Comments (5)

prime-minister-of-fun avatar prime-minister-of-fun commented on June 2, 2024

Here are the log entries from the promscale side:

level=warn ts=2022-11-30T00:39:30.247Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:35.367Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:40.408Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:45.441Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:50.504Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:55.653Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_series_added (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:00.709Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:05.766Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:10.831Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:15.879Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:20.916Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:25.957Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_series_added (SQLSTATE 42501)" num_samples=45

The low-privilege user has every right to every table in the database. And, these messages coincide with the messages logged in the first post.

from promscale.

ramonguiu avatar ramonguiu commented on June 2, 2024

@prime-minister-of-fun did you by any chance change the permissions of the user that was super user AFTER installing Promscale?

Could you run these two queries and paste the results here?

SELECT proname,proowner::regrole
FROM pg_proc
WHERE pronamespace::regnamespace::text = '_prom_catalog'
  AND proname = 'create_ingest_temp_table';

SELECT r.rolname, r.rolsuper, r.rolinherit,
  r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
  r.rolconnlimit, r.rolvaliduntil,
  ARRAY(SELECT b.rolname
        FROM pg_catalog.pg_auth_members m
        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
        WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname !~ '^pg_'
ORDER BY 1;

from promscale.

prime-minister-of-fun avatar prime-minister-of-fun commented on June 2, 2024

Hi,
Thanks for the quick reply. I used a superuser account to initialize the database and extensions. Then, used the low-privilege role to run promscale. I assumed there would be some permissions to give and ownership to modify, but, obviously could not get this last permissions issue resolved.

The first query returned no results. The second query returns:

      rolname      | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcanlogin | rolconnlimit | rolvaliduntil |                                memberof                                | rolreplication | rolbypassrls 
-------------------+----------+------------+---------------+-------------+-------------+--------------+---------------+------------------------------------------------------------------------+----------------+--------------
 grafana_backend   | f        | t          | f             | f           | t           |           -1 |               | {}                                                                     | f              | f
 postgres          | t        | t          | t             | t           | t           |           -1 |               | {prom_reader,prom_writer,prom_modifier,prom_admin,prom_maintenance}    | t              | t
 prom_admin        | f        | t          | f             | f           | f           |           -1 |               | {prom_modifier,prom_maintenance}                                       | f              | f
 prom_maintenance  | f        | t          | f             | f           | f           |           -1 |               | {prom_reader}                                                          | f              | f
 prom_modifier     | f        | t          | f             | f           | f           |           -1 |               | {prom_writer}                                                          | f              | f
 prom_reader       | f        | t          | f             | f           | f           |           -1 |               | {}                                                                     | f              | f
 prom_writer       | f        | t          | f             | f           | f           |           -1 |               | {prom_reader}                                                          | f              | f
 promscale_backend | f        | t          | f             | f           | t           |           -1 |               | {pg_read_server_files,pg_write_server_files,pg_execute_server_program} | f              | f
 superuser         | t        | t          | f             | f           | t           |           -1 |               | {}                                                                     | f              | f

Looks like maybe my low-privilege role promscale_backend needs to belong to prom_reader and prom_writer??
I was fiddling with roles pg_read_server_files,pg_write_server_files,pg_execute_server_program for promscale_backend role to see if that fixed the permission denied messages.

Finally, the deployment in our environment would be split in two like described above. The DBA deploys the extensions in a new database created by a superuser, then the promscale app runs as a limited-privilege role.

from promscale.

ramonguiu avatar ramonguiu commented on June 2, 2024

Given your scenario, you need to make your promscale_backend user a member of prom_admin

Additionally, you may want to ask to give your promscale_backend CREATE permissions on the database you are using for Promscale which will allow the connector to install / upgrade PostgreSQL extensions. This will make upgrades easier when the upgrade also involves a Promscale extension and/or TimescaleDB upgrade because the new version of the Promscale connector (the promscale container) will automatically upgrade the extension when started and reduce downtime (you'll still need to ask the DBA to make the latest versions of those extensions available in the PostgreSQL database). The alternative is to coordinate the upgrade with your DBA. You'll have to stop the Promscale connector, then the DBA will have to install and upgrade the extension and finally you'll have to launch the latest version of the connector.

I hope it's clear. Let me know if you have any further questions.

from promscale.
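
The role changes suggested in the comment above, written out as SQL together with a check of the result. This is an added example, not part of the original thread or Promscale's own documentation; `promscale_db` is a placeholder database name, and revoking the `pg_*_server_*` roles is this example's own cleanup of the memberships shown in the role listing, not something the maintainer asked for.

```sql
-- Run as a superuser (the DBA), connected to the Promscale database.
-- promscale_db is a placeholder: the thread does not name the database.

-- Membership the maintainer asks for. Per the role listing in the thread,
-- prom_admin inherits prom_modifier, prom_maintenance, prom_writer, prom_reader.
GRANT prom_admin TO promscale_backend;

-- Optional, per the thread: lets the connector install/upgrade extensions itself.
-- GRANT CREATE ON DATABASE promscale_db TO promscale_backend;

-- Cleanup added by this example: these predefined roles give file and program
-- access on the database host and carry no table privileges, so they do not
-- affect SQLSTATE 42501 on metric tables.
REVOKE pg_read_server_files, pg_write_server_files, pg_execute_server_program
  FROM promscale_backend;

-- Every role promscale_backend now holds, directly or through inheritance.
WITH RECURSIVE memberships AS (
    SELECT m.roleid, 1 AS depth
    FROM pg_catalog.pg_auth_members m
    JOIN pg_catalog.pg_roles r ON r.oid = m.member
    WHERE r.rolname = 'promscale_backend'
  UNION
    SELECT m.roleid, ms.depth + 1
    FROM pg_catalog.pg_auth_members m
    JOIN memberships ms ON m.member = ms.roleid
)
SELECT r.rolname AS inherited_role, min(ms.depth) AS depth
FROM memberships ms
JOIN pg_catalog.pg_roles r ON r.oid = ms.roleid
GROUP BY r.rolname
ORDER BY depth, inherited_role;

-- Effective privileges on the tables named in the connector's log lines.
-- Looked up by name in pg_class so no schema name has to be assumed.
SELECT n.nspname, c.relname,
       has_table_privilege('promscale_backend', c.oid, 'SELECT') AS can_select,
       has_table_privilege('promscale_backend', c.oid, 'INSERT') AS can_insert
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND c.relname IN ('scrape_duration_seconds', 'scrape_samples_scraped',
                    'scrape_series_added')
ORDER BY 1, 2;
```

`has_table_privilege` takes role inheritance into account, so the last query reflects what the connector can do once it reconnects as `promscale_backend`.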

prime-minister-of-fun avatar prime-minister-of-fun commented on June 2, 2024

Thank you for the clear explanation.

The DBA performs upgrades in our environment. A little off-hours downtime during an upgrade is acceptable.

from promscale.
