[ckan-dev] datastore: permission denied Schema public

Dominik Moritz dominik.moritz at okfn.org
Thu Mar 28 11:29:55 UTC 2013 

Hi,

We are currently working on a different approach to the permissions check which should solve all problems. Can you wait for the merge of https://github.com/okfn/ckan/pull/642? It will probably be ready some time next week. 

I assume that the table is not created because some checks do not return the expected results. 

Cheers,
Dominik

On 28 Mar 2013, at 12:06, User66 <user66 at arcor.de> wrote:

> Hi again,
> 
> I have seen some commits according these permission problems and replaced the two files regarding pull request #642, see https://github.com/okfn/ckan/commit/302a9ff87780ce6653f16fd77bf25496b586a9e2
> 
> Well, the permission problem seems now to be solved, I don't get internal server errors or exceptions any more.
> 
> But the alias table "_table_metadata" is not created. All the API checks using curl fail.
> 
> Cheers
> Ralf
> 
> ----------------ursprüngliche Nachricht-----------------
> Von: "User66" user66 at arcor.de 
> An: "CKAN Development Discussions" ckan-dev at lists.okfn.org 
> Datum: Wed, 27 Mar 2013 09:46:12 +0100
> -------------------------------------------------
> 
> 
>> Hi,
>> 
>> unfortunately the error has not gone. It now complains that the readonlyuser has 
>> write permissions.
>> 
>> What I did:
>> - Switched postgresql locale to "en_US.UTF-8"
>> - Re-Initialized the complete postgresql databases
>> - Installed CKAN databases "ckandb" and "datastore"
>> - Did a "git pull" to update to latest master branch
>> - Set permissions regarding "Option 1: Paster command" - all commands succeed
>> 
>> I am using both DBs on the same server and "ckanuser" as write user for both.
>> 
>> The users in set_permissions.sql are:
>> #######################
>> -- name of the main CKAN database
>> \set maindb 'ckandb'
>> -- the name of the datastore database
>> \set datastoredb 'datastore'
>> -- username of the ckan postgres user
>> \set ckanuser "ckanuser"
>> -- username of the datastore user that can write
>> \set wuser "ckanuser"
>> -- username of the datastore user who has only read permissions
>> \set rouser "readonlyuser"
>> #######################
>> 
>> The error is:
>> #######################
>> (pyenv)ckan at www :~/pyenv/src/ckan> paster --plugin=ckan db init
>> 2013-03-27 09:12:25,893 INFO [ckanext.datastore.plugin] Connection url 
>> postgresql://readonlyuser:xxx@localhost /datastore
>> Traceback (most recent call last):
>> File "/opt/ckan/pyenv/bin/paster", line 8, in <module>
>> load_entry_point('PasteScript==1.7.5', 'console_scripts', 'paster')()
>> File 
>> "/opt/ckan/pyenv/lib/python2.7/site-packages/paste/script/command.py
>> ", 
>> line 104, in run
>> invoke(command, command_name, options, args[1:])
>> File 
>> "/opt/ckan/pyenv/lib/python2.7/site-packages/paste/script/command.py
>> ", 
>> line 143, in invoke
>> exit_code = runner.run(args)
>> File 
>> "/opt/ckan/pyenv/lib/python2.7/site-packages/paste/script/command.py
>> ", 
>> line 238, in run
>> result = self.command()
>> File "/opt/ckan/pyenv/src/ckan/ckan/lib/cli.py", line 124, in command
>> self._load_config()
>> File "/opt/ckan/pyenv/src/ckan/ckan/lib/cli.py", line 86, in _load_config
>> load_environment(conf.global_conf, conf.local_conf)
>> File "/opt/ckan/pyenv/src/ckan/ckan/config/environment.py", line 349, in 
>> load_environment
>> plugin.configure(config)
>> File "/opt/ckan/pyenv/src/ckan/ckanext/datastore/plugin.py", line 66, in 
>> configure
>> self._check_read_permissions()
>> File "/opt/ckan/pyenv/src/ckan/ckanext/datastore/plugin.py", line 175, 
>> in _check_read_permissions
>> raise Exception("We have write permissions on the read-only database.")
>> Exception: We have write permissions on the read-only database.
>> #######################
>> 
>> Output from "psql -l":
>> #######################
>> postgres at www :~> psql -l
>> List of databases
>> Name | Owner | Encoding | Collate | Ctype | Access privileges 
>> 
>> -----------+----------+----------+-------------+-------------+------
>> -------------------
>> ckandb | ckanuser | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/ckanuser +
>> | | | | | ckanuser=CTc/ckanuser
>> datastore | ckanuser | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/ckanuser +
>> | | | | | ckanuser=CTc/ckanuser +
>> | | | | | readonlyuser=c/ckanuser
>> postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | 
>> template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
>> | | | | | postgres=CTc/postgres
>> template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
>> | | | | | postgres=CTc/postgres
>> (5 rows)
>> #######################
>> 
>> It seems that the readonlyuser really still has write permissions, because I am 
>> also able to execute the "create table" command within a psql shell.
>> I am not really familiar with postgresql, but could it be that basic permission 
>> settings have changed in postgresql 9.2.3?
>> 
>> Any other hints?
>> 
>> Cheers
>> Ralf
>> 
>> 
>> ----------------ursprüngliche Nachricht-----------------
>> Von: "User66" user66 at arcor.de 
>> An: ckan-dev at lists.okfn.org 
>> Datum: Tue, 26 Mar 2013 15:13:16 +0100
>> -------------------------------------------------
>> 
>> 
>>> Hi Dominik,
>>> 
>>> thanks for the tip.
>>> 
>>> After looking into the code your explanation sounds reasonable. I will
>>> switch the postgresql language to English. If you don't hear from me
>>> again, this issue is fixed (I can test it not before this evening).
>>> 
>>> Cheers
>>> Ralf
>>> 
>>> 
>>> Am 26.03.2013 11:06, schrieb Dominik Moritz:
>>>> Hallo Ralf,
>>>> 
>>>> We expect a permission error because there should be a connection that is 
>>>> not
>>>> allowed to write. However, the check only works if the error message is in
>>>> english, otherwise an exception is raised. 
>>>> 
>>>> There is an issue and a pull request at 
>>>> https://github.com/okfn/ckan/pull/642.
>>>> 
>>>> Until this fix is in the release branch, you could set the language of your
>>>> postgres installation to english. 
>>>> 
>>>> Best wishes,
>>>> Dominik
>> 
>> 
>> 
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org 
>> http://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-dev
>> 
> 
> 
> 
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-dev

More information about the ckan-dev mailing list