you don't need to worry about running configure as
root.  If you're concerned, just look at the 'user' table after you're done
to see if the new user created has permissions within your comfort zone.


-- Jon



Mitchell Johnson wrote:
> 
> In fact, there is a mysql user las with the password I sent to it.  And
> here's its row in the users table (minus the password field):
> 
> +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> | Host      | User | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
> +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> | localhost | las  | <hash goes here> | Y           | Y           | Y           | Y           | Y           | Y         | N           | N             | N            | N         | N          | N               | N          | N          |
> +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
> 
> Perhaps I should give the LAS user Alter_priv, but there's nothing in the
> configuration script that says I should do that; any ideas?  (I'm not
> entirely sure what alter_priv is, but if it is required to do updates and
> inserts, then it is probably pretty crucial.)
> Furthermore, I can log in to mysql with the configurations I am sending to
> las (I don't want LAS to have root mysql access... there's no reason it
> should have to have that; I'd rather avoid giving it extra permissions.),
> and in fact, the script tells me immediately if I supply incorrect values:
> 
> I need to log in to the MySQL database. To do this, I have to connect to
> your MySQL server using a privileged MySQL account that allows me to create
> a new user account and/or edit the las database.
> Enter name of mysql host : [localhost]
> MySQL account name: [root] crazyuser
> Enter password: [] Error received when attempting to connect to database
> Error was: DBI->connect(mysql:localhost) failed: Access denied for user:
> 'crazyuser@localhost' (Using password: YES) at ./configure.pl line 707
> Enter name of mysql host : [localhost]
> 
> Is there a way I can run LAS as non-root?
> Thanks for your help,
> Mitchell.
> 
> 
>                     Jonathan
>                     Callahan              To:     Mitchell Johnson <mitchelljohnson@fs.fed.us>
>                     <callahan@pmel        cc:
>                     .noaa.gov>            Subject:     Re: LAS server configuration.
> 
>                     10/24/2002
>                     01:51 PM
> 
> 
> 
> Mitchell,
> 
> Sorry for the delay.  I don't work on Wednesdays.
> 
> The error messages say that the user named 'las' does not have
> permission to access databases on mySQL on your system.  I expect you
> should answer:
> 
> Enter name of mysql host : [localhost]
> MySQL account name: [root] ** JUST HIT RETURN HERE
> Enter password: []
> 
> rather than
> 
> Enter name of mysql host : [localhost]
> MySQL account name: [root] las
> Enter password: []
> 
> It is also possible that you need to supply a password or use the actual
> name of your computer instead of localhost.  You can test things by
> trying to run mysql with the HOST, USER and PASSWORD you are supplying
> to the LAS configuration script.  If everything works, your session
> should look something like this:
> 
> [mitchell@duet las]# mysql -u USER -p -h HOST
> Enter password: PASSWORD
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> Your MySQL connection id is 515 to server version: 3.23.45
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
> 
> mysql> quit
> Bye
> [mitchell@duet las]#
> 
> Let me know if you need any more help.
> 
> -- Jonathan Callahan
> 
> Mitchell Johnson wrote:
> >
> > Hi,
> >   This is Mitchell Johnson working for Sim Larkin at the Forest Service.
> >   I'm trying to install a newer version of LAS (I'm assuming I just delete
> > the old tree in /usr/local/las when I'm done with it) than the one
> > installed, and the configuration dies at a certain point, for no reason
> > that I can tell.  Here's a transcript of the configuration dialog:
> >
> > [mitchell@duet las]# ./configure
> > Searching for perl...
> > Location of perl executable [/usr/bin/perl]:
> >
> > Starting Perl configuration script with /usr/bin/perl...
> > Searching for required Perl modules...
> >
> > Location of ferret executable: [/usr/local/ferret/bin/ferret]
> > Verifying Ferret version. This might take a few minutes...
> > You have a valid version of Ferret.
> >
> > Location of java executable: [/usr/local/bin/java]
> > Verifying Java version...
> > You have a valid version of Java.
> >
> > LAS uses the Tomcat Web server. This server needs to be configured
> > to "listen" on three TCP ports. You only need to change the defaults
> > for these ports if you are running more than one Tomcat server
> > Use the following Tomcat ports [8080, 8005, 8008]? [yes]
> > Tomcat set up to listen on ports 8080, 8005, 8008
> >
> > I need to log in to the MySQL database. To do this, I have to connect to
> > your MySQL server using a privileged MySQL account that allows me to create
> > a new user account and/or edit the las database.
> > Enter name of mysql host : [localhost]
> > MySQL account name: [root] las
> > Enter password: []
> >
> > Do you want to create or use a custom LAS directory?
> > This directory allows you to create custom user interface
> > and server extensions for LAS. Custom Ferret or Perl
> > scripts should be placed in this directory.
> > Use custom directory? [no] yes
> > Name of custom directory: [custom]
> > Custom directory server/custom already exists
> > Enter the full domain name of the Web Server (including port number if non
> > standard): [duet.cfr.washington.edu]
> >
> > If the Web server is running, I can make sure that it is a server
> > supported by LAS.
> > Is the server running? [yes]
> > Checking server...
> > Good. You are running an Apache server.
> >
> > You must now specify the path name the Web client will use
> > when accessing LAS. Unless you have more than one version of LAS
> > installed, the default of /las should be fine
> > Enter path name for LAS: [/las]
> >
> > You must now specify the path name the Web client will use
> > to access the LAS server. Unless you have more than one version of LAS
> > installed, the default of /las-bin should be fine
> > Enter path name for the LAS server: [/las-bin]
> > The full path to LAS is:
> > http://duet.cfr.washington.edu/las-bin/LASserver.pl
> >
> > You must now specify the path name the Web client will use
> > when accessing LAS server output. Unless you have more than one version of
> > LAS
> > installed, the default of /las-output should be fine
> > Enter path name for the LAS server output: [/las-output]
> > The full path to LAS output is:
> > http://duet.cfr.washington.edu/las-output/LASserver.pl
> >
> > Editing scripts...
> >
> > Now setting up the Ferret environment for the server...
> > I will use settings in your current Ferret environment. If you want to
> > change
> > them, edit 'server/Ferret_config.pl'.
> >
> > You have an existing XML file in server/las.xml
> > Do you want to set up the server to use this file? [yes]
> > Generating HTML...
> > Serializing file:/home/mitchell/current/las/server/las.xml to database
> > Building indexes...
> > DBD::mysql::db do failed: Access denied for user: 'las@localhost' to
> > database 'las2' at ../xml/perl/LASDB.pm line 389.
> > DBD::mysql::db do failed: Access denied for user: 'las@localhost' to
> > database 'las2' at ../xml/perl/LASDB.pm line 389.
> > [Wed Oct 23 13:59:32 2002] configure.pl: Error in generating HTML.
> >
> -------------------------------------------------------------------------------------------------------
> 
> > or alternatively, if I answer no to the last question:
> >
> -------------------------------------------------------------------------------------------------------
> 
> > Do you want to set up the server to use this file? [yes] no
> >
> > OK. If you have changed the XML file since last running configure, the
> > server might not work.
> >
> > cp: cannot stat `src/las.properties': No such file or directory
> > [Wed Oct 23 14:01:18 2002] configure.pl: Error in updating las.war with
> > las.properties at ./configure.pl line 1188, <STDIN> line 14.
> >
> ------------------------------------------------------------------------------------------------------
> 
> > Perhaps you can shed some light on the situation.
> >
> > Thank you very much,
> > Mitchell.
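
An added example, not part of the original messages or of LAS's configure.pl: a Perl sketch of the two checks the reply describes, testing the configuring account for the privileges configure.pl relies on (including RELOAD for the flush), and auditing the 'las' row afterwards against the five columns the insert statement sets. It assumes rows are hashes shaped like DBI's `fetchrow_hashref` output for the mysql `user` table, keyed by the column names in the quoted table; the helper names, the `example_admin` account and both sample rows are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Needed by the account configure.pl logs in with: create_priv and drop_priv
# are what its select tests for; Reload_priv is what "flush privileges" needs.
my @CONFIG_NEEDS = qw(Create_priv Drop_priv Reload_priv);

# The columns configure.pl's insert sets to 'Y' for the 'las' account.
my %RUNTIME_OK = map { $_ => 1 }
    qw(Select_priv Insert_priv Update_priv Delete_priv Create_priv);

# True when the row grants the named privilege column.
sub granted { my ($row, $col) = @_; return uc($row->{$col} // 'N') eq 'Y' }

# Privileges the configuring account lacks (hypothetical helper).
sub missing_config_privs {
    my ($row) = @_;
    return grep { !granted($row, $_) } @CONFIG_NEEDS;
}

# Privileges granted beyond what the insert statement sets (hypothetical helper).
sub excess_runtime_privs {
    my ($row) = @_;
    my @extra = grep { /_priv$/ && granted($row, $_) && !$RUNTIME_OK{$_} } keys %$row;
    return sort @extra;
}

# Constructed sample rows. %las mirrors the row quoted in the thread.
my @cols = qw(Select_priv Insert_priv Update_priv Delete_priv Create_priv
              Drop_priv Reload_priv Shutdown_priv Process_priv File_priv
              Grant_priv References_priv Index_priv Alter_priv);
my %las = (Host => 'localhost', User => 'las');
@las{@cols} = (('Y') x 6, ('N') x 8);
my %admin = (Host => 'localhost', User => 'example_admin');  # placeholder account
@admin{@cols} = ('N') x 14;
@admin{qw(Select_priv Insert_priv Create_priv Drop_priv)} = ('Y') x 4;

# Check to run before configure.pl reaches its flush statement.
my @missing = missing_config_privs(\%admin);
print "configure would fail for $admin{User}: missing @missing\n" if @missing;

# Audit to run on the 'las' row once configuration has finished.
my @excess = excess_runtime_privs(\%las);
print "$las{User}\@$las{Host} has privileges beyond the insert: @excess\n" if @excess;
```

On the sample row that mirrors the quoted table, the audit reports Drop_priv, which that table shows as Y but which is not among the five columns the insert statement sets.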



Dept of Commerce / NOAA / OAR / PMEL / TMAP