[ckan-dev] Unable to set permission to DataStore

Harald von Waldow harald.vonwaldow at eawag.ch
Mon Jan 18 21:11:40 UTC 2016


You need to pipe the output from paster to psql. It has just told you so:

paster datastore set-permissions | sudo -u postgres psql


On 18.01.2016 19:12, Natalia Queiroz wrote:
> Hello group,
> 
> I got it using the command
> 
> (default)root at localhost:/etc/ckan/default# paster --plugin=ckan
> datastore set-permissions -c /etc/ckan/default/production.ini
> 2016-01-18 15:41:33,818 WARNI [ckanext.datastore.plugin] Omitting
> permission checks because you are running paster commands.
> /*
> This script configures the permissions for the datastore.
> 
> It ensures that the datastore read-only user will only be able to select
> from
> the datastore database but has no create/write/edit permission or any
> permissions on other databases. You must execute this script as a database
> superuser on the PostgreSQL server that hosts your datastore database.
> 
> For example, if PostgreSQL is running locally and the "postgres" user
> has the
> appropriate permissions (as in the default Ubuntu PostgreSQL install),
> you can
> run:
> 
>     paster datastore set-permissions | sudo -u postgres psql
> 
> Or, if your PostgreSQL server is remote, you can pipe the permissions script
> over SSH:
> 
>     paster datastore set-permissions | ssh dbserver sudo -u postgres psql
> 
> */
> 
> -- Most of the following commands apply to an explicit database or to
> the whole
> -- 'public' schema, and could be executed anywhere. But ALTER DEFAULT
> -- PERMISSIONS applies to the current database, and so we must be
> connected to
> -- the datastore DB:
> \connect datastore_default
> 
> -- revoke permissions for the read-only user
> REVOKE CREATE ON SCHEMA public FROM PUBLIC;
> REVOKE USAGE ON SCHEMA public FROM PUBLIC;
> 
> GRANT CREATE ON SCHEMA public TO "ckan_default";
> GRANT USAGE ON SCHEMA public TO "ckan_default";
> 
> GRANT CREATE ON SCHEMA public TO "ckan_default";
> GRANT USAGE ON SCHEMA public TO "ckan_default";
> 
> -- take connect permissions from main db
> REVOKE CONNECT ON DATABASE "ckan_default" FROM "datastore_default";
> 
> -- grant select permissions for read-only user
> GRANT CONNECT ON DATABASE "datastore_default" TO "datastore_default";
> GRANT USAGE ON SCHEMA public TO "datastore_default";
> 
> -- grant access to current tables and views to read-only user
> GRANT SELECT ON ALL TABLES IN SCHEMA public TO "datastore_default";
> 
> -- grant access to new tables and views by default
> ALTER DEFAULT PRIVILEGES FOR USER "ckan_default" IN SCHEMA public
>    GRANT SELECT ON TABLES TO "datastore_default";
> 
> 
> After restart Ckan, I tested the set-up using curl command
> 
> (default)root at localhost:/etc/ckan/default# curl -X GET
> "http://ckan.jbrj.gov.br/api/3/action/datastore_search?resource_id=_table_metadata"
> {"help":
> "http://ckan.jbrj.gov.br/api/3/action/help_show?name=datastore_search",
> "success": true, "result": {"resource_id": "_table_metadata", "fields":
> [{"type": "text", "id": "_id"}, {"type": "name", "id": "name"}, {"type":
> "oid", "id": "oid"}, {"type": "name", "id": "alias_of"}], "records":
> [{"_id": "1fab8662e5772995", "alias_of": "pg_views", "name":
> "_table_metadata", "oid": 84889}, {"_id": "21b5fe766665b205",
> "alias_of": "pg_tables", "name": "_table_metadata", "oid": 84889}],
> "_links": {"start":
> "/api/3/action/datastore_search?resource_id=_table_metadata", "next":
> "/api/3/action/datastore_search?offset=100&resource_id=_table_metadata"}, "total":
> 2}}
> 
> 
> The issue now is that I receiving thos error when I access a resource
> information
> 
> [Mon Jan 18 15:48:33 2016] [error] [client IP] Error - <class
> 'sqlalchemy.exc.ProgrammingError'>: (ProgrammingError) ERRO:
> permiss\xc3\xa3o negada para rela\xc3\xa7\xc
> 3\xa3o _table_metadata
> 
> Any idea?
> 
> 
> On Mon, Jan 18, 2016 at 11:21 AM, Natalia Queiroz
> <queiroz.nati at gmail.com <mailto:queiroz.nati at gmail.com>> wrote:
> 
>     Hello Harold, I'm using ckan version 2.4
> 
>     On Fri, Jan 15, 2016 at 11:56 AM, Harald von Waldow
>     <harald.vonwaldow at eawag.ch <mailto:harald.vonwaldow at eawag.ch>> wrote:
> 
>         Or Natalia looked at the wrong docu-version. Natalia, which
>         version of
>         CKAN are you running?
> 
>         On 15.01.2016 13:32, David Read wrote:
>         > Harald,
