[ckan-dev] Datastore Search Permissions Error / DB Permissions problem

Matthew Fullerton matt.fullerton at gmail.com
Wed Sep 14 10:28:58 UTC 2016


Anyone? :-D

On 18 August 2016 at 17:51, Matthew Fullerton <matt.fullerton at gmail.com>
wrote:

> I'm getting 403 errors for searches on Datastore tables that are newly
> created. The problem also exists at the DB level (the datastore_default
> user can select from old tables but not the new ones). These are the
> current schema permissions:
> CREATE SCHEMA public
>   AUTHORIZATION pgadmin;
>
> GRANT ALL ON SCHEMA public TO pgadmin;
> GRANT ALL ON SCHEMA public TO ckan_default;
> GRANT USAGE ON SCHEMA public TO datastore_default;
> COMMENT ON SCHEMA public
>   IS 'standard public schema';
>
> ALTER DEFAULT PRIVILEGES IN SCHEMA public
>     GRANT SELECT ON TABLES
>     TO datastore_default;
>
> I think the problem is with the last bit. This is supposed to make sure
> SELECT is given to all new tables created [by ckan_default]. This is set up
> by the line in the permissions script:
> ALTER DEFAULT PRIVILEGES FOR USER "ckan_default" IN SCHEMA public
>                S   GRANT SELECT ON TABLES TO "datastore_default"
>
> I found a reference to this on StackOverflow:
> http://stackoverflow.com/questions/19309416/grant-
> permissions-to-user-for-any-new-tables-created-in-postgresql
> "You can change default privileges only for objects that will be created
> by yourself or by roles that you are a member of."
>
> Is there something set up wrong in the arrangement of
> schema/users/databases/permissions?
>
> In case its relevant I have 2 DBs and 3 users set up in production.ini:
> ckan_default on the CKAN DB, ckan_default on the datastore DB and
> datastore_default on the datastore DB.
>
> Thanks,
> Matt
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/ckan-dev/attachments/20160914/73e9ed53/attachment-0002.html>


More information about the ckan-dev mailing list