Setting up atuin as a server

tessus · February 13, 2024, 7:51pm

First of all I want to say that atuin is a great project. My feedback is not meant to anger the devs, but rather describes my experience while setting up the atuin server.

I created a system user under which the atuin server is run.
The user does not have a home directory, since I created a systemd file with an EnvironmentFile set.

Starting the server failed with an error, because atuin was not able to write to the user’s home directory.

I find it great that atuin tries to create a template server.toml file with default settings explained. This has a nice touch and is something that is often missing in other projects. However, the fact that atuin abends was not expected. At least not from me. I gave atuin all the correct env vars to successfully start, yet it abends with an error.
If atuin has all the info to run, it should not error out. An info message is ok, or maybe even a warning message. Although I think ‘info’ is the right level.

I fixed that by also setting HOME to /etc/atuin (where my env file resides) in the systemd service. Then it could create the ~/.config/atuin/server.toml file.

I’m using Postgres 15 and since I spent almost 2 decades in the area of IBM DB2 (with 7 years in the DB2 Toronto Lab as an engine dev), I locked down the instance.

I created a database atuin and a user atuin. The user atuin has full admin privileges on the database.
However, I revoked all privileges on the schema public from the group public in the atuin db, because the user atuin has all privileges anyway. Additionally it is a security issue to allow anyone to do anything they want in the public schema.

\c atuin
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;

Unfortunately atuin abends again with:

Error: failed to connect to db: PostgresSettings { db_uri: "postgres://atuin:passwordhere@127.0.0.1/atuin" }

Caused by:
    Other(while executing migrations: error returned from database: no schema has been selected to create in

    Caused by:
       0: error returned from database: no schema has been selected to create in
       1: no schema has been selected to create in

    Location:
        /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/convert/mod.rs:757:9)

Location:
    /home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/atuin-server-18.0.1/src/lib.rs:141:10

The error message is a bit misleading, because connecting to the database works just fine.

I am actually quite puzzled by the “real” error message. The user atuin has all privileges on the database, even for the schema PUBLIC. But I had to grant the group public all privileges to the schema public. What?

I seriously don’t understand the world anymore.

I hope I was not too harsh with my feedback.

ellie · February 17, 2024, 7:23pm

Thank you! Appreciate the feedback

Does the atuin user have usage granted on any schemas in the database?

The SQL you ran revoked the default usage, so if you haven’t explicitly granted anything, the user has access to no schema.

Hence this error

Caused by:
    Other(while executing migrations: error returned from database: no schema has been selected to create in

You can read more here: postgresql - ERROR: no schema has been selected to create in - Database Administrators Stack Exchange

tessus · February 17, 2024, 7:30pm

Thanks for the reply. I have granted atuin all privileges on the database:

CREATE DATABASE atuin;

CREATE USER atuin WITH ENCRYPTED PASSWORD 'mypassword';
GRANT ALL ON DATABASE atuin TO atuin;
GRANT all privileges ON database atuin TO atuin;

ellie · February 17, 2024, 7:33pm

You have granted the user access to the database, but you have not granted them access to any schema. Hence this error. The two are pretty separate.

Maybe this helps

tessus · February 17, 2024, 7:56pm

Ok, this is weird. I come from IBM DB2 and a db admin has full access on the database. If a user connects to a database and has full access on the db and creates a table without an explicit schema, the table will be created in the user’s schema (which does not have to be explicitly created). I thought that my 2 commands gave the user db admin access. Apparently not.

Well, the user atuin can create a schema, but it wants to use public. So apparently I have to do this:

CREATE USER atuin WITH ENCRYPTED PASSWORD 'mypassword';
GRANT ALL ON DATABASE atuin TO atuin;
GRANT all privileges ON database atuin TO atuin;
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;
GRANT ALL ON SCHEMA public to atuin;

Very weird indeed.

tessus · February 17, 2024, 9:50pm

Ok, I finally found out what trippped me up. The database has to be created with atuin as the owner or altered to have atuin as the owner. GRANT ALL ON database does not make atuin the admin/owner of the database. Now it makes finally sense to me.