From: Fahar Abbas
Date: Thu, 20 Oct 2016 11:38:41 +0500
Subject: Re: RM1849: Auto-generating security keys
To: Murtuza Zabuawala
Cc: Dave Page, Ashesh Vashi, pgadmin-hackers, Josh Berkus, Devrim GÜNDÜZ, Magnus Hagander, Sandeep Thakkar, Hamid Quddus Akhtar
X-Mailing-List: pgadmin-hackers

I tried different variations, and when launching pgAdmin4 with a web browser the exception is still displayed when the user has deleted the .pgadmin folder.

Here is the output:
------------------------
python pgAdmin4.py
Starting pgAdmin 4. Please navigate to http://localhost:5050 in your browser.
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib/python3.5/socketserver.py", line 628, in process_request_thread
    self.handle_error(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 625, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
    self.handle()
  File "/home/fahar/venv/lib/python3.5/site-packages/werkzeug/serving.py", line 200, in handle
    rv = BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python3.5/http/server.py", line 415, in handle
    self.handle_one_request()
  File "/home/fahar/venv/lib/python3.5/site-packages/werkzeug/serving.py", line 235, in handle_one_request
    return self.run_wsgi()
  File "/home/fahar/venv/lib/python3.5/site-packages/werkzeug/serving.py", line 177, in run_wsgi
    execute(self.server.app)
  File "/home/fahar/venv/lib/python3.5/site-packages/werkzeug/serving.py", line 165, in execute
    application_iter = app(environ, start_response)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1643, in full_dispatch_request
    response = self.process_response(response)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1864, in process_response
    self.save_session(ctx.session, response)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 926, in save_session
    return self.session_interface.save_session(self, session, response)
  File "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 267, in save_session
    self.manager.put(session)
  File "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 144, in put
    self.parent.put(session)
  File "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 214, in put
    session.sign(self.secret)
  File "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 71, in sign
    self.hmac_digest = _calc_hmac('%s:%s' % (self.sid, self.randval), secret)
  File "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 44, in _calc_hmac
    secret.encode(), body.encode(), hashlib.sha1
AttributeError: 'bytes' object has no attribute 'encode'

On Thu, Oct 20, 2016 at 11:00 AM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
> Could you delete 'keys' table from pgadmin4.db file & try again?
>
> --
> Regards,
> Murtuza Zabuawala
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
> On Thu, Oct 20, 2016 at 11:26 AM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
>
>> Murtuza,
>>
>> I have applied this patch and there is no success on a new pgAdmin4 setup
>> as well as an existing pgAdmin4 setup.
>>
>> On Thu, Oct 20, 2016 at 10:45 AM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
>>
>>> Hi,
>>>
>>> PFA patch to fix the issue for Python3.
>>> RM#1849
>>>
>>> --
>>> Regards,
>>> Murtuza Zabuawala
>>> EnterpriseDB: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>>
>>> On Thu, Oct 20, 2016 at 11:03 AM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> I have reopened the following RM:
>>>> ================================
>>>> https://redmine.postgresql.org/issues/1849
>>>>
>>>> On Wed, Oct 19, 2016 at 6:04 PM, Dave Page wrote:
>>>>
>>>>> Patch applied.
>>>>>
>>>>> On Wed, Oct 19, 2016 at 11:55 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>>>>>
>>>>>> Hi Fahar,
>>>>>>
>>>>>> Please log the case on redmine.
>>>>>> Please find the attached patch, please apply it locally, and test it.
>>>>>>
>>>>>> And, please update the case, and this mail chain accordingly.
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Ashesh Vashi
>>>>>> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>>>>>> http://www.linkedin.com/in/asheshvashi
>>>>>>
>>>>>> On Wed, Oct 19, 2016 at 3:47 PM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
>>>>>>
>>>>>>> Here is the output if we copy config_local.py and execute python setup.py:
>>>>>>>
>>>>>>> pgAdmin 4 - Application Initialisation
>>>>>>> ======================================
>>>>>>>
>>>>>>> The configuration database - '/home/fahar/.pgadmin/pgadmin4.db' does not exist.
>>>>>>> Entering initial setup mode...
>>>>>>> NOTE: Configuring authentication for SERVER mode.
>>>>>>>
>>>>>>> Enter the email address and password to use for the initial pgAdmin user account:
>>>>>>>
>>>>>>> Email address: fahar.abbas@enterprisedb.com
>>>>>>> Password:
>>>>>>> Retype password:
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "setup.py", line 449, in <module>
>>>>>>>     do_setup(app)
>>>>>>>   File "setup.py", line 96, in do_setup
>>>>>>>     password = encrypt_password(p1)
>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 150, in encrypt_password
>>>>>>>     signed = get_hmac(password).decode('ascii')
>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 108, in get_hmac
>>>>>>>     'set to "%s"' % _security.password_hash)
>>>>>>> RuntimeError: The configuration value `SECURITY_PASSWORD_SALT` must not be None when the value of `SECURITY_PASSWORD_HASH` is set to "pbkdf2_sha512"
>>>>>>>
>>>>>>> python setup.py
>>>>>>> pgAdmin 4 - Application Initialisation
>>>>>>> ======================================
>>>>>>>
>>>>>>> User can not do any setup for web based now.
>>>>>>>
>>>>>>> The configuration database - '/home/fahar/.pgadmin/pgadmin4.db' does not exist.
>>>>>>> Entering initial setup mode...
>>>>>>> NOTE: Configuring authentication for SERVER mode.
>>>>>>>
>>>>>>> Enter the email address and password to use for the initial pgAdmin user account:
>>>>>>>
>>>>>>> Email address: fahar.abbas@enterprisedb.com
>>>>>>> Password:
>>>>>>> Retype password:
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "setup.py", line 449, in <module>
>>>>>>>     do_setup(app)
>>>>>>>   File "setup.py", line 96, in do_setup
>>>>>>>     password = encrypt_password(p1)
>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 150, in encrypt_password
>>>>>>>     signed = get_hmac(password).decode('ascii')
>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 108, in get_hmac
>>>>>>>     'set to "%s"' % _security.password_hash)
>>>>>>> RuntimeError: The configuration value `SECURITY_PASSWORD_SALT` must not be None when the value of `SECURITY_PASSWORD_HASH` is set to "pbkdf2_sha512"
>>>>>>>
>>>>>>> On Wed, Oct 19, 2016 at 3:03 PM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
>>>>>>>
>>>>>>>> Dave,
>>>>>>>>
>>>>>>>> Testing Environment
>>>>>>>>
>>>>>>>> Ubuntu 16.04 Linux 64:
>>>>>>>> --------------------------------
>>>>>>>>
>>>>>>>> pg-AdminIV Development Environment Setup for Ubuntu:
>>>>>>>>
>>>>>>>> 1) Install GIT
>>>>>>>>
>>>>>>>> sudo apt-get install git
>>>>>>>>
>>>>>>>> 2) Install pip3
>>>>>>>>
>>>>>>>> sudo apt-get install python3-pip
>>>>>>>>
>>>>>>>> 3) Install virtualenv
>>>>>>>>
>>>>>>>> sudo pip3 install virtualenv
>>>>>>>>
>>>>>>>> 4) Install the below dependencies, as they are required for the psycopg2 & pycrypto modules
>>>>>>>>
>>>>>>>> sudo apt-get install libpq-dev
>>>>>>>>
>>>>>>>> sudo apt-get install python3-dev
>>>>>>>>
>>>>>>>> 5) Create virtual environment
>>>>>>>>
>>>>>>>> virtualenv -p python3 venv
>>>>>>>>
>>>>>>>> 6) Create mkdir Projects
>>>>>>>>
>>>>>>>> 7) Clone git repo in Projects
>>>>>>>>
>>>>>>>> git clone http://git.postgresql.org/git/pgadmin4.git
>>>>>>>>
>>>>>>>> 8) Activate virtual environment
>>>>>>>>
>>>>>>>> source venv/bin/activate
>>>>>>>>
>>>>>>>> 9) Install modules
>>>>>>>>
>>>>>>>> pip3 install -r requirements_py3.txt
>>>>>>>>
>>>>>>>> 10) Edit the config.py file into config_local.py, which resides in Projects\pgAdmin4\web
>>>>>>>>
>>>>>>>> 11) Now run the setup.py file (\Projects\pgAdmin4\web)
>>>>>>>> python setup.py
>>>>>>>>
>>>>>>>> If the user does not create config_local.py and runs python setup.py for a new development setup, then the SECURITY_PASSWORD_SALT message is also displayed:
>>>>>>>>
>>>>>>>> Here is the output:
>>>>>>>> -------------------------
>>>>>>>>
>>>>>>>> python setup.py
>>>>>>>> pgAdmin 4 - Application Initialisation
>>>>>>>> ======================================
>>>>>>>>
>>>>>>>> The configuration database - '/home/fahar/.pgadmin/pgadmin4.db' does not exist.
>>>>>>>> Entering initial setup mode...
>>>>>>>> NOTE: Configuring authentication for SERVER mode.
>>>>>>>>
>>>>>>>> Enter the email address and password to use for the initial pgAdmin user account:
>>>>>>>>
>>>>>>>> Email address: fahar.abbas@enterprisedb.com
>>>>>>>> Password:
>>>>>>>> Retype password:
>>>>>>>> Traceback (most recent call last):
>>>>>>>>   File "setup.py", line 449, in <module>
>>>>>>>>     do_setup(app)
>>>>>>>>   File "setup.py", line 96, in do_setup
>>>>>>>>     password = encrypt_password(p1)
>>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 150, in encrypt_password
>>>>>>>>     signed = get_hmac(password).decode('ascii')
>>>>>>>>   File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 108, in get_hmac
>>>>>>>>     'set to "%s"' % _security.password_hash)
>>>>>>>> RuntimeError: The configuration value `SECURITY_PASSWORD_SALT` must not be None when the value of `SECURITY_PASSWORD_HASH` is set to "pbkdf2_sha512"
>>>>>>>> (venv) fahar@fahar-virtual-machine:~/Projects/pgadmin4/web$
>>>>>>>>
>>>>>>>> Is this expected?
>>>>>>>>
>>>>>>>> On Wed, Oct 19, 2016 at 1:37 PM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
>>>>>>>>
>>>>>>>>> Sure,
>>>>>>>>>
>>>>>>>>> Will test this thoroughly after complete investigation.
>>>>>>>>>
>>>>>>>>> Kind Regards,
>>>>>>>>>
>>>>>>>>> On Wed, Oct 19, 2016 at 1:27 PM, Dave Page wrote:
>>>>>>>>>
>>>>>>>>>> Patch applied.
>>>>>>>>>>
>>>>>>>>>> Fahar, can you please test this thoroughly in desktop and server modes, with both fresh and upgraded installations?
>>>>>>>>>>
>>>>>>>>>> https://redmine.postgresql.org/issues/1849
>>>>>>>>>>
>>>>>>>>>> Packagers: This change means that packages are no longer forced to create a config_local.py file, and there is no longer any need to explicitly set SECURITY_PASSWORD_SALT, SECURITY_KEY and CSRF_SESSION_KEY in the config (in fact, they should be removed for new installations, if you have included them in 1.0).
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 19, 2016 at 6:46 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Dave,
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Oct 15, 2016 at 8:02 AM, Dave Page wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> On Friday, October 14, 2016, Dave Page wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thursday, October 13, 2016, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Dave,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Oct 11, 2016 at 9:10 PM, Dave Page wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Ashesh,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Can you please review the attached patch, and apply if you're happy with it?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Overall the patch looked good to me.
>>>>>>>>>>>>>> But - I encountered an issue in 'web' mode, which won't happen with 'runtime'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Steps for reproduction on an existing pgAdmin 4 environment with 'web' mode:
>>>>>>>>>>>>>> - Apply the patch
>>>>>>>>>>>>>> - Start the pgAdmin4 application (stand alone application).
>>>>>>>>>>>>>> - Open pgAdmin home page.
>>>>>>>>>>>>>> - Log out (if already logged in).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And, you will see an exception.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have figured out the issue with the patch.
>>>>>>>>>>>>>> We were setting the SECURITY_PASSWORD_SALT after initializing the Security object.
>>>>>>>>>>>>>> Hence - it could not set the SECURITY_KEY and SECURITY_PASSWORD_SALT properly.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Hmm.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I had moved the Security object initialization after fetching these configurations from the database.
>>>>>>>>>>>>>> I have attached an addon patch for the same.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Now - I run into another issue.
>>>>>>>>>>>>>> Because - the existing password was hashed using the old SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I think - we need to think about a different strategy for upgrading the configuration file in the 'web' mode.
>>>>>>>>>>>>>> I was thinking - we can store the existing security configurations in the database during the upgrade process in 'web' mode.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> My concern with that is that we'll likely be storing the default config values in many cases, thus for those users, perpetuating the problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I guess what we need to do is re-encrypt the password during the upgrade - however, that makes me think; we then have both the key and the encrypted passwords in the same database, which is clearly not a good idea. Sigh... Needs more thought.
>>>>>>>>>>>>>
>>>>>>>>>>>> OK, so I've been thinking about this and experimenting for a couple of hours, as well as annoying the crap out of Magnus by thinking out loud in his general direction, and it looks like this isn't a major problem as from what I can see, SECURITY_PASSWORD_SALT is (aside from really being a key not a salt) not the only salting that's done.
>>>>>>>>>>>>
>>>>>>>>>>>> It looks like it's used system-wide as the key to generate an HMAC of the user's password, which is then passed to passlib which salts and hashes it. I did some testing, and found that two users with the same password end up with different hashes in the database, so clearly there is also per-user salting happening. I also created two users, then dropped the database and created the same user accounts with the same passwords again, and found that the resulting hashes were different in both databases - thus there is something else ensuring the hashes are unique across different installations/databases.
>>>>>>>>>>>>
>>>>>>>>>>>> So, I believe we can do as you suggest and migrate existing values for SECURITY_PASSWORD_SALT, given that there's clearly some other per user and per installation/database salting going on anyway. New installations can have the random value for SECURITY_PASSWORD_SALT.
>>>>>>>>>>>>
>>>>>>>>>>> We do not need to generate the random SECURITY_PASSWORD_SALT during upgrade mode, which was wrongly added in my addon patch.
>>>>>>>>>>>
>>>>>>>>>>> Please find the updated patch.
>>>>>>>>>>>
>>>>>>>>>>> Otherwise - looks good to me.
>>>>>>>>>>> Please commit the new patch (if you're ok with the change).
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>> Ashesh Vashi
>>>>>>>>>>> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>>>>>>>>>>> http://www.linkedin.com/in/asheshvashi
>>>>>>>>>>>
>>>>>>>>>>>> I don't believe SECURITY_KEY and CSRF_SESSION_KEY are issues either, as they're used for purposes that are essentially ephemeral, and thus can be changed during an upgrade.
>>>>>>>>>>>>
>>>>>>>>>>>> Adding Magnus as I'd appreciate any thoughts he may have.
>>>>>>>>>>>>
>>>>>>>>>>>> Patch attached - please review (Ashesh, but others too would be appreciated)!
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Dave Page
>>>>>>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>>>>>>> Twitter: @pgsnake
>>>>>>>>>>>>
>>>>>>>>>>>> EnterpriseDB UK: http://www.enterprisedb.com
>>>>>>>>>>>> The Enterprise PostgreSQL Company
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Dave Page
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Syed Fahar Abbas
>>>>>>>>> Quality Management Group
>>>>>>>>>
>>>>>>>>> EnterpriseDB Corporation
>>>>>>>>> Phone Office: +92-51-835-8874
>>>>>>>>> Phone Direct: +92-51-8466803
>>>>>>>>> Mobile: +92-333-5409707
>>>>>>>>> Skype ID: syed.fahar.abbas
>>>>>>>>> Website: www.enterprisedb.com
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Syed Fahar Abbas
>>>>>>>>
>>>>>>> --
>>>>>>> Syed Fahar Abbas
>>>>>>>
>>>>> --
>>>>> Dave Page
>>>>>
>>>> --
>>>> Syed Fahar Abbas
>>>>
>> --
>> Syed Fahar Abbas
>>

--
Syed Fahar Abbas
Quality Management Group

EnterpriseDB Corporation
Phone Office: +92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-5409707
Skype ID: syed.fahar.abbas
Website: www.enterprisedb.com
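As an added example (not pgAdmin's or flask-security's code), the two mechanisms this thread turns on, in stand-alone Python 3: a session HMAC that accepts its secret as str or bytes (the case the `'bytes' object has no attribute 'encode'` traceback above fails on), and the password pipeline Dave describes, an HMAC keyed with the site-wide SECURITY_PASSWORD_SALT value followed by per-user salted PBKDF2, with hashlib.pbkdf2_hmac standing in for passlib's pbkdf2_sha512 and SHA-256 in place of the SHA-1 seen in the traceback. Function names, the `site_key` parameter, the round count and every key and password are hypothetical and constructed; it shows why two users with the same password get different stored hashes and why regenerating the key breaks every existing login, as Ashesh hit.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string

# Constructed stand-ins: the character set of an auto-generated site-wide key
# (as pgAdmin keeps in its 'keys' table) and a hypothetical PBKDF2 work factor.
KEY_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 25000


def generate_key(length=32):
    """Random site-wide key, returned as str. Once persisted it may come back
    from the database as bytes, which is the case the session code must accept."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def _to_bytes(value):
    """Normalise str or bytes to bytes. The traceback's _calc_hmac called
    secret.encode() unconditionally, so a bytes secret raised AttributeError."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def calc_hmac(body, secret, digestmod=hashlib.sha256):
    """Hex HMAC of body keyed with secret; either argument may be str or bytes."""
    return hmac.new(_to_bytes(secret), _to_bytes(body), digestmod).hexdigest()


def sign_session(sid, randval, secret):
    """Signature stored with a server-side session, over '%s:%s' % (sid, randval)
    as session.py does in the traceback."""
    return calc_hmac("%s:%s" % (sid, randval), secret)


def verify_session(sid, randval, secret, digest):
    """Constant-time check of a presented session signature."""
    return hmac.compare_digest(sign_session(sid, randval, secret), digest)


def hash_password(password, site_key, salt=None, rounds=PBKDF2_ROUNDS):
    """Two layers: HMAC the password with the site-wide key (what flask-security
    calls SECURITY_PASSWORD_SALT, really a key), then PBKDF2-SHA512 over that
    with a fresh 16-byte per-user salt. Returns a self-describing string."""
    if salt is None:
        salt = os.urandom(16)
    peppered = calc_hmac(password, site_key).encode("ascii")
    dk = hashlib.pbkdf2_hmac("sha512", peppered, salt, rounds)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, site_key, stored):
    """Recompute using the salt and rounds embedded in the stored string.
    A different site_key changes the inner HMAC, so nothing hashed under the old
    key verifies: that is the login failure after the key was regenerated."""
    try:
        _, scheme, rounds, salt_b64, _digest = stored.split("$")
        salt = base64.b64decode(salt_b64)
        rounds = int(rounds)
    except ValueError:  # malformed string, bad base64 or non-numeric rounds
        return False
    if scheme != "pbkdf2-sha512":
        return False
    return hmac.compare_digest(hash_password(password, site_key, salt, rounds), stored)


if __name__ == "__main__":
    key = generate_key()
    # Session signing works whether the key arrives as str or as bytes.
    sig = sign_session("sid-1", 42, key)
    assert verify_session("sid-1", 42, key.encode(), sig)
    # Same password for two users: different stored hashes, both verify.
    h1 = hash_password("correct horse", key)
    h2 = hash_password("correct horse", key)
    assert h1 != h2 and verify_password("correct horse", key, h1)
    # A regenerated site key invalidates every existing hash.
    assert not verify_password("correct horse", generate_key(), h1)
    print("ok")
```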
I tried different variations and when launch pgAdmin4= with web browser still exception displayed when user deleted .pgadmin fold= er

Here is the output:
------------------------
pyt= hon pgAdmin4.py
Starting pgAdmin 4. Please navigate to http://localhost:5050 in your browser.
Exception i= n thread Thread-1:
Traceback (most recent call last):
=C2=A0 File &qu= ot;/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
= =C2=A0=C2=A0=C2=A0 self.run()
=C2=A0 File "/usr/lib/python3.5/threa= ding.py", line 862, in run
=C2=A0=C2=A0=C2=A0 self._target(*self._a= rgs, **self._kwargs)
=C2=A0 File "/usr/lib/python3.5/socketserver.p= y", line 628, in process_request_thread
=C2=A0=C2=A0=C2=A0 self.han= dle_error(request, client_address)
=C2=A0 File "/usr/lib/python3.5/= socketserver.py", line 625, in process_request_thread
=C2=A0=C2=A0= =C2=A0 self.finish_request(request, client_address)
=C2=A0 File "/u= sr/lib/python3.5/socketserver.py", line 354, in finish_request
=C2= =A0=C2=A0=C2=A0 self.RequestHandlerClass(request, client_address, self)
= =C2=A0 File "/usr/lib/python3.5/socketserver.py", line 681, in __= init__
=C2=A0=C2=A0=C2=A0 self.handle()
=C2=A0 File "/home/fahar= /venv/lib/python3.5/site-packages/werkzeug/serving.py", line 200, in h= andle
=C2=A0=C2=A0=C2=A0 rv =3D BaseHTTPRequestHandler.handle(self)
= =C2=A0 File "/usr/lib/python3.5/http/server.py", line 415, in han= dle
=C2=A0=C2=A0=C2=A0 self.handle_one_request()
=C2=A0 File "/h= ome/fahar/venv/lib/python3.5/site-packages/werkzeug/serving.py", line = 235, in handle_one_request
=C2=A0=C2=A0=C2=A0 return self.run_wsgi()
= =C2=A0 File "/home/fahar/venv/lib/python3.5/site-packages/werkzeug/ser= ving.py", line 177, in run_wsgi
=C2=A0=C2=A0=C2=A0 execute(self.ser= ver.app)
=C2=A0 File "/home/fahar/venv/lib/python3.5/site-packages/= werkzeug/serving.py", line 165, in execute
=C2=A0=C2=A0=C2=A0 appli= cation_iter =3D app(environ, start_response)
=C2=A0 File "/home/fah= ar/venv/lib/python3.5/site-packages/flask/app.py", line 2000, in __cal= l__
=C2=A0=C2=A0=C2=A0 return self.wsgi_app(environ, start_response)
= =C2=A0 File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py= ", line 1991, in wsgi_app
=C2=A0=C2=A0=C2=A0 response =3D self.make= _response(self.handle_exception(e))
=C2=A0 File "/home/fahar/venv/l= ib/python3.5/site-packages/flask/app.py", line 1567, in handle_excepti= on
=C2=A0=C2=A0=C2=A0 reraise(exc_type, exc_value, tb)
=C2=A0 File &q= uot;/home/fahar/venv/lib/python3.5/site-packages/flask/_compat.py", li= ne 33, in reraise
=C2=A0=C2=A0=C2=A0 raise value
=C2=A0 File "/h= ome/fahar/venv/lib/python3.5/site-packages/flask/app.py", line 1988, i= n wsgi_app
=C2=A0=C2=A0=C2=A0 response =3D self.full_dispatch_request()<= br>=C2=A0 File "/home/fahar/venv/lib/python3.5/site-packages/flask/app= .py", line 1643, in full_dispatch_request
=C2=A0=C2=A0=C2=A0 respon= se =3D self.process_response(response)
=C2=A0 File "/home/fahar/ven= v/lib/python3.5/site-packages/flask/app.py", line 1864, in process_res= ponse
=C2=A0=C2=A0=C2=A0 self.save_session(ctx.session, response)
=C2= =A0 File "/home/fahar/venv/lib/python3.5/site-packages/flask/app.py&qu= ot;, line 926, in save_session
=C2=A0=C2=A0=C2=A0 return self.session_in= terface.save_session(self, session, response)
=C2=A0 File "/home/fa= har/Projects/pgadmin4/web/pgadmin/utils/session.py", line 267, in save= _session
=C2=A0=C2=A0=C2=A0 self.manager.put(session)
=C2=A0 File &qu= ot;/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 1= 44, in put
=C2=A0=C2=A0=C2=A0 self.parent.put(session)
=C2=A0 File &q= uot;/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", line = 214, in put
=C2=A0=C2=A0=C2=A0 session.sign(self.secret)
=C2=A0 File = "/home/fahar/Projects/pgadmin4/web/pgadmin/utils/session.py", lin= e 71, in sign
=C2=A0=C2=A0=C2=A0 self.hmac_digest =3D _calc_hmac('%s= :%s' % (self.sid, self.randval), secret)
=C2=A0 File "/home/fah= ar/Projects/pgadmin4/web/pgadmin/utils/session.py", line 44, in _calc_= hmac
=C2=A0=C2=A0=C2=A0 secret.encode(), body.encode(), hashlib.sha1
= AttributeError: 'bytes' object has no attribute 'encode'

= On Thu, Oct 20, 2016 at 11:00 AM, Murtuza Zabuawala <<= a href=3D"mailto:murtuza.zabuawala@enterprisedb.com" target=3D"_blank">murt= uza.zabuawala@enterprisedb.com> wrote:
Could you delete 'keys' table from p= gadmin4.db file & try again?=C2=A0

-= -
Regards,
Murtuza Zabuawala<= br style=3D"color:rgb(136,136,136)">= EnterpriseDB:=C2=A0http://www.enterprisedb.com
The Enterprise PostgreSQL Company



On Thu, Oct 20, 2016 at 10= :45 AM, Murtuza Zabuawala <murtuza.zabuawala@enterprised<= wbr>b.com> wrote:
Hi,

PFA patch to fix the issue for Pyhton3.
RM#1849

--
Regards,
Murtuza Zabuawala
EnterpriseDB:=C2=A0http://ww= w.enterprisedb.com
The Enterprise PostgreSQL Company
=

On Thu, Oct 20, 2016 at 11:03 AM, Fahar Abba= s <fahar.abbas@enterprisedb.com> wrote:
Hi Dave,

I have reopened f= ollowing RM:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
https://redmine.postgresql.or= g/issues/1849

On Wed, Oct 19, 2016 at 6:04 PM, Dave Page <dpage@pgadmin= .org> wrote:
Patch applied.

On Wed, Oct= 19, 2016 at 11:55 AM, Ashesh Vashi <ashesh.vashi@enterprisedb= .com> wrote:
Hi Fahar,

Please log the case on redmine.=
Please find the attached patch, please apply it locally, and test it.<= /div>

And, please update the case, and this mail chain a= ccordingly.

<= div>

--

Thanks & Regards,=

Ashesh Vashi
EnterpriseDB INDIA: <= a href=3D"http://www.enterprisedb.com" target=3D"_blank">Enterprise Postgre= SQL Company

<= br>

<= a href=3D"http://www.linkedin.com/in/asheshvashi" target=3D"_blank">http= ://www.linkedin.com/in/asheshvashi


On Wed, Oct 19, 2016 at 3:47 PM, Fahar Abbas <= fahar.abbas@enterprisedb.com> wrote:
Here is the output of if we copy config_loc= al.py and execute python setup.py
pgAdmin 4 - Application Initiali= sation
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D


The con= figuration database - '/home/fahar/.pgadmin/pgadmin4.db' does = not exist.
Entering initial setup mode...
NOTE: Configuring authentic= ation for SERVER mode.


=C2=A0=C2=A0=C2=A0 Enter the email addres= s and password to use for the initial pgAdmin user=C2=A0=C2=A0=C2=A0=C2=A0 = account:

Email address: fahar.abbas@enterprisedb.com
Password:
Ret= ype password:
Traceback (most recent call last):
=C2=A0 File "se= tup.py", line 449, in <module>
=C2=A0=C2=A0=C2=A0 do_setup(ap= p)
=C2=A0 File "setup.py", line 96, in do_setup
=C2=A0=C2= =A0=C2=A0 password =3D encrypt_password(p1)
=C2=A0 File "/home/faha= r/venv/lib/python3.5/site-packages/flask_security/utils.py",= line 150, in encrypt_password
=C2=A0=C2=A0=C2=A0 signed =3D get_hmac(pa= ssword).decode('ascii')
=C2=A0 File "/home/fahar/venv/= lib/python3.5/site-packages/flask_security/utils.py", line 1= 08, in get_hmac
=C2=A0=C2=A0=C2=A0 'set to "%s"' % _se= curity.password_hash)
RuntimeError: The configuration value `SECURITY_PA= SSWORD_SALT` must not be None when the value of `SECURITY_PASSWORD_HASH` is= set to "pbkdf2_sha512"
python setup.py
pgAdmin 4 - Applica= tion Initialisation
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
User can not do any setup for web based now.

The configuration database - '/home/fahar/.pgadmin/pgadmin4.= db' does not exist.
Entering initial setup mode...
NOTE: Configur= ing authentication for SERVER mode.


=C2=A0=C2=A0=C2=A0 Enter the= email address and password to use for the initial pgAdmin user=C2=A0=C2=A0= =C2=A0=C2=A0 account:

Email address: fahar.abbas@enterprisedb.com
Pass= word:
Retype password:
Traceback (most recent call last):
=C2=A0 = File "setup.py", line 449, in <module>
=C2=A0=C2=A0=C2= =A0 do_setup(app)
=C2=A0 File "setup.py", line 96, in do_setup=
=C2=A0=C2=A0=C2=A0 password =3D encrypt_password(p1)
=C2=A0 File &qu= ot;/home/fahar/venv/lib/python3.5/site-packages/flask_security/ut= ils.py", line 150, in encrypt_password
=C2=A0=C2=A0=C2=A0 signed = =3D get_hmac(password).decode('ascii')
=C2=A0 File "/h= ome/fahar/venv/lib/python3.5/site-packages/flask_security/utils.p= y", line 108, in get_hmac
=C2=A0=C2=A0=C2=A0 'set to "%s&q= uot;' % _security.password_hash)
RuntimeError: The configuration val= ue `SECURITY_PASSWORD_SALT` must not be None when the value of `SECURITY_PA= SSWORD_HASH` is set to "pbkdf2_sha512"

On Wed, Oct 19, 2016 at 3:03 PM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
Dave,

Testing Environment

Ubuntu 16.04 Linux 64:
--------------------------------

pg-AdminIV Development Environment Setup for Ubuntu:


1) Install GIT

sudo apt-get install git

2) Install pip3

sudo apt-get install python3-pip

3) Install virtualenv

sudo pip3 install virtualenv

4) Install the dependencies below, as they are required for the psycopg2 & pycrypto modules

sudo apt-get install libpq-dev

sudo apt-get install python3-dev

5) Create virtual environment

virtualenv -p python3 venv

6) Create a Projects directory (mkdir Projects)

7) Clone git repo in Projects

git clone http://git.postgresql.org/git/pgadmin4.git

8) activate virt= ual environment

source venv/bin/activate

9) Install modules

pip3 install -r requirements_py3.txt

10) Edit the config.py file to config_local.py, which resides in Projects\pgAdmin4\web

11) Now run the setup.py file (\Projects\pgAdmin4\web)


If the user does not create config_local.py and runs python setup.py for a new development setup, then the SECURITY_PASSWORD_SALT message is also displayed:


python setup.py
pgAdmin 4 - Application Initialisation
======================================


The configuration database - '/home/fahar/.pgadmin/pgadmin4.db' does not exist.
Entering initial setup mode...
NOTE: Configuring authentication for SERVER mode.


Enter the email address and password to use for the initial pgAdmin user account:

Email address:
fahar.abbas@enterprisedb.com
Password:
Retype password:
Traceback (most recent call last):
  File "setup.py", line 449, in <module>
    do_setup(app)
  File "setup.py", line 96, in do_setup
    password = encrypt_password(p1)
  File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 150, in encrypt_password
    signed = get_hmac(password).decode('ascii')
  File "/home/fahar/venv/lib/python3.5/site-packages/flask_security/utils.py", line 108, in get_hmac
    'set to "%s"' % _security.password_hash)
RuntimeError: The configuration value `SECURITY_PASSWORD_SALT` must not be None when the value of `SECURITY_PASSWORD_HASH` is set to "pbkdf2_sha512"
(venv) fahar@fahar-virtual-machine:~/Projects/pgadmin4/web$

Is this expected?

On Wed, Oct 19, 2016 at 1:37 PM, Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
Sure,

Will test this thoroughly after complete investigation.

Kind Regards,

On Wed, Oct 19, 2016 at 1:27 PM, Dave Page <dpage@pgadmin.org> wrote:
Patch applied.

Fahar, can you please test this thoroughly in desktop and server modes, with both fresh and upgraded installations?


Packagers: This change means that packages are no longer forced to create a config_local.py file, and there is no longer any need to explicitly set SECURITY_PASSWORD_SALT, SECURITY_KEY and CSRF_SESSION_KEY in the config (in fact, they should be removed for new installations, if you have included them in 1.0)

Thanks.


On Wed, Oct 19, 2016 at 6:46 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
Hi Dave,

On Sat, Oct 15, 2016 at 8:02 AM, Dave Page <dpage@pgadmin.org> wrote:
Hi


On Friday, October 14, 2016, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Thursday, October 13, 2016, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
Hi Dave,

On Tue, Oct 11, 2016 at 9:10 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi Ashesh,

Can you please review the attached patch, and apply if you're happy with it?
Overall the patch looked good to me.
But I encountered an issue in 'web' mode, which won't happen with 'runtime'.

Steps for reproduction on an existing pgAdmin 4 environment in 'web' mode.
- Apply the patch
- Start the pgAdmin4 application (stand-alone application).
- Open the pgAdmin home page.
- Log out (if already logged in).

And, you will see an exception.

I have figured out the issue with the patch.
We were setting the SECURITY_PASSWORD_SALT after initializing the Security object.
Hence it could not set the SECURITY_KEY and SECURITY_PASSWORD_SALT properly.

Hmm.


I had moved the Security object initialization after fetching these configurations from the database.
I have attached an add-on patch for the same.

OK, thanks.


Now I run into another issue.
Because the existing password was hashed using the old SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.

I think we need to think about a different strategy for upgrading the configuration file in 'web' mode.
I was thinking we can store the existing security configurations in the database during the upgrade process in 'web' mode.

My concern with that is that we'll likely be storing the default config values in many cases, thus for those users, perpetuating the problem.

I guess what we need to do is re-encrypt the password during the upgrade - however, that makes me think; we then have both the key and the encrypted passwords in the same database which is clearly not a good idea. Sigh... Needs more thought.

OK, so I've been thinking about this and experimenting for a couple of hours, as well as annoying the crap out of Magnus by thinking out loud in his general direction, and it looks like this isn't a major problem as from what I can see, SECURITY_PASSWORD_SALT is (aside from really being a key not a salt) not the only salting that's done.

It looks like it's used system-wide as the key to generate an HMAC of the user's password, which is then passed to passlib which salts and hashes it. I did some testing, and found that two users with the same password end up with different hashes in the database, so clearly there is also per-user salting happening. I also created two users, then dropped the database and created the same user accounts with the same passwords again, and found that the resulting hashes were different in both databases - thus there is something else ensuring the hashes are unique across different installations/databases.

So, I believe we can do as you suggest and migrate existing values for SECURITY_PASSWORD_SALT, given that there's clearly some other per-user and per-installation/database salting going on anyway. New installations can have the random value for SECURITY_PASSWORD_SALT.
We do not need to generate the random SECURITY_PASSWORD_SALT during upgrade mode, which was wrongly added in my add-on patch.

Please find the updated patch.

Otherwise, looks good to me.
Please commit the new patch (if you're ok with the change).


--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company


http://www.linkedin.com/in/asheshvashi

I don't believe SECURITY_KEY and CSRF_SESSION_KEY are issues either, as they're used for purposes that are essentially ephemeral, and thus can be changed during an upgrade.

Adding Magnus as I'd appreciate any thoughts he may have.

Patch attached - please review (Ashesh, but others too would be appreciated)!

Thanks.


--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company








--
Syed Fahar Abbas
Quality = Management Group

EnterpriseDB Corporation
Phone Office: += 92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-54097= 07
Skype ID: syed.fahar.abbas
Website: www.enterprisedb.com



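The password scheme Dave describes above (a system-wide HMAC keyed with SECURITY_PASSWORD_SALT, whose output passlib then salts and hashes with pbkdf2_sha512) is the reason two users with the same password get different hashes, why the same accounts re-created in a fresh database hash differently again (passlib draws a fresh random salt for every hash), and why Ashesh could no longer log in once the key changed. The following is an added example that emulates that two-step scheme with the Python standard library; it is not pgAdmin's or Flask-Security's own code. The PBKDF2 round count, salt length, the `$pbkdf2-sha512$rounds$salt$hash` string layout, and the password and key values in `demo()` are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this emulation (passlib's own defaults differ).
PBKDF2_ROUNDS = 25000
SALT_BYTES = 16


def get_hmac(password, password_salt):
    """Step 1, mirroring what Flask-Security's get_hmac() does: HMAC-SHA512 of
    the password, keyed with SECURITY_PASSWORD_SALT, base64-encoded.
    The config value is used as a *key*, not a salt: it is fixed system-wide
    and must be present, which is the RuntimeError in the tracebacks above."""
    if password_salt is None:
        raise RuntimeError("SECURITY_PASSWORD_SALT must not be None")
    mac = hmac.new(password_salt.encode("utf-8"),
                   password.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac)


def hash_password(password, password_salt, salt=None):
    """Step 2, mirroring what passlib's pbkdf2_sha512 adds: a fresh random
    per-hash salt, then PBKDF2-HMAC-SHA512 over the HMAC output.
    Returns a self-describing string (layout assumed, not passlib's exact one)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user and per-installation uniqueness
    signed = get_hmac(password, password_salt)
    dk = hashlib.pbkdf2_hmac("sha512", signed, salt, PBKDF2_ROUNDS)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, password_salt, stored):
    """Recompute the HMAC with the *current* key, then PBKDF2 with the salt and
    rounds embedded in the stored string. If the key changed (for example a
    SECURITY_PASSWORD_SALT regenerated on upgrade), the HMAC input differs and
    every existing user is locked out, even though the stored salt is intact."""
    _, scheme, rounds, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unsupported hash scheme: %s" % scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    signed = get_hmac(password, password_salt)
    dk = hashlib.pbkdf2_hmac("sha512", signed, salt, int(rounds))
    return hmac.compare_digest(dk, expected)


def demo():
    """Reproduces the observations from the thread with constructed values:
    two users with the same password get different hashes; the same account in
    a rebuilt database gets a different hash again; a key change invalidates
    existing hashes; and a wrong password is still rejected."""
    old_key = "constructed-old-key"                                # placeholder
    new_key = base64.b64encode(os.urandom(32)).decode("ascii")    # "random" key

    h_user1 = hash_password("hunter2", old_key)
    h_user2 = hash_password("hunter2", old_key)
    h_rebuilt = hash_password("hunter2", old_key)

    return {
        "per_user_unique": h_user1 != h_user2,
        "per_install_unique": h_user1 != h_rebuilt,
        "login_with_old_key": verify_password("hunter2", old_key, h_user1),
        "login_after_key_change": verify_password("hunter2", new_key, h_user1),
        "wrong_password": verify_password("hunter3", old_key, h_user1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

Running the block prints the five checks; the only way to keep `login_after_key_change` true is to carry the old key forward (migrate the existing SECURITY_PASSWORD_SALT, as the thread concludes) or to re-hash each password under the new key at a moment when the plaintext is available, such as the user's next login.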