Comments (5)
Here are the log entries from the promscale side:
level=warn ts=2022-11-30T00:39:30.247Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:35.367Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:40.408Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:45.441Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:50.504Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:39:55.653Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_series_added (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:00.709Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:05.766Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:10.831Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_samples_scraped (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:15.879Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:20.916Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_duration_seconds (SQLSTATE 42501)" num_samples=45
level=warn ts=2022-11-30T00:40:25.957Z caller=write.go:244 msg="Error sending samples to remote storage" err="copier: writing series: error setting series_id: reading series id rows: ERROR: permission denied for table scrape_series_added (SQLSTATE 42501)" num_samples=45
The low-privilege user has every right to every table in the database. And, these messages coincide with the messages logged in the first post.
from promscale.
@prime-minister-of-fun did you by any chance change the permissions of the user that was super user AFTER installing Promscale?
Could you run these two queries and paste the results here?
SELECT proname, proowner::regrole
FROM pg_proc
WHERE pronamespace::regnamespace::text = '_prom_catalog'
  AND proname = 'create_ingest_temp_table';

SELECT r.rolname, r.rolsuper, r.rolinherit,
       r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
       r.rolconnlimit, r.rolvaliduntil,
       ARRAY(SELECT b.rolname
             FROM pg_catalog.pg_auth_members m
             JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
             WHERE m.member = r.oid) AS memberof,
       r.rolreplication,
       r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname !~ '^pg_'
ORDER BY 1;
from promscale.
Hi,
Thanks for the quick reply. I used a superuser account to initialize the database and extensions. Then, used the low-privilege role to run promscale. I assumed there would be some permissions to give and ownership to modify, but, obviously could not get this last permissions issue resolved.
The first query returned no results. The second query returns:
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcanlogin | rolconnlimit | rolvaliduntil | memberof | rolreplication | rolbypassrls
-------------------+----------+------------+---------------+-------------+-------------+--------------+---------------+------------------------------------------------------------------------+----------------+--------------
grafana_backend | f | t | f | f | t | -1 | | {} | f | f
postgres | t | t | t | t | t | -1 | | {prom_reader,prom_writer,prom_modifier,prom_admin,prom_maintenance} | t | t
prom_admin | f | t | f | f | f | -1 | | {prom_modifier,prom_maintenance} | f | f
prom_maintenance | f | t | f | f | f | -1 | | {prom_reader} | f | f
prom_modifier | f | t | f | f | f | -1 | | {prom_writer} | f | f
prom_reader | f | t | f | f | f | -1 | | {} | f | f
prom_writer | f | t | f | f | f | -1 | | {prom_reader} | f | f
promscale_backend | f | t | f | f | t | -1 | | {pg_read_server_files,pg_write_server_files,pg_execute_server_program} | f | f
superuser | t | t | f | f | t | -1 | | {} | f | f
Looks like maybe my low-privilege role promscale_backend needs to belong to prom_reader and prom_writer??
I was fiddling with roles pg_read_server_files,pg_write_server_files,pg_execute_server_program for promscale_backend role to see if that fixed the permission denied messages.
Finally, the deployment in our environment would be split in two like described above. The DBA deploys the extensions in a new database created by a superuser, then the promscale app runs as a limited-privilege role.
from promscale.
Given your scenario, you need to make your promscale_backend user a member of prom_admin.
Additionally, you may want to ask to give your promscale_backend CREATE permissions on the database you are using for Promscale which will allow the connector to install / upgrade PostgreSQL extensions. This will make upgrades easier when the upgrade also involves a Promscale extension and/or TimescaleDB upgrade because the new version of the Promscale connector (the promscale container) will automatically upgrade the extension when started and reduce downtime (you'll still need to ask the DBA to make the latest versions of those extensions available in the PostgreSQL database). The alternative is to coordinate the upgrade with your DBA. You'll have to stop the Promscale connector, then the DBA will have to install and upgrade the extension and finally you'll have to launch the latest version of the connector.
I hope it's clear. Let me know if you have any further questions.
from promscale.
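The role change suggested in the reply above, written out as an added example (not part of the original thread and not Promscale's own code), for a DBA to run as a superuser. It also drops the three predefined pg_* roles that the role listing shows on promscale_backend, and then checks the effective privileges; the database name promscale_db is a placeholder, since the thread does not give one.

```sql
-- Added example. Role and table names come from the thread;
-- "promscale_db" is a placeholder database name.
BEGIN;

-- prom_admin is a member of prom_modifier and prom_maintenance, which in turn
-- reach prom_writer and prom_reader (see the memberof column in the listing),
-- and promscale_backend has rolinherit = t, so one grant covers the chain.
GRANT prom_admin TO promscale_backend;

-- The predefined roles added while troubleshooting are unrelated to table
-- privileges. pg_execute_server_program in particular allows running programs
-- on the database host as the PostgreSQL OS user, so remove all three.
REVOKE pg_read_server_files, pg_write_server_files, pg_execute_server_program
  FROM promscale_backend;

-- Optional, only if the connector should install/upgrade extensions itself.
-- Leave it out when the DBA performs upgrades.
-- GRANT CREATE ON DATABASE promscale_db TO promscale_backend;

COMMIT;

-- Verify role membership and database-level privileges.
SELECT pg_has_role('promscale_backend', 'prom_admin', 'MEMBER')  AS in_prom_admin,
       pg_has_role('promscale_backend', 'prom_writer', 'USAGE')  AS inherits_prom_writer,
       pg_has_role('promscale_backend', 'pg_execute_server_program', 'MEMBER')
                                                                 AS still_exec_program,
       has_database_privilege('promscale_backend', current_database(), 'CREATE')
                                                                 AS can_create_in_db;

-- Verify the tables named in the SQLSTATE 42501 warnings, in whichever
-- schema they live.
SELECT n.nspname, c.relname,
       has_table_privilege('promscale_backend', c.oid, 'SELECT') AS can_select,
       has_table_privilege('promscale_backend', c.oid, 'INSERT') AS can_insert
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relname IN ('scrape_duration_seconds',
                    'scrape_samples_scraped',
                    'scrape_series_added')
  AND c.relkind IN ('r', 'p')
ORDER BY 1, 2;
```

After the change, in_prom_admin and inherits_prom_writer should be true and still_exec_program false; can_create_in_db stays false unless the optional grant was applied.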
Thank you for the clear explanation.
The DBA performs upgrades in our environment. A little off-hours downtime during an upgrade is acceptable.
from promscale.