Jan 19, 2023 at 05:54 AM

Deployment of .hdbgrant fails : invalid role name


Hi community.

I am trying to use virtual tables created in a classic schema in a CAP project.

To achieve this, I have set up the following objects.

image.png

1. Roles to access the virtual tables

create role VTROLE;
grant select on schema "JDBCUSER" to VTROLE;

create role VTROLE_G;
grant select on schema "JDBCUSER" to VTROLE with grant option;

2. A user who is granted the above roles with admin option

create user VTUSER password "password" set usergroup default;
alter user VTUSER disable password lifetime;

grant VTROLE to VTUSER with admin option;
grant VTROLE_G to VTUSER with admin option;

3. A user-provided service to access the virtual tables

cf cups demo-inventory-ups -p "{\"user\":\"VTUSER\",\"password\":\"password\",\"tags\":[\"hana\"] , \"schema\" : \"JDBCUSER\" }"

4. .hdbgrants

{
    "cross-schema-ups": {
        "object_owner": {
            "global_roles": [
                {
                    "roles": [ "VTROLE_G" ]
                }
            ]
        },
        "application_user": {
            "global_roles": [
                {
                    "roles": [ "VTROLE" ]
                }
            ]
        }
    }
}

* also tried below

{
	"cross-schema-ups": {
		"object_owner": {
			"roles": ["VTROLE_G"]
		},
		"application_user": {
			"roles": ["VTROLE"]
		}
	}
}

5. mta.yaml

mtayaml.txt

When I executed "cf deploy", I came across the following error.

Execution of task "deploy" on application "demo-inventory-db-deployer" failed.

In the detailed log, there were the following errors.

#2.0#2023 01 19 04:09:33.432#Z#DEBUG#com.sap.cloud.lm.sl.xs2.f2dd3430-97ae-11ed-b3ff-eeee0a98ecf0.demo-inventory-db-deployer.stageAppTask#
######org.cloudfoundry.multiapps.controller.persistence.services.ProcessLogger########flowable-async-job-executor-thread-24294###
[PollStageAppStatusExecution] [demo-inventory-db-deployer] 34ddcbe7-ba80-4ac5-99ef-fd8f35c9bc59 [Thu Jan 19 03:56:59 UTC 2023] (nested message: invalid role name: VTROLE_G: line 1 col 7 (at pos 6)) (STDERR, APP/TASK/deploy)#

#2.0#2023 01 19 04:09:33.432#Z#DEBUG#com.sap.cloud.lm.sl.xs2.f2dd3430-97ae-11ed-b3ff-eeee0a98ecf0.demo-inventory-db-deployer.stageAppTask#
######org.cloudfoundry.multiapps.controller.persistence.services.ProcessLogger########flowable-async-job-executor-thread-24294###
[PollStageAppStatusExecution] [demo-inventory-db-deployer] 34ddcbe7-ba80-4ac5-99ef-fd8f35c9bc59 [Thu Jan 19 03:56:59 UTC 2023] Error: Error executing: GRANT "JDBCUSER"."VTROLE_G" TO "0DF41154432140A6A45C380671E40976#OO"; (STDERR, APP/TASK/deploy)#

The second message indicates that the deployer was trying to grant "JDBCUSER"."VTROLE_G" to the object owner but there was no such role. The roles are global and the schema name is not attached.

roles.png

Could someone please point out the step I may have done incorrectly or if any steps are missing?

Best regards,

Mio

Attachments

image.png (12.0 kB)
mtayaml.txt (1.5 kB)
roles.png (14.4 kB)