[ckan-dev] Datastore Search Permissions Error / DB Permissions problem

Matthew Fullerton matt.fullerton at gmail.com
Wed Feb 8 09:44:26 UTC 2017


To tie up a loose end, I've noticed that this is intended behaviour:
http://docs.ckan.org/en/latest/maintaining/datastore.html#ckanext.datastore.logic.action.datastore_search_sql
,
http://docs.ckan.org/en/latest/maintaining/datastore.html#ckanext.datastore.logic.action.datastore_make_private

And was discussed and never really resolved:
https://github.com/ckan/ckan/issues/1954

-Matt


On 14 Sep 2016 12:28 p.m., "Matthew Fullerton" <matt.fullerton at gmail.com>
wrote:

Anyone? :-D

On 18 August 2016 at 17:51, Matthew Fullerton <matt.fullerton at gmail.com>
wrote:

> I'm getting 403 errors for searches on Datastore tables that are newly
> created. The problem also exists at the DB level (the datastore_default
> user can select from old tables but not the new ones). These are the
> current schema permissions:
> CREATE SCHEMA public
>   AUTHORIZATION pgadmin;
>
> GRANT ALL ON SCHEMA public TO pgadmin;
> GRANT ALL ON SCHEMA public TO ckan_default;
> GRANT USAGE ON SCHEMA public TO datastore_default;
> COMMENT ON SCHEMA public
>   IS 'standard public schema';
>
> ALTER DEFAULT PRIVILEGES IN SCHEMA public
>     GRANT SELECT ON TABLES
>     TO datastore_default;
>
> I think the problem is with the last bit. This is supposed to make sure
> SELECT is given to all new tables created [by ckan_default]. This is set up
> by the line in the permissions script:
> ALTER DEFAULT PRIVILEGES FOR USER "ckan_default" IN SCHEMA public
>     GRANT SELECT ON TABLES TO "datastore_default"
>
> I found a reference to this on StackOverflow:
> http://stackoverflow.com/questions/19309416/grant-permissions-to-user-for-any-new-tables-created-in-postgresql
> "You can change default privileges only for objects that will be created
> by yourself or by roles that you are a member of."
>
> Is there something set up wrong in the arrangement of
> schema/users/databases/permissions?
>
> In case it's relevant I have 2 DBs and 3 users set up in production.ini:
> ckan_default on the CKAN DB, ckan_default on the datastore DB and
> datastore_default on the datastore DB.
>
> Thanks,
> Matt
>
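
A diagnostic for the situation described in the thread, added here as an example and not part of the original messages or of CKAN's permissions script. It assumes the role and schema names quoted above (`ckan_default`, `datastore_default`, `public`) and is meant to be run in the datastore database.

```sql
-- 1. Default privileges are stored per *creating* role. The schema dump quoted
--    above omits the FOR ROLE part, so list which role each entry belongs to.
--    Only tables created by creating_role receive the grants in default_acl.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,   -- NULL = all schemas
       d.defaclobjtype               AS object_type,   -- 'r' = tables
       d.defaclacl                   AS default_acl
FROM pg_default_acl AS d
LEFT JOIN pg_namespace AS n ON n.oid = d.defaclnamespace
ORDER BY creating_role, schema_name;

-- 2. Tables in public that datastore_default cannot SELECT from, with owner.
--    If the owner is not a creating_role from query 1, the default grant was
--    never applied to that table. If it is, SELECT may have been revoked after
--    creation (see the datastore_make_private link at the top of the thread).
SELECT t.tablename,
       t.tableowner
FROM pg_tables AS t
WHERE t.schemaname = 'public'
  AND NOT has_table_privilege(
        'datastore_default',
        format('%I.%I', t.schemaname, t.tablename),
        'SELECT')
ORDER BY t.tableowner, t.tablename;

-- 3. Current ACL of one table, to compare an old (readable) table with a new one.
--    'example_resource_table' is a placeholder; substitute a real table name.
SELECT c.relname,
       pg_get_userbyid(c.relowner) AS owner,
       c.relacl
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND c.relname = 'example_resource_table';
```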