MIME-Version: 1.0
References: <23879802.6Emhk5qWAg@nap>
In-Reply-To: <23879802.6Emhk5qWAg@nap>
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Date: Wed, 26 Mar 2025 15:35:30 +0530
Message-ID: 
 <CAM9w-_nSKtA9ALb3cmGF0YX03uVEZBEScd5vmM=0-MzoG0+-1w@mail.gmail.com>
Subject: Re: Docker setup without password
To: Lutz Badenheuer <luke@lukenukem.de>
Cc: pgadmin-support@lists.postgresql.org
Content-Type: multipart/alternative; boundary="00000000000055871406313bfc21"
Archived-At: 
 <https://www.postgresql.org/message-id/CAM9w-_nSKtA9ALb3cmGF0YX03uVEZBEScd5vmM%3D0-MzoG0%2B-1w%40mail.gmail.com>
Precedence: bulk

--00000000000055871406313bfc21
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Lutz,

Did you try removing pgpass from configs? PGPASS_FILE should be enough.

On Wed, Mar 26, 2025 at 3:05=E2=80=AFPM Lutz Badenheuer <luke@lukenukem.de>=
 wrote:

> Hello everybody,
>
> I'd like to deploy PgAdmin4 with Ansible to a Docker Swarm cluster withou=
t
> any
> authentication and authorization, as it will not be exposed to the public=
.
>
> Only internal SSH users will be able to access the SSH tunnel endpoint, a
> unix
> domain socket. These users are already authenticated with their SSH publi=
c
> key
> and a second factor, and each of them is an experienced, trusted user.
>
> Unfortunately, PgAdmin4 makes it very hard for me to accomplish this, or
> maybe
> I didn't find or understand the relevant documentation. I have already
> managed
> to automatically login into PgAdmin4 by forcing it into desktop mode, but
> when
> I try to open a database in the menu on the left side, PgAdmin4 keeps
> asking
> for a password -- which has already been supplied with a PGPASS_FILE.
>
> Please, don't get me wrong: I highly appreciate when developers try to
> develop
> their software as secure as possible, thus protecting unexperienced users
> from
> insecure setups. And to be honest, I'm also not happy with having to forc=
e
> the
> software into desktop mode just to circumvent having to log into PgAdmin4=
.
> But
> then, having to spread passwords and add documentation to our projects
> just so
> my users can access that database doesn't make me happy either.
>
> What I have already accomplished and tried so far:
>
> - force PgAdmin4 into desktop mode (PGADMIN_CONFIG_SERVER_MODE: "False"),
> thus
>   omitting the need to login into PgAdmin4
> - adding a PGPASS_FILE (with and without leading dots) with Docker config=
s
> to
>   - /var/lib/pgadmin/pgpass
>   - /var/lib/pgadmin/pgpass/storage/sw_lukenukem.de/pgpass
> - setting the correct password in servers.json with the settings
>   - Password
>   - PassFile
>
> At the moment, the service configuration in my docker-compose.yml looks
> like
> so (and no, please rest assured that s3cR3t is not the real password ;-):
>
> --snip-----
> pgadmin:
>   image: dpage/pgadmin4:latest
>   environment:
>     PGADMIN_DEFAULT_EMAIL: "sw@lukenukem.de"
>     PGADMIN_DEFAULT_PASSWORD: "s3cR3t"
>     PGADMIN_LISTEN_ADDRESS: "0.0.0.0"
>     PGADMIN_DISABLE_POSTFIX: "True"
>     PGADMIN_CONFIG_SERVER_MODE: "False"
>     PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: "False"
>     PGPASS_FILE: "/var/lib/pgadmin/pgpass"
>   configs:
>     - source: servers_json
>       target: /pgadmin4/servers.json
>     - source: pgpass
>       target: /var/lib/pgadmin/pgpass
>       uid: "5050"
>       gid: "0"
>       mode: 0600
>     - source: pgpass
>       target: /var/lib/pgadmin/storage/sw_lukenukem.de/pgpass
>       uid: "5050"
>       gid: "0"
>       mode: 0600
> --snip-----
>
> However, after reading the documentation over and over and playing around
> with
> several configuration options, I'm at the end of my ideas. Any suggestion=
s
> and
> hints are very welcome. If you need more information, please let me know.
>
> Thank you in advance and please excuse my bad english, I know I lack
> training.
>
> Best wishes,
> Lutz
>