>         > I can see no error in the documentation here. I think Natalia
>         just misread it.
>         >
>         http://docs.ckan.org/en/latest/maintaining/datastore.html#set-permissions
>         > David
>         >
>         > On 14 January 2016 at 22:22, Harald von Waldow
>         > <harald.vonwaldow at eawag.ch <mailto:harald.vonwaldow at eawag.ch>>
>         wrote:
>         >> I guess there is an error in the documentation. Try this:
>         >>
>         >> paster --plugin=ckan datastore set-permissions
>         >> -c /etc/ckan/default/production.ini| sudo -u postgres psql
>         >>
>         >> I guess it is also not such a good idea to run everything as
>         root ...
>         >>
>         >> Cheers,
>         >> Harald
>         >>
>         >> On 14.01.2016 22:01, Natalia Queiroz wrote:
>         >>> Hello Harold,
>         >>>
>         >>> I removed the pdf_view, now I got this ...
>         >>>
>         >>> (default)root at localhost:/home/nataliaoliveira# paster
>         --plugin=ckan
>         >>> datastore set-permissions postgres -c
>         /etc/ckan/default/production.ini
>         >>> 2016-01-14 18:56:53,648 WARNI [ckanext.datastore.plugin]
>         Omitting
>         >>> permission checks because you are running paster commands.
>         >>> usage: paster datastore [-h] {set-permissions} ...
>         >>> paster datastore: error: unrecognized arguments: postgres
>         >>>
>         >>>
>         >>>
>         >>>
>         >>>
>         >>> On Thu, Jan 14, 2016 at 5:41 PM, Harald von Waldow
>         >>> <harald.vonwaldow at eawag.ch
>         <mailto:harald.vonwaldow at eawag.ch>
>         <mailto:harald.vonwaldow at eawag.ch
>         <mailto:harald.vonwaldow at eawag.ch>>> wrote:
>         >>>
>         >>>     Remove pdf_view from ckan.plugins in your production.ini or,
>         >>>     alternatively, install ckanext-pdfview
>         >>>     (https://github.com/ckan/ckanext-pdfview).
>         >>>
>         >>>     Cheers,
>         >>>     Harald
>         >>>
>         >>>     On 14.01.2016 20:09, Natalia Queiroz wrote:
>         >>>     > Hello group,
>         >>>     >
>         >>>     > I'm following the ckan documentation to install
>         DataStore on my
>         >>>     environment.
>         >>>     >
>         >>>     >
>         >>>   
>          http://docs.ckan.org/en/ckan-2.4.1/maintaining/datastore.html#datapusher-automatically-add-data-to-the-datastore
>         >>>     >
>         >>>     > In the topic Set permissions, this is the error from
>         the command
>         >>>     >
>         >>>     > root at localhost:/etc/ckan/default# .
>         /usr/lib/ckan/default/bin/activate
>         >>>     > (default)root at localhost:/etc/ckan/default# cd
>         >>>     /usr/lib/ckan/default/src/ckan
>         >>>     >
>         (default)root at localhost:/usr/lib/ckan/default/src/ckan# paster
>         >>>     > --plugin=ckan datastore set-permissions postgres -c
>         >>>     > /etc/ckan/default/production.ini
>         >>>     > Traceback (most recent call last):
>         >>>     >   File "/usr/lib/ckan/default/bin/paster", line 9, in
>         <module>
>         >>>     >     load_entry_point('PasteScript==1.7.5',
>         'console_scripts',
>         >>>     'paster')()
>         >>>     >   File
>         >>>     >
>         >>>   
>          "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py",
>         >>>     > line 104, in run
>         >>>     >     invoke(command, command_name, options, args[1:])
>         >>>     >   File
>         >>>     >
>         >>>   
>          "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py",
>         >>>     > line 143, in invoke
>         >>>     >     exit_code = runner.run(args)
>         >>>     >   File
>         >>>     >
>         >>>   
>          "/usr/lib/ckan/default/local/lib/python2.7/site-packages/paste/script/command.py",
>         >>>     > line 238, in run
>         >>>     >     result = self.command()
>         >>>     >   File
>         "/usr/lib/ckan/default/src/ckan/ckanext/datastore/commands.py",
>         >>>     > line 70, in command
>         >>>     >     self._load_config()
>         >>>     >   File
>         "/usr/lib/ckan/default/src/ckan/ckan/lib/cli.py", line 147, in
>         >>>     > _load_config
>         >>>     >     load_environment(conf.global_conf, conf.local_conf)
