Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

Started by Marcos Luis Ortiz Valmaseda almost 11 years ago | 12 messages | general

Regards to all the list.
First, all the info about the system:

O.S: CentOS 7 64 bits
PostgreSQL version:

SELECT version();
version
--------------------------------------------------------------------------------------------------------------
PostgreSQL 9.2.7 on x86_64-redhat-linux-gnu, compiled by gcc (GCC)
4.8.2 20140120 (Red Hat 4.8.2-16), 64-bit
(1 row)

Neo4j version: 2.1.M
Py2neo version: 2.0.8
Python version:
python
Python 2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)] on linux2

Now the problem:

We are working here to integrate PostgreSQL with Neo4j through PL/Python
using the py2neo module for it, and when we want to send sentences to
Neo4j using port 7474, the executed code raises a SocketError [Errno 13]
Permission denied.

I tested the same code in a normal python script outside of PostgreSQL,
and it works well, but the problem is when I use the code inside
PostgreSQL with PL/Python.
This is the code of a simple function to search a node in the Neo4j graph:

CREATE OR REPLACE FUNCTION search_professor_node(nombre_prof text)
RETURNS text AS
$BODY$
from py2neo import Graph
from py2neo.cypher import CypherTransaction

graph = Graph("http://neo4j:neo4j@10.8.45.136:37474/db/data")
tx = graph.cypher.begin()
statement = "MATCH (pf:Professor) WHERE pf.nombre = {name} RETURN pf;"
tx.append(statement, parameters={'name': nombre_prof})
professor= tx.commit()
$BODY$
LANGUAGE plpythonu VOLATILE
COST 100;

and it can be used:
SELECT search_professor_node('Max');

The complete error is:

********** Error **********

ERROR: py2neo.packages.httpstream.http.SocketError: Permission denied
SQL state: XX000
Context: Traceback (most recent call last):
PL/Python function "search_professor_node", line 6, in <module>
tx = graph.cypher.begin()
PL/Python function "search_professor_node", line 666, in cypher
PL/Python function "search_professor_node", line 212, in metadata
PL/Python function "search_professor_node", line 257, in get
PL/Python function "search_professor_node", line 965, in get
PL/Python function "search_professor_node", line 942, in __get_or_head
PL/Python function "search_professor_node", line 432, in submit
PL/Python function "search_professor_node", line 361, in submit
PL/Python function "search_professor_node"

Thanks a lot for your time, and I hope to find a suitable solution for it.

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Marcos Luis Ortiz Valmaseda (#1)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

Marcos Ortiz <mlortiz@uci.cu> writes:

O.S: CentOS 7 64 bits

We are working here to integrate PostgreSQL with Neo4j through PL/Python
using the py2neo module for it, and when we want to send sentences to
Neo4j using port 7474, the executed code raises a SocketError [Errno 13]
Permission denied.

I tested the same code in a normal python script outside of PostgreSQL,
and it works well, but the problem is when I use the code inside
PostgreSQL with PL/Python.

Probably SELinux is set up to deny random connections originating from the
postgresql daemon. If disabling SELinux makes the problem go away then
that's it. (I do *not* recommend that as a permanent solution, of course.
You'll want to find some finer-grained change to the security policy.
Don't remember enough about SELinux to know what the most likely bet is.)

regards, tom lane


#3 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Marcos Luis Ortiz Valmaseda (#1)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 05/23/2015 03:27 PM, Marcos Ortiz wrote:

Regards to all the list.
First, all the info about the system:

O.S: CentOS 7 64 bits
PostgreSQL version:

SELECT version();
version
--------------------------------------------------------------------------------------------------------------

PostgreSQL 9.2.7 on x86_64-redhat-linux-gnu, compiled by gcc (GCC)
4.8.2 20140120 (Red Hat 4.8.2-16), 64-bit
(1 row)

Neo4j version: 2.1.M
Py2neo version: 2.0.8
Python version:
python
Python 2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)] on linux2

Now the problem:

We are working here to integrate PostgreSQL with Neo4j through PL/Python
using the py2neo module for it, and when we want to send sentences to
Neo4j using port 7474, the executed code raises a SocketError [Errno 13]
Permission denied.

Well first in the code below, if I am following correctly, the socket is
37474.

I tested the same code in a normal python script outside of PostgreSQL,
and it works well, but the problem is when I use the code inside
PostgreSQL with PL/Python.

Second the plpythonu code is running as the postgres user, so does that
user have permissions on the socket.

This is the code of a simple function to search a node in the Neo4j graph:

CREATE OR REPLACE FUNCTION search_professor_node(nombre_prof text)
RETURNS text AS
$BODY$
from py2neo import Graph
from py2neo.cypher import CypherTransaction

graph = Graph("http://neo4j:neo4j@10.8.45.136:37474/db/data")
tx = graph.cypher.begin()
statement = "MATCH (pf:Professor) WHERE pf.nombre = {name} RETURN pf;"
tx.append(statement, parameters={'name': nombre_prof})
professor= tx.commit()
$BODY$
LANGUAGE plpythonu VOLATILE
COST 100;

and it can be used:
SELECT search_professor_node('Max');

The complete error is:

********** Error **********

ERROR: py2neo.packages.httpstream.http.SocketError: Permission denied
SQL state: XX000
Context: Traceback (most recent call last):
PL/Python function "search_professor_node", line 6, in <module>
tx = graph.cypher.begin()
PL/Python function "search_professor_node", line 666, in cypher
PL/Python function "search_professor_node", line 212, in metadata
PL/Python function "search_professor_node", line 257, in get
PL/Python function "search_professor_node", line 965, in get
PL/Python function "search_professor_node", line 942, in __get_or_head
PL/Python function "search_professor_node", line 432, in submit
PL/Python function "search_professor_node", line 361, in submit
PL/Python function "search_professor_node"

Thanks a lot for your time, and I hope to find a suitable solution for it.

--
Adrian Klaver
adrian.klaver@aklaver.com


In reply to: Tom Lane (#2)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 23/05/15 18:38, Tom Lane wrote:

Marcos Ortiz <mlortiz@uci.cu> writes:

O.S: CentOS 7 64 bits
We are working here to integrate PostgreSQL with Neo4j through PL/Python
using the py2neo module for it, and when we want to send sentences to
Neo4j using port 7474, the executed code raises a SocketError [Errno 13]
Permission denied.
I tested the same code in a normal python script outside of PostgreSQL,
and it works well, but the problem is when I use the code inside
PostgreSQL with PL/Python.

Probably SELinux is set up to deny random connections originating from the
postgresql daemon. If disabling SELinux makes the problem go away then
that's it. (I do *not* recommend that as a permanent solution, of course.
You'll want to find some finer-grained change to the security policy.
Don't remember enough about SELinux to know what the most likely bet is.)

regards, tom lane

I agree with you, Tom.
I will find the SELinux policy to allow this, because I don't want to
disable SELinux in the system.
Searching in the system with getsebool -a | grep postgresql, this was
the result:

postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
selinuxuser_postgresql_connect_enabled --> off

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>

In reply to: Adrian Klaver (#3)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 23/05/15 18:40, Adrian Klaver wrote:

Well first in the code below, if I am following correctly, the socket
is 37474.

Yes, Adrian. Sorry for that, the correct port is 7474. I just was
testing with higher ports to
see if the error persisted.

I tested the same code in a normal python script outside of PostgreSQL,
and it works well, but the problem is when I use the code inside
PostgreSQL with PL/Python.

Second the plpythonu code is running as the postgres user, so does
that user have permissions on the socket.

Did you mean the socket created by Neo4j's server right?
For that reason, I created a group in the system for this named
supervisor, where neo4j/postgres users are members.
So, if I find the socket file for Neo4j-server, changing permissions
could solve the problem. Right?
Neo4j is a Java-based platform.

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>

#6 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Marcos Luis Ortiz Valmaseda (#5)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 05/23/2015 03:51 PM, Marcos Ortiz wrote:

Did you mean the socket created by Neo4j's server right?
For that reason, I created a group in the system for this named
supervisor, where neo4j/postgres users are members.
So, if I find the socket file for Neo4j-server, changing permissions
could solve the problem. Right?

Not sure, but a quick search found that py2neo uses the neo4j REST API
and that API has authorization parameters:

http://neo4j.com/docs/stable/security-server.html

Have you gone through the above?

--
Adrian Klaver
adrian.klaver@aklaver.com


In reply to: Adrian Klaver (#6)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 23/05/15 19:09, Adrian Klaver wrote:

Not sure, but a quick search found that py2neo uses the neo4j REST API
and that API has authorization parameters:

http://neo4j.com/docs/stable/security-server.html

Have you gone through the above?

Yes, Adrian. py2neo installs a tool called neoauth, which can be used to
create users with their respective passwords.
For that reason, I use this way to create the graph:

graph = Graph("http://neo4j:neo4j@10.8.45.136:7474/db/data")
using the user neo4j and its pass neo4j

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>

#8 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Marcos Luis Ortiz Valmaseda (#7)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 05/23/2015 04:16 PM, Marcos Ortiz wrote:

Yes, Adrian. py2neo installs a tool called neoauth, which can be used to
create users with their respective passwords.
For that reason, I use this way to create the graph:

graph = Graph("http://neo4j:neo4j@10.8.45.136:7474/db/data")
using the user neo4j and its pass neo4j

From a quick look at the neo4j security docs, it seems the server by
default only accepts connections from localhost. So where is the neo4j
server in relation to the Postgres server and the stand alone Python
script that runs?

--
Adrian Klaver
adrian.klaver@aklaver.com


#9 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Marcos Luis Ortiz Valmaseda (#7)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 05/23/2015 04:16 PM, Marcos Ortiz wrote:

Yes, Adrian. py2neo installs a tool called neoauth, which can be used to
create users with their respective passwords.
For that reason, I use this way to create the graph:

graph = Graph("http://neo4j:neo4j@10.8.45.136:7474/db/data")
using the user neo4j and its pass neo4j

Not sure if it applies but see here:

http://neo4j.com/docs/stable/rest-api-security.html
"When Neo4j is first installed you can authenticate with the default
user neo4j and the default password neo4j. However, the default password
must be changed (see the section called “User status and password
changing”) before access to resources will be permitted. ..."

--
Adrian Klaver
adrian.klaver@aklaver.com


In reply to: Adrian Klaver (#9)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

Sorry for the late response.

On 23/05/15 19:38, Adrian Klaver wrote:

Not sure if it applies but see here:

http://neo4j.com/docs/stable/rest-api-security.html
"When Neo4j is first installed you can authenticate with the default
user neo4j and the default password neo4j. However, the default
password must be changed (see the section called “User status and
password changing”) before access to resources will be permitted. ..."

Yes, I changed the password.
It seems that the problem was with SELinux.
I disabled it for a moment to make a simple test and everything worked.
But, like Tom said, I don't want SELinux disabled in my systems, so I
will find out the
security label who is blocking this in CentOS, and enable it again.
When I find it, I will send the solution to the list.
Best wishes and thanks again for your time.

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>

#11 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Marcos Luis Ortiz Valmaseda (#10)
Re: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

On 05/24/2015 04:15 PM, Marcos Ortiz wrote:

Sorry for the late response.

Not sure if it applies but see here:

http://neo4j.com/docs/stable/rest-api-security.html
"When Neo4j is first installed you can authenticate with the default
user neo4j and the default password neo4j. However, the default
password must be changed (see the section called “User status and
password changing”) before access to resources will be permitted. ..."

Yes, I changed the password.
It seems that the problem was with SELinux.
I disabled it for a moment to make a simple test and everything worked.
But, like Tom said, I don't want SELinux disabled in my systems, so I
will find out the
security label who is blocking this in CentOS, and enable it again.
When I find it, I will send the solution to the list.

Glad you found the cause and thanks for following up. Nice to be able to
close the loop on a problem.

Best wishes and thanks again for your time.

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>

--
Adrian Klaver
adrian.klaver@aklaver.com


In reply to: Adrian Klaver (#11)
SOLVED: Trying to solve a SocketError [Errno 13] Permission with PL/Python in PostgreSQL 9.3

Regards, Adrian, Tom and all pgsql-general list.
Like Tom said, the problem was with SELinux and I found the policy which
caused all problems:
grep denied audit.log | audit2allow

#============= postgresql_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow postgresql_t ephemeral_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow postgresql_t unreserved_port_t:tcp_socket name_connect;

I checked that boolean with:

# getsebool -a | grep nis_enabled
nis_enabled --> off

Then, I changed it to on, and everything works well with SELinux enabled
by default.
Thanks again for the time and patience.

--
Marcos Ortiz <http://about.me/marcosortiz>, Sr. Product Manager (Data
Infrastructure) at UCI
@marcosluis2186 <http://twitter.com/marcosluis2186>
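
An added example, not part of the original thread: a small Python parser for the AVC records behind the `grep denied audit.log | audit2allow` step above. It lists which destination ports the `postgresql_t` domain was denied, so that any policy change can be scoped to them. The log lines are constructed samples and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original thread). The source
# domain, target port types, class and permission match the audit2allow output
# quoted above; timestamps, pids and the unrelated httpd records are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432420000.101:310): avc:  denied  { name_connect } for  pid=2101 comm="postgres" dest=7474 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1432420100.202:311): avc:  denied  { name_connect } for  pid=2101 comm="postgres" dest=37474 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1432420200.303:312): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1432420200.303:312): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1432420300.404:313): avc:  denied  { name_connect } for  pid=2188 comm="postgres" dest=7474 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    dest = fields.get("dest", "")
    return {
        "perms": match.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "dest": int(dest) if dest.isdigit() else None,
        "comm": fields.get("comm"),
    }


def network_denials(log_text, source_domain="postgresql_t"):
    """Map target port type -> sorted destination ports that were denied
    name_connect on a tcp_socket for the given source domain."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (
            rec
            and rec["source"] == source_domain
            and rec["tclass"] == "tcp_socket"
            and "name_connect" in rec["perms"]
            and rec["dest"] is not None
        ):
            ports[rec["target"]].add(rec["dest"])
    return {target: sorted(seen) for target, seen in ports.items()}


def report(log_text, source_domain="postgresql_t"):
    """Render the denials as audit2allow-style rules, annotated with the
    destination ports that triggered them."""
    lines = []
    for target, ports in sorted(network_denials(log_text, source_domain).items()):
        port_list = ", ".join(str(p) for p in ports)
        lines.append(
            f"allow {source_domain} {target}:tcp_socket name_connect; "
            f"# dest ports seen: {port_list}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```
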