--=20
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
<https://www.enterprisedb.com/>
"Don't Complain about Heat, Plant a TREE"

--00000000000055871406313bfc21
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:verdana,=
sans-serif">Hi=C2=A0Lutz,</div><div class=3D"gmail_default" style=3D"font-f=
amily:verdana,sans-serif"><br></div><div class=3D"gmail_default" style=3D""=
><font face=3D"verdana, sans-serif">Did you try removing pgpass from config=
s?=C2=A0PGPASS_FILE should be enough.</font></div></div><br><div class=3D"g=
mail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On =
Wed, Mar 26, 2025 at 3:05=E2=80=AFPM Lutz Badenheuer &lt;<a href=3D"mailto:=
luke@lukenukem.de">luke@lukenukem.de</a>&gt; wrote:<br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex">Hello everybody, <br>
<br>
I&#39;d like to deploy PgAdmin4 with Ansible to a Docker Swarm cluster with=
out any=C2=A0 <br>
authentication and authorization, as it will not be exposed to the public. =
<br>
<br>
Only internal SSH users will be able to access the SSH tunnel endpoint, a u=
nix <br>
domain socket. These users are already authenticated with their SSH public =
key <br>
and a second factor, and each of them is an experienced, trusted user. <br>
<br>
Unfortunately, PgAdmin4 makes it very hard for me to accomplish this, or ma=
ybe <br>
I didn&#39;t find or understand the relevant documentation. I have already =
managed <br>
to automatically login into PgAdmin4 by forcing it into desktop mode, but w=
hen <br>
I try to open a database in the menu on the left side, PgAdmin4 keeps askin=
g <br>
for a password -- which has already been supplied with a PGPASS_FILE. <br>
<br>
Please, don&#39;t get me wrong: I highly appreciate when developers try to =
develop <br>
their software as secure as possible, thus protecting unexperienced users f=
rom <br>
insecure setups. And to be honest, I&#39;m also not happy with having to fo=
rce the <br>
software into desktop mode just to circumvent having to log into PgAdmin4. =
But <br>
then, having to spread passwords and add documentation to our projects just=
 so <br>
my users can access that database doesn&#39;t make me happy either. <br>
<br>
What I have already accomplished and tried so far:<br>
<br>
- force PgAdmin4 into desktop mode (PGADMIN_CONFIG_SERVER_MODE: &quot;False=
&quot;), thus <br>
=C2=A0 omitting the need to login into PgAdmin4<br>
- adding a PGPASS_FILE (with and without leading dots) with Docker configs =
to <br>
=C2=A0 - /var/lib/pgadmin/pgpass<br>
=C2=A0 - /var/lib/pgadmin/pgpass/storage/<a href=3D"http://sw_lukenukem.de/=
pgpass" rel=3D"noreferrer" target=3D"_blank">sw_lukenukem.de/pgpass</a><br>
- setting the correct password in servers.json with the settings<br>
=C2=A0 - Password <br>
=C2=A0 - PassFile<br>
<br>
At the moment, the service configuration in my docker-compose.yml looks lik=
e <br>
so (and no, please rest assured that s3cR3t is not the real password ;-): <=
br>
<br>
--snip-----<br>
pgadmin:<br>
=C2=A0 image: dpage/pgadmin4:latest<br>
=C2=A0 environment:<br>