>         >>>     >   File
>         >>>   
>          "/usr/lib/ckan/default/src/ckan/ckan/config/environment.py", line
>         >>>     > 232, in load_environment
>         >>>     >     p.load_all(config)
>         >>>     >   File
>         "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line
>         >>>     134,
>         >>>     > in load_all
>         >>>     >     load(*plugins)
>         >>>     >   File
>         "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line
>         >>>     148,
>         >>>     > in load
>         >>>     >     service = _get_service(plugin)
>         >>>     >   File
>         "/usr/lib/ckan/default/src/ckan/ckan/plugins/core.py", line
>         >>>     255,
>         >>>     > in _get_service
>         >>>     >     raise PluginNotFoundException(plugin_name)
>         >>>     > ckan.plugins.core.PluginNotFoundException: pdf_view
>         >>>     >
>         >>>     > Any idea?
>         >>>     >
>         >>>     > --
>         >>>     >
>         >>>     >
>         >>>     > Natália Oliveira
>         >>>     >
>         >>>     >
>         >>>     > _______________________________________________
>         >>>     > ckan-dev mailing list
>         >>>     > ckan-dev at lists.okfn.org
>         <mailto:ckan-dev at lists.okfn.org> <mailto:ckan-dev at lists.okfn.org
>         <mailto:ckan-dev at lists.okfn.org>>
>         >>>     > https://lists.okfn.org/mailman/listinfo/ckan-dev
>         >>>     > Unsubscribe:
>         https://lists.okfn.org/mailman/options/ckan-dev
>         >>>     >
>         >>>
>         >>>     --
>         >>>     Harald von Waldow
>         >>>     Eawag
>         >>>     ICT Services
>         >>>     Ueberlandstrasse 133
>         >>>     8600 Duebendorf
>         >>>     http://www.eawag.ch
>         >>>
>         >>>
>         >>>     _______________________________________________
>         >>>     ckan-dev mailing list
>         >>>     ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>         <mailto:ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>>
>         >>>     https://lists.okfn.org/mailman/listinfo/ckan-dev
>         >>>     Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>         >>>
>         >>>
>         >>>
>         >>>
>         >>> --
>         >>>
>         >>>
>         >>> Natália Oliveira
>         >>>
>         >>>
>         >>> _______________________________________________
>         >>> ckan-dev mailing list
>         >>> ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>         >>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>         >>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>         >>>
>         >>
>         >> --
>         >> Harald von Waldow
>         >> Eawag
>         >> ICT Services
>         >> Ueberlandstrasse 133
>         >> 8600 Duebendorf
>         >> http://www.eawag.ch
>         >>
>         >>
>         >> _______________________________________________
>         >> ckan-dev mailing list
>         >> ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>         >> https://lists.okfn.org/mailman/listinfo/ckan-dev
>         >> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>         >>
>         > _______________________________________________
>         > ckan-dev mailing list
>         > ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>         > https://lists.okfn.org/mailman/listinfo/ckan-dev
>         > Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>         >
> 
>         --
>         Harald von Waldow
>         Eawag
>         ICT Services
>         Ueberlandstrasse 133
>         8600 Duebendorf
>         http://www.eawag.ch
> 
> 
>         _______________________________________________
>         ckan-dev mailing list
>         ckan-dev at lists.okfn.org <mailto:ckan-dev at lists.okfn.org>
>         https://lists.okfn.org/mailman/listinfo/ckan-dev
>         Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> 
> 
> 
> 
>     -- 
> 
> 
>     Natália Oliveira
> 
> 
> 
> 
> -- 
> 
> 
> Natália Oliveira
> 
> 
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> 

-- 
Harald von Waldow
Eawag
ICT Services
Ueberlandstrasse 133
8600 Duebendorf
http://www.eawag.ch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.okfn.org/pipermail/ckan-dev/attachments/20160118/2e0df5ff/attachment-0003.sig>


More information about the ckan-dev mailing list