From: Akshay Joshi
Date: Mon, 11 Apr 2022 13:49:49 +0530
Subject: Re: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source
To: Khushboo Vashi
Cc: pgadmin-hackers

Thanks, the patch applied.

On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

> Hi,
>
> Please find the attached patch to implement the feature #7012 - Disable
> master password requirement when using alternative auth source
>
> When pgAdmin stores a connection password, it encrypts it using a key that
> is formed either from the master password, or from the pgAdmin login
> password for the user. In the case of auth methods such as OAuth, Kerberos
> or Webserver, pgAdmin doesn't have access to anything long-lived to form
> the encryption key from, hence it uses the master password. And if the
> master is disabled, there is no way to store the connection password.
>
> To resolve this, we have added an option to config.py (which defaults to
> None) for an alternate encryption key. pgAdmin would use this if a) the
> master password is disabled AND b) there is no suitable key/password
> available from the auth module for the user. If the option is set to
> None, pgAdmin works as it does now.
>
> Thanks,
> Khushboo
>

-- 
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Principal Software Architect
EDB Postgres
Mobile: +91 976-788-8246
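
Added example, not part of the original message or of the pgAdmin patch: the key-source order described in the quoted text, with a small audit that lists the auth sources whose users would have no way to store a connection password under a given configuration. All function, parameter and auth-source names are hypothetical; it also assumes the master password is used whenever it is enabled and that any auth source other than the three named in the post supplies a login password.

```python
from typing import List, Optional, Tuple

# Assumption: identifiers for the auth methods the post lists as having
# no long-lived secret (OAuth, Kerberos, Webserver).
NO_LONG_LIVED_SECRET = {"oauth2", "kerberos", "webserver"}


def resolve_key_source(auth_source: str,
                       master_password_required: bool,
                       master_password: Optional[str],
                       login_password: Optional[str],
                       alternate_key: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (source, key material) following the order in the post."""
    if master_password_required:
        # Master password enabled: it is the key material for every auth method.
        return ("master_password", master_password)
    # Master password disabled: use what the auth module can offer, if anything.
    if auth_source not in NO_LONG_LIVED_SECRET and login_password:
        return ("login_password", login_password)
    # New option: a) master password disabled AND b) nothing from the auth module.
    if alternate_key is not None:
        return ("alternate_key", alternate_key)
    # Option left at None: behaviour unchanged, nothing to encrypt with.
    return ("none", None)


def audit(auth_sources: List[str],
          master_password_required: bool,
          alternate_key: Optional[str]) -> List[str]:
    """List the auth sources whose users could not store a connection password."""
    blocked = []
    for src in auth_sources:
        # Constructed placeholders stand in for secrets only known at run time.
        source, _ = resolve_key_source(
            src, master_password_required,
            master_password="<entered-at-unlock>",
            login_password=None if src in NO_LONG_LIVED_SECRET else "<login>",
            alternate_key=alternate_key)
        if source == "none":
            blocked.append(src)
    return blocked
```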