=C2=A0 =C2=A0 PGADMIN_DEFAULT_EMAIL: &quot;<a href=3D"mailto:sw@lukenukem.d=
e" target=3D"_blank">sw@lukenukem.de</a>&quot;<br>
=C2=A0 =C2=A0 PGADMIN_DEFAULT_PASSWORD: &quot;s3cR3t&quot;<br>
=C2=A0 =C2=A0 PGADMIN_LISTEN_ADDRESS: &quot;0.0.0.0&quot;<br>
=C2=A0 =C2=A0 PGADMIN_DISABLE_POSTFIX: &quot;True&quot;<br>
=C2=A0 =C2=A0 PGADMIN_CONFIG_SERVER_MODE: &quot;False&quot;<br>
=C2=A0 =C2=A0 PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: &quot;False&quot;<br=
>
=C2=A0 =C2=A0 PGPASS_FILE: &quot;/var/lib/pgadmin/pgpass&quot;<br>
=C2=A0 configs:<br>
=C2=A0 =C2=A0 - source: servers_json<br>
=C2=A0 =C2=A0 =C2=A0 target: /pgadmin4/servers.json<br>
=C2=A0 =C2=A0 - source: pgpass<br>
=C2=A0 =C2=A0 =C2=A0 target: /var/lib/pgadmin/pgpass<br>
=C2=A0 =C2=A0 =C2=A0 uid: &quot;5050&quot;<br>
=C2=A0 =C2=A0 =C2=A0 gid: &quot;0&quot;<br>
=C2=A0 =C2=A0 =C2=A0 mode: 0600<br>
=C2=A0 =C2=A0 - source: pgpass<br>
=C2=A0 =C2=A0 =C2=A0 target: /var/lib/pgadmin/storage/<a href=3D"http://sw_=
lukenukem.de/pgpass" rel=3D"noreferrer" target=3D"_blank">sw_lukenukem.de/p=
gpass</a><br>
=C2=A0 =C2=A0 =C2=A0 uid: &quot;5050&quot;<br>
=C2=A0 =C2=A0 =C2=A0 gid: &quot;0&quot;<br>
=C2=A0 =C2=A0 =C2=A0 mode: 0600<br>
--snip-----<br>
<br>
However, after reading the documentation over and over and playing around w=
ith <br>
several configuration options, I&#39;m at the end of my ideas. Any suggesti=
ons and <br>
hints are very welcome. If you need more information, please let me know. <=
br>
<br>
Thank you in advance and please excuse my bad english, I know I lack traini=
ng. <br>
<br>
Best wishes,<br>
Lutz <br>
</blockquote></div><div><br clear=3D"all"></div><div><br></div><span class=
=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s=
ignature"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"lt=
r"><div dir=3D"ltr"><div><font size=3D"2" color=3D"#000000" face=3D"arial, =
sans-serif">Thanks,</font><div><span style=3D"color:rgb(34,34,34)"><span st=
yle=3D"color:rgb(18,22,70)"><font face=3D"arial, sans-serif">Aditya Toshniw=
al</font></span></span><font size=3D"2" color=3D"#000000" face=3D"verdana, =
sans-serif"><br></font></div><div><span style=3D"color:rgb(18,22,70);font-f=
amily:Arial,sans-serif">pgAdmin Hacker</span><font size=3D"2" color=3D"#000=
000" style=3D"font-family:verdana,sans-serif">=C2=A0| </font><font size=3D"=
2" color=3D"#000000" face=3D"arial, sans-serif">Sr. Staff SDE II</font><fon=
t size=3D"2"><font face=3D"verdana, sans-serif"><font color=3D"#000000">=C2=
=A0|</font><span style=3D"background-color:rgb(255,255,255)"><font color=3D=
"#0c343d"> </font></span></font><a href=3D"https://www.enterprisedb.com/" t=
arget=3D"_blank"><font face=3D"arial, sans-serif" color=3D"#0c343d"><b styl=
e=3D"background-color:rgb(255,255,255)">enterprisedb.com</b></font></a></fo=
nt></div><div><font color=3D"#38761d" size=3D"1"><font face=3D"arial, sans-=
serif">&quot;Don&#39;t Complain about Heat, Plant a TREE&quot;</font></font=
></div></div></div></div></div></div></div></div>

--00000000000055871406313bfc21--