On Tue, Mar 28, 2023 at 6:21 PM Rettstadt, Tobias <ext.tobias.rettst...@nordlb.de> wrote:
> Hi,
>
> we are using pgadmin 6.20 with a PostgreSQL database for the user settings
> and Azure AD login via OIDC. We are running pgadmin in Kubernetes using the
> official docker image with the following environment variables:
>
> - env:
>   - name: PGADMIN_DEFAULT_EMAIL
>     value: pgadm...@pgadmin.org
>   - name: PGADMIN_DEFAULT_PASSWORD
>     valueFrom:
>       secretKeyRef:
>         key: adminPassword
>         name: pgadmin
>   - name: PGADMIN_LISTEN_PORT
>     value: "8080"
>   - name: OAUTH2_CLIENT_SECRET
>     valueFrom:
>       secretKeyRef:
>         key: clientSecret
>         name: pgadmin
>   - name: PGADMIN_CONFIG_OAUTH2_CONFIG
>     value: '[ { ''OAUTH2_NAME'': ''azure'', ''OAUTH2_DISPLAY_NAME'': ''Azure-AD'',
>       ''OAUTH2_CLIENT_ID'': ''clientid'', ''OAUTH2_CLIENT_SECRET'': ''$(OAUTH2_CLIENT_SECRET)'',
>       ''OAUTH2_TOKEN_URL'': ''https://login.microsoftonline.com/tenant/oauth2/v2.0/token'',
>       ''OAUTH2_AUTHORIZATION_URL'': ''https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize'',
>       ''OAUTH2_SERVER_METADATA_URL'': ''https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration'',
>       ''OAUTH2_API_BASE_URL'': ''https://graph.microsoft.com/v1.0/'', ''OAUTH2_USERINFO_ENDPOINT'': ''me'',
>       ''OAUTH2_SCOPE'': ''User.Read openid email profile'', ''OAUTH2_USERNAME_CLAIM'': None,
>       ''OAUTH2_ICON'': None, ''OAUTH2_BUTTON_COLOR'': None } ]'
>   - name: DB_USER
>     value: pgadmin
>   - name: DB_PASSWORD
>     valueFrom:
>       secretKeyRef:
>         key: databasePassword
>         name: pgadmin
>   - name: DB_HOST
>     value: "1.2.3.4"
>   - name: DB_PORT
>     value: "5432"
>   - name: DB_NAME
>     value: pgadmin
>   - name: PGADMIN_CONFIG_CONFIG_DATABASE_URI
>     value: '''postgresql://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)'''
>   - name: PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION
>     value: "False"
>   - name: PGADMIN_CONFIG_AUTHENTICATION_SOURCES
>     value: '[''oauth2'', ''internal'']'
>   - name: PGADMIN_CONFIG_MASTER_PASSWORD
>     value: "True"
>   - name: PGADMIN_CONFIG_LOG_FILE
>     value: '''/var/lib/pgadmin/logs/pgadmin.log'''
>   - name: PGADMIN_CONFIG_FILE_LOG_LEVEL
>     value: "20"
>   - name: PGADMIN_CONFIG_UPGRADE_CHECK_ENABLED
>     value: "False"
>
> Approximately once a week pgadmin hangs when a user is trying to connect
> to the database. Here is the relevant excerpt from pgadmin.log:
>
> 2023-03-27 16:35:59,619: INFO pgadmin: Waiting for a lock.
> 2023-03-27 16:35:59,619: INFO pgadmin: Acquired a lock.
> 2023-03-27 16:35:59,619: ERROR pgadmin: 'auth_source_manager'
> Traceback (most recent call last):
>   File "/venv/lib/python3.10/site-packages/flask/app.py", line 1517, in full_dispatch_request
>     rv = self.dispatch_request()
>   File "/venv/lib/python3.10/site-packages/flask/app.py", line 1503, in dispatch_request
>     return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
>   File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 75, in oauth_logout
>     logout_user()
>   File "/venv/lib/python3.10/site-packages/flask_security/utils.py", line 206, in logout_user
>     _logout_user()
>   File "/venv/lib/python3.10/site-packages/flask_login/utils.py", line 230, in logout_user
>     user_logged_out.send(current_app._get_current_object(), user=user)
>   File "/venv/lib/python3.10/site-packages/blinker/base.py", line 263, in send
>     return [(receiver, receiver(sender, **kwargs))
>   File "/venv/lib/python3.10/site-packages/blinker/base.py", line 263, in <listcomp>
>     return [(receiver, receiver(sender, **kwargs))
>   File "/pgadmin4/pgadmin/__init__.py", line 750, in current_user_cleanup
>     _driver.gc_own()
>   File "/pgadmin4/pgadmin/utils/driver/psycopg2/__init__.py", line 251, in gc_own
>     mgr.release()
>   File "/pgadmin4/pgadmin/utils/driver/psycopg2/server_manager.py", line 483, in release
>     conn.cancel_transaction(conn.conn_id[5:])
>   File "/pgadmin4/pgadmin/utils/driver/psycopg2/connection.py", line 1696, in cancel_transaction
>     with ConnectionLocker(self.manager.kerberos_conn):
>   File "/pgadmin4/pgadmin/utils/locker.py", line 36, in __enter__
>     if session['auth_source_manager']['current_source'] == \
> KeyError: 'auth_source_manager'
> 2023-03-28 07:25:33,796: INFO pgadmin: Connection Request for server#2
> 2023-03-28 07:25:33,815: INFO pgadmin: Waiting for a lock.
>
> It looks like the lock that was acquired on 2023-03-27 at 16:35 is not
> released because of the error. Then when a user tries to connect to a
> database the next day, pgadmin waits for the lock forever. In this case
> only a restart helps.
>
> Any ideas what could cause this behaviour?
>

This happens only if the user session expired and, without refreshing the pgAdmin browser window, the user tries to connect to the database. In this case, a browser window refresh would be good enough not to restart the pgAdmin server.

However, pgAdmin should handle this scenario as well. Please log this issue @ https://github.com/pgadmin-org/pgadmin4/issues.

Thanks,
Khushboo

>
> Thanks and best regards,
>
> Tobias
>
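The failure mode suspected in this thread, as an added example that is not part of the original messages and is not pgAdmin's code: when `__enter__` raises after a lock has been taken, Python never calls `__exit__`, so the lock stays held and every later caller blocks. The class names, the acquire-then-read ordering in `LeakyLocker`, and the empty dict standing in for an expired session are assumptions made for illustration.

```python
import threading


class LeakyLocker:
    """Hypothetical locker: takes the lock, then reads session state."""

    def __init__(self, lock, session):
        self.lock = lock
        self.session = session

    def __enter__(self):
        self.lock.acquire()
        # KeyError here (expired session) propagates out of __enter__;
        # __exit__ is never called, so the lock is never released.
        self.source = self.session['auth_source_manager']['current_source']
        return self

    def __exit__(self, exc_type, exc, tb):
        self.lock.release()
        return False


class SafeLocker(LeakyLocker):
    """Same locker, but session state is resolved before the lock is taken."""

    def __enter__(self):
        # Tolerate a missing key: an expired session must not be able to
        # interrupt the code path between acquire() and release().
        self.source = self.session.get('auth_source_manager', {}).get('current_source')
        self.lock.acquire()
        return self


def lock_leaked_after(locker_cls, session):
    """Enter the locker once; report whether the lock is still held afterwards."""
    lock = threading.Lock()
    try:
        with locker_cls(lock, session):
            pass
    except KeyError:
        pass  # what a request handler logging the error would do
    free = lock.acquire(blocking=False)  # False if someone still holds it
    if free:
        lock.release()
    return not free


if __name__ == "__main__":
    expired = {}  # constructed stand-in for a session with no auth data
    print("leaky:", lock_leaked_after(LeakyLocker, expired))
    print("safe: ", lock_leaked_after(SafeLocker, expired))
```

Wrapping the post-acquire code in `try`/`except` that releases the lock before re-raising is an equivalent fix when the state cannot be read up front.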