Skip to Content

Grant role from the HDI container, deployed using ZDM, to another container in the same project

I have the following setup:

mta.yaml

ID: MY_APP
_schema-version: '2.0'
version: 1.0.0

modules:
  - name: core_db
    type: hdb
    path: core/
    requires:
      - name: core
        properties:
          TARGET_CONTAINER: '~{core-container-name}'
    parameters:
      zdm-mode: true
      no-route: true

  - name: raports_db
    type: hdb
    path: raports/
    requires:
      - name: raports
        properties:
          TARGET_CONTAINER: '~{raports-container-name}'
      - name: core
        group: SERVICE_REPLACEMENTS
        properties:
          key: hdi-core-service
          service: '~{core-container-name}'

resources:
  - name: core
    parameters:
      config:
        schema: ${default-container-name}
    properties:
      core-container-name: '${service-name}'
    type: com.sap.xs.hdi-container

  - name: raports
    parameters:
      config:
        schema: ${default-container-name}
    properties:
      raports-container-name: '${service-name}'
    type: com.sap.xs.hdi-container

There are two roles: "ATERP.roles::raport" and "ATERP.roles::raport#" in the core_db module, with schema_privileges that grant SELECT, and schema_privileges that grant SELECT with grant options, respectively.

raports/cfg/core.hdbgrants

{
   "hdi-core-service": {
     "object_owner": {
       "container_roles":["ATERP.roles::raport#"]
     },
     "application_user": {
       "container_roles":["ATERP.roles::raport"]
     }
   } 
}

When I build those two modules in the SAP WebIDE, HDI containers are created, and everything is working like a charm... I can create synonyms from raports_db for objects in the core_db and do the usual stuff.

But, when I deploy it with xs bg-deploy command, it fails to deploy raports_db-blue with the following message:

OUT Target service: raports
OUT Processing grants files...
OUT  Processing "cfg/core.hdbgrants"...
OUT   Using service "hdi-core-service" of type "hdi"
OUT  Granting schema roles in the container "TEST_TEST_CORE" and the parameters "[]"...
OUT   Granting the schema role "ATERP.roles::raport#" to the principal "TEST_TEST_RAPORTS#OO" in the schema "" with grant option = "false"
OUT  Error: Granting schema roles in the container "TEST_TEST_CORE" and the parameters "[]"... failed [8214221]
OUT  Error: Database error 389: : invalid role name: ATERP.roles::raport#: line 1 col 7 (at pos 6) [8201003]
ERR Error: Error executing: CALL "TEST_TEST_CORE#DI".GRANT_CONTAINER_SCHEMA_ROLES(#CONTAINER_ROLES, #CONTAINER_ROLES_PARAMETERS, ?, ?, ?);
OUT (0s 637ms)
OUT 
ERR  (nested message: HDI call failed)
ERR grantor service: "hdi-core-service", type: "hdi", user: "TEST_TEST_CORE_64NMO3S50ZLGYRYV3N3ION1GM_DT" (hdi_user)
ERR file name: /hana/shared/HXE/xs/controller_data/executionagent/executionroot/9ffc7462-c1a4-4612-9e59-e26186700edf/app/cfg/core.hdbgrants
(...)

The(relevant) result set of "select * from sys.roles" query:

"ROLE_SCHEMA_NAME", "ROLE_NAME", "CREATOR"
"TEST_TEST_CORE", "zdm_access#", "TEST_TEST_CORE#OO"
"TEST_TEST_CORE_ACCESS_BLUE", "ATERP.roles::raport", "TEST_TEST_CORE_ACCESS_BLUE#OO"
"TEST_TEST_CORE_ACCESS_BLUE", "ATERP.roles::raport#", "TEST_TEST_CORE_ACCESS_BLUE#OO"

So, those two roles are actually in the access container, and now it's clear to me why the error message states that role name "ATERP.roles::raport#" from TEST_TEST_CORE is invalid. But how would a role from the access container be granted?

Regards,
Ebu

Add a comment
10|10000 characters needed characters exceeded

Related questions

0 Answers

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.