From: Lutz Badenheuer
To: pgadmin-support@lists.postgresql.org
Subject: Docker setup without password
Date: Tue, 25 Mar 2025 14:22:54 +0100
Message-ID: <23879802.6Emhk5qWAg@nap>

Hello everybody,

I'd like to deploy PgAdmin4 with Ansible to a Docker Swarm cluster without any authentication and authorization, as it will not be exposed to the public. Only internal SSH users will be able to access the SSH tunnel endpoint, a unix domain socket. These users are already authenticated with their SSH public key and a second factor, and each of them is an experienced, trusted user.

Unfortunately, PgAdmin4 makes it very hard for me to accomplish this, or maybe I didn't find or understand the relevant documentation. I have already managed to automatically log in to PgAdmin4 by forcing it into desktop mode, but when I try to open a database in the menu on the left side, PgAdmin4 keeps asking for a password -- which has already been supplied with a PGPASS_FILE.

Please, don't get me wrong: I highly appreciate it when developers try to develop their software as securely as possible, thus protecting inexperienced users from insecure setups. And to be honest, I'm also not happy with having to force the software into desktop mode just to circumvent having to log into PgAdmin4. But then, having to spread passwords and add documentation to our projects just so my users can access that database doesn't make me happy either.

What I have already accomplished and tried so far:

- force PgAdmin4 into desktop mode (PGADMIN_CONFIG_SERVER_MODE: "False"), thus omitting the need to log in to PgAdmin4
- adding a PGPASS_FILE (with and without leading dots) with Docker configs to
  - /var/lib/pgadmin/pgpass
  - /var/lib/pgadmin/pgpass/storage/sw_lukenukem.de/pgpass
- setting the correct password in servers.json with the settings
  - Password
  - PassFile

At the moment, the service configuration in my docker-compose.yml looks like so (and no, please rest assured that s3cR3t is not the real password ;-):

--snip-----
  pgadmin:
    image: dpage/pgadmin4:latest
    environment:
      PGADMIN_DEFAULT_EMAIL: "sw@lukenukem.de"
      PGADMIN_DEFAULT_PASSWORD: "s3cR3t"
      PGADMIN_LISTEN_ADDRESS: "0.0.0.0"
      PGADMIN_DISABLE_POSTFIX: "True"
      PGADMIN_CONFIG_SERVER_MODE: "False"
      PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: "False"
      PGPASS_FILE: "/var/lib/pgadmin/pgpass"
    configs:
      - source: servers_json
        target: /pgadmin4/servers.json
      - source: pgpass
        target: /var/lib/pgadmin/pgpass
        uid: "5050"
        gid: "0"
        mode: 0600
      - source: pgpass
        target: /var/lib/pgadmin/storage/sw_lukenukem.de/pgpass
        uid: "5050"
        gid: "0"
        mode: 0600
--snip-----

However, after reading the documentation over and over and playing around with several configuration options, I'm at the end of my ideas. Any suggestions and hints are very welcome. If you need more information, please let me know.

Thank you in advance and please excuse my bad English, I know I lack training.

Best wishes,
Lutz