[ckan-dev] DataStore permission problems
Ian Ward
ian at excess.org
Wed Jun 14 15:44:42 UTC 2017
There was also work started to remove the use of postres per-table
permissions for private resources, was it
https://github.com/ckan/ckan/pull/2570 ?
Would be really nice to get that work finished off so that calls like
datastore_search_sql and this one can work when you're logged in.
On Wed, Jun 14, 2017 at 11:21 AM, <Florian.Brucker at it.karlsruhe.de> wrote:
> Dear Matt,
>
> it is indeed a private dataset. Querying a public dataset works as expected.
> Thanks for the tip!
>
> IMHO it might be acceptable if I cannot query private resources via the
> DataStore API (even if I own them and have authenticated myself using my
> API-key), but in that case I should get a meaningful, permissions-related
> error and not a 500. I've updated the issue you've linked to
> (https://github.com/ckan/ckan/issues/1954).
>
>
> Best regards,
> Florian
>
>
>
> "ckan-dev" <ckan-dev-bounces at lists.okfn.org> schrieb am 14.06.2017 15:21:45:
>
>> Von: Matthew Fullerton <matt.fullerton at gmail.com>
>> An: CKAN Development Discussions <ckan-dev at lists.okfn.org>,
>> Datum: 14.06.2017 15:22
>> Betreff: Re: [ckan-dev] DataStore permission problems
>> Gesendet von: "ckan-dev" <ckan-dev-bounces at lists.okfn.org>
>>
>> Dear Florian,
>> Is it a private dataset?
>>
>> https://lists.okfn.org/pipermail/ckan-dev/2017-February/010781.html
>>
>> -Matt
>>
>> On 14 June 2017 at 14:26, <Florian.Brucker at it.karlsruhe.de> wrote:
>> Hello everybody,
>>
>> I'm running into permission problems when trying to get information
>> about a resource via the DataStore API.
>>
>> The resource in question has successfully been uploaded to the
>> DataStore via the DataPusher as I can see from the "DataStore" tab
>> when editing the resource. However, when I try to query the
>> DataStore about the resource via the API I get an internal server
>> error (HTTP 500):
>>
>>
>> $ http POST https://transparenz.karlsruhe.de/api/3/action/datastore_info
>> id=50b5a6e3-76ee-43e1-908d-b6dd63e77b5d Authorization:XXX
>>
>> HTTP/1.1 500 Internal Server Error
>> Connection: keep-alive
>> Content-Length: 175
>> Content-Type: text/html; charset=utf8
>> Date: Wed, 14 Jun 2017 12:08:44 GMT
>> Server: nginx/1.11.2
>> Strict-Transport-Security: max-age=31536000
>> Vary: X-Forwarded-Proto,X-Forwarded-Port
>>
>> <html>
>> <head>
>> <title>Server Error</title>
>>
>> </head>
>> <body>
>> <h1>Server Error</h1>
>> An internal server error occurred
>>
>> </body>
>> </html>
>>
>>
>> The Apache logs then say
>>
>>
>> Error - <class 'sqlalchemy.exc.ProgrammingError'>:
>> (ProgrammingError) permission denied for relation
>> 50b5a6e3-76ee-43e1-908d-b6dd63e77b5d
>> '\\n SELECT count(_id) FROM "50b5a6e3-76ee-43e1-908d-
>> b6dd63e77b5d";\\n ' {}
>>
>>
>> I have set the database permissions as described in the
>> documentation via "paster datastore set-permissions ...". psql tells me:
>>
>>
>> postgres=# \l datastore_default
>> Liste der Datenbanken
>> Name | Eigentümer | Kodierung | Sortierfolge |
>> Zeichentyp | Zugriffsprivilegien
>> -------------------+--------------+-----------+--------------
>> +-------------+----------------------------------
>> datastore_default | ckan_default | UTF8 | en_US.UTF-8 |
>> en_US.UTF-8 | ckan_default=CTc/ckan_default +
>> | | | |
>> | =Tc/ckan_default +
>> | | | |
>> | datastore_default=c/ckan_default
>>
>>
>>
>> Finally, in my production.ini I have
>>
>>
>> ckan.datastore.write_url = postgresql://
>> ckan_default:XXX at transparenz.karlsruhe.de/datastore_default
>> ckan.datastore.read_url = postgresql://
>> datastore_default:XXX at transparenz.karlsruhe.de/datastore_default
>>
>>
>> This is on CKAN 2.6.2 and PostgreSQL 9.5.
>>
>> Any ideas what could be the problem?
>>
>>
>> Best regards,
>> Florian
>>
>>
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
More information about the ckan-dev
mailing list