
Grant role from the HDI container, deployed using ZDM, to another container in the same project

I have the following setup:

mta.yaml

ID: MY_APP
_schema-version: '2.0'
version: 1.0.0

modules:
  - name: core_db
    type: hdb
    path: core/
    requires:
      - name: core
        properties:
          TARGET_CONTAINER: '~{core-container-name}'
    parameters:
      zdm-mode: true
      no-route: true

  - name: raports_db
    type: hdb
    path: raports/
    requires:
      - name: raports
        properties:
          TARGET_CONTAINER: '~{raports-container-name}'
      - name: core
        group: SERVICE_REPLACEMENTS
        properties:
          key: hdi-core-service
          service: '~{core-container-name}'

resources:
  - name: core
    parameters:
      config:
        schema: ${default-container-name}
    properties:
      core-container-name: '${service-name}'
    type: com.sap.xs.hdi-container

  - name: raports
    parameters:
      config:
        schema: ${default-container-name}
    properties:
      raports-container-name: '${service-name}'
    type: com.sap.xs.hdi-container

There are two roles: "ATERP.roles::raport" and "ATERP.roles::raport#" in the core_db module, with schema_privileges that grant SELECT, and schema_privileges that grant SELECT with grant options, respectively.

raports/cfg/core.hdbgrants

{
   "hdi-core-service": {
     "object_owner": {
       "container_roles":["ATERP.roles::raport#"]
     },
     "application_user": {
       "container_roles":["ATERP.roles::raport"]
     }
   } 
}

When I build those two modules in the SAP WebIDE, HDI containers are created, and everything is working like a charm... I can create synonyms from raports_db for objects in the core_db and do the usual stuff.

But when I deploy it with the xs bg-deploy command, it fails to deploy raports_db-blue with the following message:

OUT Target service: raports
OUT Processing grants files...
OUT  Processing "cfg/core.hdbgrants"...
OUT   Using service "hdi-core-service" of type "hdi"
OUT  Granting schema roles in the container "TEST_TEST_CORE" and the parameters "[]"...
OUT   Granting the schema role "ATERP.roles::raport#" to the principal "TEST_TEST_RAPORTS#OO" in the schema "" with grant option = "false"
OUT  Error: Granting schema roles in the container "TEST_TEST_CORE" and the parameters "[]"... failed [8214221]
OUT  Error: Database error 389: : invalid role name: ATERP.roles::raport#: line 1 col 7 (at pos 6) [8201003]
ERR Error: Error executing: CALL "TEST_TEST_CORE#DI".GRANT_CONTAINER_SCHEMA_ROLES(#CONTAINER_ROLES, #CONTAINER_ROLES_PARAMETERS, ?, ?, ?);
OUT (0s 637ms)
OUT 
ERR  (nested message: HDI call failed)
ERR grantor service: "hdi-core-service", type: "hdi", user: "TEST_TEST_CORE_64NMO3S50ZLGYRYV3N3ION1GM_DT" (hdi_user)
ERR file name: /hana/shared/HXE/xs/controller_data/executionagent/executionroot/9ffc7462-c1a4-4612-9e59-e26186700edf/app/cfg/core.hdbgrants
(...)

The (relevant) result set of the "select * from sys.roles" query:

"ROLE_SCHEMA_NAME", "ROLE_NAME", "CREATOR"
"TEST_TEST_CORE", "zdm_access#", "TEST_TEST_CORE#OO"
"TEST_TEST_CORE_ACCESS_BLUE", "ATERP.roles::raport", "TEST_TEST_CORE_ACCESS_BLUE#OO"
"TEST_TEST_CORE_ACCESS_BLUE", "ATERP.roles::raport#", "TEST_TEST_CORE_ACCESS_BLUE#OO"

So, those two roles are actually in the access container, and now it's clear to me why the error message states that role name "ATERP.roles::raport#" from TEST_TEST_CORE is invalid. But how would a role from the access container be granted?

Regards,
Ebu

Accepted Solutions (0)

Answers (0)