Wizard: Differentiate between privileges required to create and setup…

… a db

Fixes the bug that if a database and a login are already existing and only
the schema needs to be set up, which is possible using the resource's login,
the user is required to provide another login with the seemingly missing
privileges.

refs #8707

modules/setup/library/Setup/Utils/DbTool.php

@@ -721,7 +721,8 @@ public function checkPgsqlPrivileges(
             foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) {
                 if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) {
                     $tablePrivileges[] = $privilege;
-                } elseif ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
+                }
+                if ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) {
                     $dbPrivileges[] = $privilege;
                 }
             }
@@ -760,14 +761,14 @@ public function checkPgsqlPrivileges(
             // connected to the database defined in the resource configuration it is safe to just ignore them
             // as the chances are very high that the database is created later causing the current user being
             // the owner with ALL privileges. (Which in turn can be granted to others.)
-        }
 
-        if (array_search('CREATE', $privileges) !== false) {
-            $query = $this->query(
-                'select rolcreatedb from pg_roles where rolname = :user',
-                array(':user' => $username !== null ? $username : $this->config['username'])
-            );
-            $privilegesGranted &= $query->fetchColumn() !== false;
+            if (array_search('CREATE', $privileges) !== false) {
+                $query = $this->query(
+                    'select rolcreatedb from pg_roles where rolname = :user',
+                    array(':user' => $username !== null ? $username : $this->config['username'])
+                );
+                $privilegesGranted &= $query->fetchColumn() !== false;
+            }
         }
 
         if (array_search('CREATEROLE', $privileges) !== false) {

modules/setup/library/Setup/WebWizard.php

@@ -17,7 +17,7 @@
 use Icinga\Module\Setup\Forms\AuthBackendPage;
 use Icinga\Module\Setup\Forms\AdminAccountPage;
 use Icinga\Module\Setup\Forms\LdapDiscoveryPage;
-use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
+//use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;
 use Icinga\Module\Setup\Forms\LdapResourcePage;
 use Icinga\Module\Setup\Forms\RequirementsPage;
 use Icinga\Module\Setup\Forms\GeneralConfigPage;
@@ -42,18 +42,27 @@
 class WebWizard extends Wizard implements SetupWizard
 {
     /**
-     * The privileges required by Icinga Web 2 to setup the database
+     * The privileges required by Icinga Web 2 to create the database and a login
      *
      * @var array
      */
-    protected $databaseSetupPrivileges = array(
+    protected $databaseCreationPrivileges = array(
         'CREATE',
-        'ALTER',
-        'REFERENCES',
         'CREATE USER', // MySQL
         'CREATEROLE' // PostgreSQL
     );
 
+    /**
+     * The privileges required by Icinga Web 2 to setup the database
+     *
+     * @var array
+     */
+    protected $databaseSetupPrivileges = array(
+        'CREATE',
+        'ALTER', // MySQL only
+        'REFERENCES'
+    );
+
     /**
      * The privileges required by Icinga Web 2 to operate the database
      *
@@ -148,7 +157,9 @@ public function setupPage(Form $page, Request $request)
                 $page->setResourceConfig($this->getPageData('setup_ldap_resource'));
             }
         } elseif ($page->getName() === 'setup_database_creation') {
-            $page->setDatabaseSetupPrivileges($this->databaseSetupPrivileges);
+            $page->setDatabaseSetupPrivileges(
+                array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges)
+            );
             $page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges);
             $page->setResourceConfig($this->getPageData('setup_db_resource'));
         } elseif ($page->getName() === 'setup_summary') {
@@ -211,8 +222,8 @@ protected function getNewPage($requestedPage, Form $originPage)
                 try {
                     $db->connectToDb(); // Are we able to login on the database?
                     if (array_search(key($this->databaseTables), $db->listTables()) === false) {
-                        // In case the database schema does not yet exist the user
-                        // needs the privileges to create and setup the database
+                        // In case the database schema does not yet exist the
+                        // user needs the privileges to setup the database
                         $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
                     } else {
                         // In case the database schema exists the user needs the required privileges
@@ -224,7 +235,10 @@ protected function getNewPage($requestedPage, Form $originPage)
                         $db->connectToHost(); // Are we able to login on the server?
                         // It is not possible to reliably determine whether a database exists or not if a user can't
                         // log in to the database, so we just require the user to be able to create the database
-                        $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables);
+                        $skip = $db->checkPrivileges(
+                            array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges),
+                            $this->databaseTables
+                        );
                     } catch (PDOException $_) {
                         // We are NOT able to login on the server..
                     }