Re: pgAdmin4 v7.1 candidate builds
Hi All

We have fixed some issues found during testing; the latest candidate builds and source code are available at https://developer.pgadmin.org/builds/2023-05-03-1/

On Tue, May 2, 2023 at 1:33 PM Akshay Joshi wrote:

> Hi All
>
> The latest v7.1 candidate builds and source code are available at
> https://developer.pgadmin.org/builds/2023-05-02-1/
>
> On Mon, May 1, 2023 at 6:11 PM Akshay Joshi
> wrote:
>
>> Hi All,
>>
>> pgAdmin4 v7.0 candidate builds and source code are available at
>> https://developer.pgadmin.org/builds/2023-05-01-1/
>>
>> Fahar, could you please verify this for Thursday's release?
>>
>> *Note*: Debian Builds are failing; I'll check tomorrow and regenerate the
>> candidate build.
>>
>> --
>> Akshay Joshi
>> Principal Software Architect
>> www.enterprisedb.com
>>
>> *Blog*: https://www.enterprisedb.com/akshay-joshi
>> *GitHub*: https://github.com/akshay-joshi
>> *LinkedIn*: https://www.linkedin.com/in/akshay-joshi-086497216
Re: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source
On Wed, 3 May 2023 at 10:45, Yogesh Mahajan wrote:

> Hi Dave/Team,
>
> As per the new design, pgAdmin should add a config to specify a path for
> script/program to retrieve an encryption key & use it to encrypt the
> passwords.
>

Right.

> The script/program will be at an application level and not a user level.
> This feature will be applicable only in case of server mode as we are going
> to use OS level secret storage for the same in Desktop mode.
>

Yes. However, we can pass parameters to the hook. For example, we might do something like:

MASTER_PASSWORD_HOOK = '/path/to/key_client.sh %U %E'

Where at runtime %U is replaced with the username and %E is replaced with the user's email address. Those are just examples of course - there may be other parameters that make sense to make available.

>
> Thanks,
> Yogesh Mahajan
> EnterpriseDB
>
> On Fri, Apr 22, 2022 at 4:01 PM Aditya Toshniwal <
> aditya.toshni...@enterprisedb.com> wrote:
>
>>
>> On Fri, Apr 22, 2022 at 3:57 PM Dave Page wrote:
>>
>>>
>>> On Fri, 22 Apr 2022 at 11:16, Aditya Toshniwal <
>>> aditya.toshni...@enterprisedb.com> wrote:
>>>
On Fri, Apr 22, 2022 at 3:28 PM Dave Page wrote:
>
> On Fri, 22 Apr 2022 at 10:49, Aditya Toshniwal <
> aditya.toshni...@enterprisedb.com> wrote:
>
>> Hi Dave,
>>
>> Generally, secure keys like API_KEYS and all are supposed to be set
>> in env and are read by the app. Similar is the alternative encryption
>> key.
>> People can run their scripts to export those config vars.
>>
>
> On the client side, yes. This is server side though. It's not uncommon
> on the server side to include hooks to allow key retrieval from external
> key management systems.
>
Even on the server side. Like the AWS auth keys, or DB passwords. We can include hooks, not against it. Just discussing.
>>>
>>> If you're using an AWS auth key on a server, then you're acting as a
>>> client for AWS - and DB passwords are a great example of why using a hook
>>> is a good thing; it's a very common request from users to have a secure way
>>> to retrieve credentials from an external service. Not to mention that a DB
>>> password is needed on the client side of a connection, not on the server
>>> side. On the server side, the database would query LDAP/Kerberos/whatever.
>>>
>>> A better example would be querying a key management service to unlock an
>>> encrypted disk or something like the service Bruce wrote for managing
>>> pgcrypto keys.
>>>
>>
>> Got it. Thanks.
>>
>>>
>
>>
>> On Fri, Apr 22, 2022 at 2:38 PM Khushboo Vashi <
>> khushboo.va...@enterprisedb.com> wrote:
>>
>>>
>>> On Fri, Apr 22, 2022 at 2:34 PM Dave Page wrote:
>>>
On Fri, 22 Apr 2022 at 09:57, Khushboo Vashi < khushboo.va...@enterprisedb.com> wrote:
>
> On Fri, Apr 22, 2022 at 2:01 PM Dave Page
> wrote:
>
>> Hi
>>
>> On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <
>> akshay.jo...@enterprisedb.com> wrote:
>>
>>> Thanks, the patch applied.
>>>
>>> On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <
>>> khushboo.va...@enterprisedb.com> wrote:
>>>
Hi,

Please find the attached patch to implement the feature #7012 - Disable master password requirement when using alternative auth source

When pgAdmin stores a connection password, it encrypts it using a key that is formed either from the master password, or from the pgAdmin login password for the user. In the case of auth methods such as OAuth, Kerberos or Webserver, pgAdmin doesn't have access to anything long-lived to form the encryption key from, hence it uses the master password. And if the master is disabled, there is no way to store the connection password.

To resolve this, we have added an option to config.py (which defaults to None) for an alternate encryption key. pgAdmin would use this if a) the master password is disabled AND b) there is no suitable key/password available from the auth module for the user. If the option is set to None, pgAdmin works as it does now.
>>>
>> This change has just been brought to my attention through other
>> work. I think this is poorly thought out, and could easily be made
>> much
>> more secure and flexible than the current design.
>>
>> Instead of effectively hard-coding a master password, which is
>> only slightly more secure than not having one in the first place, we
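
Added example, not part of the thread and not pgAdmin's implementation: one way a server could expand and run the `MASTER_PASSWORD_HOOK` command proposed in the message above while treating the username and email address as untrusted input. Only the setting name and the `%U`/`%E` placeholders come from the thread; the function names, the split-then-substitute behaviour and the sample values are assumptions.

```python
import re
import shlex
import subprocess
import sys

# Placeholders from the thread: %U = username, %E = user's email address.
_PLACEHOLDER = re.compile(r"%[UE]")


def build_hook_argv(template, username, email):
    """Expand the configured hook command into an argv list (hypothetical helper).

    The template is split into tokens BEFORE substitution, so a username or
    email containing spaces, quotes or ';' stays inside a single argument.
    """
    values = {"%U": username, "%E": email}
    # re.sub makes one pass per token; inserted values are never re-scanned,
    # so a username of "%E" is passed through literally.
    return [_PLACEHOLDER.sub(lambda m: values[m.group(0)], token)
            for token in shlex.split(template)]


def fetch_key(argv, timeout=10):
    """Run the hook without a shell and return the key printed on stdout."""
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    if result.returncode != 0:
        # Report the status only; stdout/stderr may contain key material.
        raise RuntimeError(f"key hook exited with status {result.returncode}")
    key = result.stdout.strip()
    if not key:
        raise RuntimeError("key hook returned an empty key")
    return key


if __name__ == "__main__":
    # Constructed values; the username contains shell metacharacters on purpose.
    argv = build_hook_argv("/path/to/key_client.sh %U %E",
                           "alice; id", "alice@example.com")
    print(argv)
    # Stand-in hook so the demo runs offline: Python prints a constructed key.
    print(fetch_key([sys.executable, "-c", "print('constructed-key')"]))
```

A value that begins with `-` still reaches the hook as one argument, so the hook script itself should validate what it receives rather than pass it on to other commands as options.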
[pgadmin-org/pgadmin4] d1e71e: Python dependency: Bump psycopg[c] from 3.1.8 to 3...
Branch: refs/heads/dependabot/pip/psycopg-c--3.1.9
Home: https://github.com/pgadmin-org/pgadmin4
Commit: d1e71eb62b3593740ddbea84f8b1f5e0bd1b8760
https://github.com/pgadmin-org/pgadmin4/commit/d1e71eb62b3593740ddbea84f8b1f5e0bd1b8760
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M requirements.txt

Log Message:
---
Python dependency: Bump psycopg[c] from 3.1.8 to 3.1.9

Bumps [psycopg[c]](https://github.com/psycopg/psycopg) from 3.1.8 to 3.1.9.
- [Release notes](https://github.com/psycopg/psycopg/releases)
- [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst)
- [Commits](https://github.com/psycopg/psycopg/compare/3.1.8...3.1.9)

---
updated-dependencies:
- dependency-name: psycopg[c]
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
[pgadmin-org/pgadmin4] 5c57fd: Update release notes
Branch: refs/heads/master
Home: https://github.com/pgadmin-org/pgadmin4
Commit: 5c57fd0170da557703ec19620ef7c2c8241522c1
https://github.com/pgadmin-org/pgadmin4/commit/5c57fd0170da557703ec19620ef7c2c8241522c1
Author: Aditya Toshniwal
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M docs/en_US/release_notes_7_1.rst

Log Message:
---
Update release notes
[pgadmin-org/pgadmin4] d6f01b: Ensure user/roles with special characters are quot...
Branch: refs/heads/master
Home: https://github.com/pgadmin-org/pgadmin4
Commit: d6f01b552a081b90ba7b218f8136bc124b3730a3
https://github.com/pgadmin-org/pgadmin4/commit/d6f01b552a081b90ba7b218f8136bc124b3730a3
Author: Yogesh Mahajan
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M web/pgadmin/browser/server_groups/servers/utils.py

Log Message:
---
Ensure user/roles with special characters are quoted to avoid syntax error. #6234
[pgadmin-org/pgadmin4] 4fbfcd: Fix multiple object breadcrumbs bugs. #2078
Branch: refs/heads/master
Home: https://github.com/pgadmin-org/pgadmin4
Commit: 4fbfcdfee9a250e479687135159ba55b9f043f81
https://github.com/pgadmin-org/pgadmin4/commit/4fbfcdfee9a250e479687135159ba55b9f043f81
Author: Aditya Toshniwal
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M web/pgadmin/browser/server_groups/servers/databases/schemas/catalog_objects/templates/catalog_object/sql/ppas/default/nodes.sql
M web/pgadmin/browser/server_groups/servers/databases/schemas/packages/templates/packages/ppas/12_plus/nodes.sql
M web/pgadmin/browser/server_groups/servers/databases/schemas/sequences/__init__.py
M web/pgadmin/browser/server_groups/servers/databases/schemas/tables/constraints/foreign_key/__init__.py
M web/pgadmin/browser/server_groups/servers/databases/schemas/tables/constraints/index_constraint/__init__.py
M web/pgadmin/browser/server_groups/servers/databases/schemas/views/__init__.py
M web/pgadmin/browser/server_groups/servers/databases/schemas/views/templates/mviews/pg/default/sql/nodes.sql
M web/pgadmin/browser/server_groups/servers/databases/schemas/views/templates/mviews/ppas/default/sql/nodes.sql
M web/pgadmin/browser/server_groups/servers/databases/schemas/views/templates/views/pg/default/sql/nodes.sql
M web/pgadmin/browser/server_groups/servers/databases/schemas/views/templates/views/ppas/default/sql/nodes.sql
M web/pgadmin/browser/server_groups/servers/tablespaces/__init__.py
M web/pgadmin/browser/server_groups/servers/tablespaces/templates/tablespaces/sql/default/nodes.sql
M web/pgadmin/static/js/components/ObjectBreadcrumbs.jsx

Log Message:
---
Fix multiple object breadcrumbs bugs. #2078
Re: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source
Hi Dave/Team,

As per the new design, pgAdmin should add a config to specify a path for script/program to retrieve an encryption key & use it to encrypt the passwords.

The script/program will be at an application level and not a user level. This feature will be applicable only in case of server mode as we are going to use OS level secret storage for the same in Desktop mode.

Thanks,
Yogesh Mahajan
EnterpriseDB

On Fri, Apr 22, 2022 at 4:01 PM Aditya Toshniwal < aditya.toshni...@enterprisedb.com> wrote:

>
> On Fri, Apr 22, 2022 at 3:57 PM Dave Page wrote:
>
>>
>> On Fri, 22 Apr 2022 at 11:16, Aditya Toshniwal <
>> aditya.toshni...@enterprisedb.com> wrote:
>>
>>>
>>> On Fri, Apr 22, 2022 at 3:28 PM Dave Page wrote:
>>>
On Fri, 22 Apr 2022 at 10:49, Aditya Toshniwal < aditya.toshni...@enterprisedb.com> wrote:
> Hi Dave,
>
> Generally, secure keys like API_KEYS and all are supposed to be set in
> env and are read by the app. Similar is the alternative encryption key.
> People can run their scripts to export those config vars.
>
On the client side, yes. This is server side though. It's not uncommon on the server side to include hooks to allow key retrieval from external key management systems.
>>> Even on the server side. Like the AWS auth keys, or DB passwords. We can
>>> include hooks, not against it. Just discussing.
>>>
>>
>> If you're using an AWS auth key on a server, then you're acting as a
>> client for AWS - and DB passwords are a great example of why using a hook
>> is a good thing; it's a very common request from users to have a secure way
>> to retrieve credentials from an external service. Not to mention that a DB
>> password is needed on the client side of a connection, not on the server
>> side. On the server side, the database would query LDAP/Kerberos/whatever.
>>
>> A better example would be querying a key management service to unlock an
>> encrypted disk or something like the service Bruce wrote for managing
>> pgcrypto keys.
>>
>
> Got it. Thanks.
>
>>
>>>
>
> On Fri, Apr 22, 2022 at 2:38 PM Khushboo Vashi <
> khushboo.va...@enterprisedb.com> wrote:
>
>>
>> On Fri, Apr 22, 2022 at 2:34 PM Dave Page wrote:
>>
>>>
>>> On Fri, 22 Apr 2022 at 09:57, Khushboo Vashi <
>>> khushboo.va...@enterprisedb.com> wrote:
>>>
On Fri, Apr 22, 2022 at 2:01 PM Dave Page wrote:
> Hi
>
> On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <
> akshay.jo...@enterprisedb.com> wrote:
>
>> Thanks, the patch applied.
>>
>> On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <
>> khushboo.va...@enterprisedb.com> wrote:
>>
>>> Hi,
>>>
>>> Please find the attached patch to implement the feature #7012 -
>>> Disable master password requirement when using alternative auth
>>> source
>>>
>>> When pgAdmin stores a connection password, it encrypts it using
>>> a key that is formed either from the master password, or from the
>>> pgAdmin
>>> login password for the user. In the case of auth methods such as
>>> OAuth,
>>> Kerberos or Webserver, pgAdmin doesn't have access to anything
>>> long-lived
>>> to form the encryption key from, hence it uses the master password.
>>> And if
>>> the master is disabled, there is no way to store the connection
>>> password.
>>>
>>> To resolve this, we have added an option to config.py (which
>>> defaults to None) for an alternate encryption key. pgAdmin would
>>> use this
>>> if a) the master password is disabled AND b) there is no suitable
>>> key/password available from the auth module for the user. If
>>> the option is set to None, pgAdmin works as it does now.
>>>
>>
> This change has just been brought to my attention through other
> work. I think this is poorly thought out, and could easily be made
> much
> more secure and flexible than the current design.
>
> Instead of effectively hard-coding a master password, which is
> only slightly more secure than not having one in the first place, we
> should
> allow the user to specify the path to a script or program that will
> return
> a key. In a security-conscious environment, the script might query a
> centralised key management system to securely retrieve the key to
> use. If a
> user really wants the less secure implementation that this current
> patch
> offers, then a simple script as follows would offer that (but would
> not be
> recommended):
>
>
> #!/bin/sh
>
>
[pgadmin-org/pgadmin4] cba42e: Allow user to set the minimum value to 1 from pref...
Branch: refs/heads/master
Home: https://github.com/pgadmin-org/pgadmin4
Commit: cba42ef2777eb8e9d790578160b338396f46e755
https://github.com/pgadmin-org/pgadmin4/commit/cba42ef2777eb8e9d790578160b338396f46e755
Author: Akshay Joshi
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M web/pgadmin/tools/sqleditor/utils/query_tool_preferences.py

Log Message:
---
Allow user to set the minimum value to 1 from preferences for ON_DEMAND_ROW_COUNT
[pgadmin-org/pgadmin4] 4fc493: Pin psycopg3 to 3.1.8
Branch: refs/heads/master
Home: https://github.com/pgadmin-org/pgadmin4
Commit: 4fc49390edf9468ffae2c47a3618486e1119a000
https://github.com/pgadmin-org/pgadmin4/commit/4fc49390edf9468ffae2c47a3618486e1119a000
Author: Khushboo Vashi
Date: 2023-05-03 (Wed, 03 May 2023)

Changed paths:
M requirements.txt

Log Message:
---
Pin psycopg3 to 3.1.8