Bug 1043036

Summary: FreeRADIUS postgresql setup fails to grant permission for primary key serial object
Product: [Fedora] Fedora Reporter: John Dennis <jdennis>
Component: freeradiusAssignee: John Dennis <jdennis>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: jdennis, lemenkov
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeradius-3.0.1-2.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1043037 (view as bug list) Environment:
Last Closed: 2014-01-15 00:26:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1043037    
Attachments:
Description Flags
Add grants to update primary key none

Description John Dennis 2013-12-13 19:51:56 UTC 
The setup.sql for postgres in 3.x

raddb/mods-config/sql/main/postgresql/setup.sql

does not grant sufficient permissions to update tables. I'm not a
postgres expert but apparently when you use a SERIAL or BIGSERIAL type
to create a unique key postgres does that by creating something called a
sequence object. After creating the schema you'll see things like this:

> psql:schema.sql:180: NOTICE:  CREATE TABLE will create implicit sequence "radpostauth_id_seq" for serial column "radpostauth.id"

Those sequence object need permission grants on them in addition to the
table grants. Currently postgresql/setup.sql does not establish these
sequence grants, as a result you'll see errors like this:

> rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('paptestuser', 'mypassword', 'Access-Accept', NOW())'
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
> rlm_sql_postgresql: Error permission denied for sequence radpostauth_id_seq
> rlm_sql_postgresql: Postgresql Fatal Error: [42501: INSUFFICIENT PRIVILEGE] Occurred!!
> rlm_sql (sql): Database query error: ERROR:  permission denied for sequence radpostauth_id_seq 

The solution is to add these grants to postgresql/setup.sql

GRANT SELECT, USAGE on radacct_radacctid_seq TO radius;
GRANT SELECT, USAGE on radpostauth_id_seq TO radius;
Comment 1 John Dennis 2013-12-13 19:53:18 UTC 
Created attachment 836484 [details]
Add grants to update primary key
Comment 2 Fedora Update System 2014-01-15 00:32:19 UTC 
freeradius-3.0.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/freeradius-3.0.1-1.fc20
Comment 3 Fedora Update System 2014-01-23 17:22:15 UTC 
freeradius-3.0.1-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/freeradius-3.0.1-2.fc20
Comment 4 Fedora Update System 2014-01-28 04:36:36 UTC 
freeradius-3.0.1-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.