Enabling enable_beta_gdpr with privilege separation fails

[nsoranzo]

I tried to make a small change to the setup explained in https://training.galaxyproject.org/training-material/topics/admin/tutorials/ansible-galaxy/tutorial.html , i.e. I've added enable_beta_gdpr: true to galaxy_config: > galaxy: in group_vars/galaxyservers.yml
The basic configuration in the tutorial setup is:

galaxy_separate_privileges: true
galaxy_manage_paths: true
galaxy_layout: root-dir
galaxy_root: /srv/galaxy

After the change, I see the following traceback in the Galaxy logs:

Jun 22 23:23:02 galaxy uwsgi[3402783]: DEBUG:galaxy.config:Configuration directory is /srv/galaxy/server/config
Jun 22 23:23:02 galaxy uwsgi[3402783]: DEBUG:galaxy.config:Data directory is /srv/galaxy/var
Jun 22 23:23:02 galaxy uwsgi[3402783]: DEBUG:galaxy.config:Managed config directory is /srv/galaxy/server/config
Jun 22 23:23:03 galaxy uwsgi[3402783]: DEBUG:galaxy.containers:config file '/srv/galaxy/server/config/containers_conf.yml' does not exist, running with default config
Jun 22 23:23:03 galaxy uwsgi[3402783]: Traceback (most recent call last):
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/config.py", line 565, in configure
Jun 22 23:23:03 galaxy uwsgi[3402783]: handler = self.configure_handler(handlers[name])
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/config.py", line 738, in configure_handler
Jun 22 23:23:03 galaxy uwsgi[3402783]: result = factory(**kwargs)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/handlers.py", line 150, in __init__
Jun 22 23:23:03 galaxy uwsgi[3402783]: BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/handlers.py", line 57, in __init__
Jun 22 23:23:03 galaxy uwsgi[3402783]: logging.FileHandler.__init__(self, filename, mode, encoding, delay)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/__init__.py", line 1032, in __init__
Jun 22 23:23:03 galaxy uwsgi[3402783]: StreamHandler.__init__(self, self._open())
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/__init__.py", line 1061, in _open
Jun 22 23:23:03 galaxy uwsgi[3402783]: return open(self.baseFilename, self.mode, encoding=self.encoding)
Jun 22 23:23:03 galaxy uwsgi[3402783]: PermissionError: [Errno 13] Permission denied: '/srv/galaxy/server/compliance.log'
Jun 22 23:23:03 galaxy uwsgi[3402783]: During handling of the above exception, another exception occurred:
Jun 22 23:23:03 galaxy uwsgi[3402783]: Traceback (most recent call last):
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/srv/galaxy/server/lib/galaxy/webapps/galaxy/buildapp.py", line 50, in app_factory
Jun 22 23:23:03 galaxy uwsgi[3402783]: app = galaxy.app.UniverseApplication(global_conf=global_conf, **kwargs)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/srv/galaxy/server/lib/galaxy/app.py", line 83, in __init__
Jun 22 23:23:03 galaxy uwsgi[3402783]: config.configure_logging(self.config)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/srv/galaxy/server/lib/galaxy/config/__init__.py", line 1077, in configure_logging
Jun 22 23:23:03 galaxy uwsgi[3402783]: logging.config.dictConfig(logging_conf)
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/config.py", line 802, in dictConfig
Jun 22 23:23:03 galaxy uwsgi[3402783]: dictConfigClass(config).configure()
Jun 22 23:23:03 galaxy uwsgi[3402783]: File "/usr/lib64/python3.6/logging/config.py", line 573, in configure
Jun 22 23:23:03 galaxy uwsgi[3402783]: '%r: %s' % (name, e))
Jun 22 23:23:03 galaxy uwsgi[3402783]: ValueError: Unable to configure handler 'compliance_log': [Errno 13] Permission denied: '/srv/galaxy/server/compliance.log'
Jun 22 23:23:03 galaxy systemd[1]: galaxy.service: main process exited, code=exited, status=1/FAILURE

When started without privilege separation (e.g. via run.sh on a fresh git clone), compliance.log is created in the Galaxy root directory.

[hexylena]

yeah that makes sense :/