[ckan-dev] Unable to set permission to DataStore

Natalia Queiroz queiroz.nati at gmail.com
Mon Jan 18 18:12:24 UTC 2016


Hello group,

I got it using the command

(default)root at localhost:/etc/ckan/default# paster --plugin=ckan datastore set-permissions -c /etc/ckan/default/production.ini
2016-01-18 15:41:33,818 WARNI [ckanext.datastore.plugin] Omitting permission checks because you are running paster commands.
/*
This script configures the permissions for the datastore.

It ensures that the datastore read-only user will only be able to select from
the datastore database but has no create/write/edit permission or any
permissions on other databases. You must execute this script as a database
superuser on the PostgreSQL server that hosts your datastore database.

For example, if PostgreSQL is running locally and the "postgres" user has the
appropriate permissions (as in the default Ubuntu PostgreSQL install), you can
run:

    paster datastore set-permissions | sudo -u postgres psql

Or, if your PostgreSQL server is remote, you can pipe the permissions script
over SSH:

    paster datastore set-permissions | ssh dbserver sudo -u postgres psql

*/

-- Most of the following commands apply to an explicit database or to the whole
-- 'public' schema, and could be executed anywhere. But ALTER DEFAULT
-- PERMISSIONS applies to the current database, and so we must be connected to
-- the datastore DB:
\connect datastore_default

-- revoke permissions for the read-only user
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE USAGE ON SCHEMA public FROM PUBLIC;

GRANT CREATE ON SCHEMA public TO "ckan_default";
GRANT USAGE ON SCHEMA public TO "ckan_default";

GRANT CREATE ON SCHEMA public TO "ckan_default";
GRANT USAGE ON SCHEMA public TO "ckan_default";

-- take connect permissions from main db
REVOKE CONNECT ON DATABASE "ckan_default" FROM "datastore_default";

-- grant select permissions for read-only user
GRANT CONNECT ON DATABASE "datastore_default" TO "datastore_default";
GRANT USAGE ON SCHEMA public TO "datastore_default";

-- grant access to current tables and views to read-only user
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "datastore_default";

-- grant access to new tables and views by default
ALTER DEFAULT PRIVILEGES FOR USER "ckan_default" IN SCHEMA public
   GRANT SELECT ON TABLES TO "datastore_default";


After restarting CKAN, I tested the setup using the curl command

(default)root at localhost:/etc/ckan/default# curl -X GET "http://ckan.jbrj.gov.br/api/3/action/datastore_search?resource_id=_table_metadata"
{"help": "http://ckan.jbrj.gov.br/api/3/action/help_show?name=datastore_search",
"success": true, "result": {"resource_id": "_table_metadata", "fields":
[{"type": "text", "id": "_id"}, {"type": "name", "id": "name"}, {"type":
"oid", "id": "oid"}, {"type": "name", "id": "alias_of"}], "records":
[{"_id": "1fab8662e5772995", "alias_of": "pg_views", "name":
"_table_metadata", "oid": 84889}, {"_id": "21b5fe766665b205", "alias_of":
"pg_tables", "name": "_table_metadata", "oid": 84889}], "_links": {"start":
"/api/3/action/datastore_search?resource_id=_table_metadata", "next":
"/api/3/action/datastore_search?offset=100&resource_id=_table_metadata"},
"total": 2}}


The issue now is that I am receiving this error when I access a resource's
information

[Mon Jan 18 15:48:33 2016] [error] [client IP] Error - <class 'sqlalchemy.exc.ProgrammingError'>: (ProgrammingError) ERRO: permiss\xc3\xa3o negada para rela\xc3\xa7\xc3\xa3o _table_metadata

Any idea?


On Mon, Jan 18, 2016 at 11:21 AM, Natalia Queiroz <queiroz.nati at gmail.com>
wrote:

> Hello Harald, I'm using ckan version 2.4
>
> On Fri, Jan 15, 2016 at 11:56 AM, Harald von Waldow <
> harald.vonwaldow at eawag.ch> wrote:
>
>> Or Natalia looked at the wrong docu-version. Natalia, which version of
>> CKAN are you running?
>>
>> On 15.01.2016 13:32, David Read wrote:
>> > Harald,
>> > I can see no error in the documentation here. I think Natalia just misread it.
>> >
>> > http://docs.ckan.org/en/latest/maintaining/datastore.html#set-permissions
>> > David
>> >
>> > On 14 January 2016 at 22:22, Harald von Waldow
>> > <harald.vonwaldow at eawag.ch> wrote:
>> >> I guess there is an error in the documentation. Try this:
>> >>
>> >> paster --plugin=ckan datastore set-permissions
>> >> -c /etc/ckan/default/production.ini| sudo -u postgres psql
>> >>
>> >> I guess it is also not such a good idea to run everything as root ...
>> >>
>> >> Cheers,
>> >> Harald
>> >>
>> >> On 14.01.2016 22:01, Natalia Queiroz wrote:
>> >>> Hello Harald,
>> >>>
>> >>> I removed the pdf_view, now I got this ...
>> >>>
>> >>> (default)root at localhost:/home/nataliaoliveira# paster --plugin=ckan datastore set-permissions postgres -c /etc/ckan/default/production.ini
>> >>> 2016-01-14 18:56:53,648 WARNI [ckanext.datastore.plugin] Omitting permission checks because you are running paster commands.
>> >>> usage: paster datastore [-h] {set-permissions} ...
>> >>> paster datastore: error: unrecognized arguments: postgres
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Thu, Jan 14, 2016 at 5:41 PM, Harald von Waldow
>> >>> <harald.vonwaldow at eawag.ch <mailto:harald.vonwaldow at eawag.ch>> wrote:
>> >>>
>> >>>     Remove pdf_view from ckan.plugins in your production.ini or,
>> >>>     alternatively, install ckanext-pdfview
>> >>>     (https://github.com/ckan/ckanext-pdfview).
>> >>>
>> >>>     Cheers,
>> >>>     Harald
>> >>>
>> >>>     On 14.01.2016 20:09, Natalia Queiroz wrote:
>> >>>     > Hello group,
>> >>>     >
>> >>>     > I'm following the ckan documentation to install DataStore on my environment.
>> >>>     >
>> >>>     > http://docs.ckan.org/en/ckan-2.4.1/maintaining/datastore.html#datapusher-automatically-add-data-to-the-datastore
>> >>>     >
>> >>>     > In the topic Set permissions, this is the error from the command
>> >>>     >
>> >>>     > root at localhost:/etc/ckan/default# . /usr/lib/ckan/default/bin/activate
>> >>>     > (default)root at localhost:/etc/ckan/default# cd /usr/lib/ckan/default/src/ckan
>> >>>     > (default)root at localhost:/usr/lib/ckan/default/src/ckan# paster --plugin=ckan datastore set-permissions postgres -c /etc/ckan/default/production.ini
>> >>>     > Traceback (most recent call last):
>> >>>     >   File "/usr/lib/ckan/default/bin/paster", line 9, in <module>
>> >>>     >     load_entry_point('PasteScript==1.7.5', 'console_scripts', 'paster')()
>> >>>     >   File "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py", line 104, in run
>> >>>     >     invoke(command, command_name, options, args[1:])
>> >>>     >   File "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py", line 143, in invoke
>> >>>     >     exit_code = runner.run(args)
>> >>>     >   File "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py", line 238, in run
>> >>>     >     result = self.command()
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckanext/datastore/commands.py", line 70, in command
>> >>>     >     self._load_config()
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckan/lib/cli.py", line 147, in _load_config
>> >>>     >     load_environment(conf.global_conf, conf.local_conf)
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckan/config/environment.py", line 232, in load_environment
>> >>>     >     p.load_all(config)
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line 134, in load_all
>> >>>     >     load(*plugins)
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line 148, in load
>> >>>     >     service = _get_service(plugin)
>> >>>     >   File "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line 255, in _get_service
>> >>>     >     raise PluginNotFoundException(plugin_name)
>> >>>     > ckan.plugins.core.PluginNotFoundException: pdf_view
>> >>>     >
>> >>>     > Any idea?
>> >>>     >
>> >>>     > --
>> >>>     >
>> >>>     >
>> >>>     > Natália Oliveira
>> >>>     >
>> >>>     >
>> >>>     > _______________________________________________
>> >>>     > ckan-dev mailing list
>> >>>     > ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>> >>>     > https://lists.okfn.org/mailman/listinfo/ckan-dev
>> >>>     > Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>> >>>     >
>> >>>
>> >>>     --
>> >>>     Harald von Waldow
>> >>>     Eawag
>> >>>     ICT Services
>> >>>     Ueberlandstrasse 133
>> >>>     8600 Duebendorf
>> >>>     http://www.eawag.ch
>> >>>
>> >>>
>> >>> --
>> >>>
>> >>>
>> >>> Natália Oliveira
>> >>>
>> >>>
>> >>>
>> >>
>> >> --
>> >> Harald von Waldow
>> >> Eawag
>> >> ICT Services
>> >> Ueberlandstrasse 133
>> >> 8600 Duebendorf
>> >> http://www.eawag.ch
>> >>
>> >>
>> >>
>> >
>>
>> --
>> Harald von Waldow
>> Eawag
>> ICT Services
>> Ueberlandstrasse 133
>> 8600 Duebendorf
>> http://www.eawag.ch
>>
>>
>>
>>
>
>
> --
>
>
> Natália Oliveira
>



-- 


Natália Oliveira
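
A check that can be run once the permissions script printed at the top of this message has been applied, as an added example that is not part of the original message or of CKAN: it asks PostgreSQL what the read-only role can actually do. The role and database names (`datastore_default`, `ckan_default`) are the ones shown in the generated script; the file name in the comment is hypothetical.

```sql
-- Added example (not CKAN's own code). Run as a database superuser, e.g.
--   sudo -u postgres psql -f check_datastore_perms.sql   (hypothetical file name)
-- Role and database names are taken from the generated script in this message.
\connect datastore_default

-- 1. Database- and schema-level privileges of the read-only role.
--    PUBLIC holds CONNECT on every database by default, so connect_main_db
--    reflects that grant as well as any grant made to the role itself.
SELECT has_database_privilege('datastore_default', 'datastore_default', 'CONNECT') AS connect_datastore_db,
       has_database_privilege('datastore_default', 'ckan_default', 'CONNECT')      AS connect_main_db,
       has_schema_privilege('datastore_default', 'public', 'USAGE')                AS usage_on_public,
       has_schema_privilege('datastore_default', 'public', 'CREATE')               AS create_on_public;

-- 2. Tables and views in "public" where the read-only role deviates from the
--    script's stated intent: SELECT missing, or any write privilege present.
--    The owner column shows which role created each relation.
SELECT c.relname,
       c.relkind,
       pg_get_userbyid(c.relowner) AS owner,
       has_table_privilege('datastore_default', c.oid, 'SELECT') AS can_select,
       has_table_privilege('datastore_default', c.oid,
                           'INSERT, UPDATE, DELETE, TRUNCATE') AS can_write
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'v')
  AND (NOT has_table_privilege('datastore_default', c.oid, 'SELECT')
       OR has_table_privilege('datastore_default', c.oid,
                              'INSERT, UPDATE, DELETE, TRUNCATE'))
ORDER BY c.relname;

-- 3. Default privileges recorded by ALTER DEFAULT PRIVILEGES in this database.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,
       d.defaclacl                   AS default_acl
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace;
```

Query 2 returns only the relations that deviate, so an empty result means every table and view in `public` is readable but not writable by the read-only role. `ALTER DEFAULT PRIVILEGES FOR USER "ckan_default"` covers only objects that `ckan_default` creates afterwards, which is why the owner column matters when a relation shows up there.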