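Function Set-SDKServicePermissions {
    <#
    .SYNOPSIS
        Sets the run-as account for each installed Alkami service and grants database roles where the service needs them.

    .DESCRIPTION
        Stops the SDK services, then walks every service returned by Get-AlkamiServices and, for each one
        whose chocolatey package directory exists:
          * sets the service type to 'own' through sc.exe so it can be reconfigured;
          * if the package carries a service manifest, runs the service as $dbmsUser when
            Test-ServiceManifestRequiresDbAccess says it needs the database, otherwise as $microUser;
          * otherwise (legacy packages without a manifest) dot-sources tools\DatabaseConfig.ps1 when present,
            runs the service as $dbmsUser and invokes Alkami.Database.Permitter.exe to grant the
            $schemaGroupRole that script defines; packages with only an .exe.config run as $microUser.
        Finally the Radium scheduler service is pointed at a hard-coded account.

    .PARAMETER dbmsUser
        Windows account used for services that require database access.

    .PARAMETER microUser
        Windows account used for services that do not require database access.

    .PARAMETER databaseName
        Database name placed in the permitter connection string.

    .PARAMETER databaseSource
        SQL Server data source placed in the permitter connection string.

    .NOTES
        Dot-sourcing DatabaseConfig.ps1 executes whatever that package shipped, in the calling session;
        it is only reached for packages under the chocolatey lib directory that have no service manifest.
    #>
    param(
        [string]$dbmsUser,
        [string]$microUser,
        [string]$databaseName,
        [string]$databaseSource
    )

    $logLead = Get-LogLeadName

    # Make sure everything is stopped before reconfiguring service accounts.
    Stop-SDKServices

    $chocoRootPath = Get-ChocolateyInstallPath
    $chocoLibPath = Join-Path -Path $chocoRootPath -ChildPath 'lib'

    # The permitter (shipped by the database installer package) grants database roles for legacy dbms services.
    # Derived from the chocolatey install path rather than hard-coded so it agrees with the package paths below.
    $pathToPermitter = Join-Path -Path $chocoLibPath -ChildPath 'Alkami.MicroServices.Choco.Installer.Database\tools\Alkami.Database.Permitter.exe'

    $serviceNames = (Get-AlkamiServices).Name
    foreach ($serviceName in $serviceNames) {
        Write-Debug "Baking $serviceName..."

        $chocoPackagePath = Join-Path -Path $chocoLibPath -ChildPath $serviceName
        if (-not (Test-Path -Path $chocoPackagePath)) {
            Write-Warning "$logLead : Could not find the chocolatey package at [$chocoPackagePath], continuing to next package"
            continue
        }

        # Own the service so sc.exe lets us change its configuration.
        Write-Debug "Owning service..."
        Invoke-SCExe @('config', $serviceName, 'type=', 'own')

        # A missing or unreadable manifest is not fatal: the package is handled by the legacy path below,
        # but the reason is recorded instead of being swallowed silently.
        $manifest = $null
        try {
            $manifest = Get-PackageManifest -Path $chocoPackagePath
        } catch {
            Write-Debug "$logLead : No readable package manifest at [$chocoPackagePath] ($_); using legacy path"
        }

        if ($null -ne $manifest) {
            if ($null -ne $manifest.ServiceManifest) {
                # Default to the micro user; only services whose manifest asks for it get the dbms user.
                $message = "Service does not require access to the database"
                $accountName = $microUser
                if (Test-ServiceManifestRequiresDbAccess -ServiceManifest $manifest.ServiceManifest) {
                    $message = "Service requires access to the database"
                    $accountName = $dbmsUser
                }

                Write-Host "$logLead : $message. Configuring to use [$accountName] for [$serviceName]"
                Invoke-SCExe @('config', $serviceName, 'obj=', $accountName)
                # The legacy applier is skipped here: it runs on a successful install, and another
                # function reapplies migrations as required.
            } else {
                Write-Warning "$logLead : Manifest found is not a service manifest at [$chocoPackagePath]"
            }
            # A package with any manifest never falls through to the legacy path.
            continue
        }

        ## Legacy path: no manifest, so inspect the package's tools folder directly.
        $toolsPath = Join-Path -Path $chocoPackagePath -ChildPath 'tools'
        $configPath = Join-Path -Path $toolsPath -ChildPath "$serviceName.exe.config"
        $dbConfigPath = Join-Path -Path $toolsPath -ChildPath 'DatabaseConfig.ps1'

        if (-not (Test-Path -Path $configPath)) {
            Write-Debug "Unable to verify configuration file for $serviceName. Skipping."
            continue
        }

        # TODO: This is now handled by the migration runner
        if (-not (Test-Path -Path $dbConfigPath)) {
            Write-Debug "Logical service detected: $configPath"
            ## Microservices without a DatabaseConfig.ps1 run as the micro user.
            Write-Debug "Setting service user name...$microUser"
            Invoke-SCExe @('config', $serviceName, 'obj=', $microUser)
            continue
        }

        Write-Debug "DatabaseConfig.ps1 detected: $dbConfigPath"

        ## Each legacy dbms service ships a DatabaseConfig.ps1 that defines the database role for the service
        ## ($schemaGroupRole) and the migrations library. Clear any value left over from a previous iteration
        ## so a script that fails to define the role cannot silently reuse another service's role.
        $schemaGroupRole = $null
        . $dbConfigPath

        ## Change the service to run as the dbms user
        Write-Debug "Setting service user name...$dbmsUser"
        Invoke-SCExe @('config', $serviceName, 'obj=', $dbmsUser)

        if ([string]::IsNullOrWhiteSpace($schemaGroupRole)) {
            Write-Warning "$logLead : [$dbConfigPath] did not define `$schemaGroupRole; skipping role permitting for [$serviceName]"
            continue
        }
        if (-not (Test-Path -Path $pathToPermitter)) {
            Write-Warning "$logLead : Permitter not found at [$pathToPermitter]; skipping role permitting for [$serviceName]"
            continue
        }

        ## Run the permitter to create and assign roles to the already existing dbms user.
        ## The connection string uses integrated security, so no credentials are embedded in it.
        Write-Debug "Permitting user for db roles..."
        $connectionString = "data source=$databaseSource;Integrated Security=SSPI; Database=$databaseName"
        & $pathToPermitter $connectionString $dbmsUser $schemaGroupRole
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$logLead : Permitter exited with code [$LASTEXITCODE] for [$serviceName] (role [$schemaGroupRole])"
        }
    }

    # TODO: Verify this user is a valid user to be set
    # And Radium...
    $radiumuser = "CORP\dev.radium$"
    $radiumServiceName = "Alkami Radium Scheduler Service"
    Invoke-SCExe @('config', $radiumServiceName, 'obj=', $radiumuser)

    Write-Debug "Done baking."
}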