Re: How do I remove this stupid "master password"?

2021-02-28 Thread Cherio
On the one hand angry emails like the one that started this thread reveal
how many users don't realize they should be thankful and appreciative
they are given a free product to use. I personally was repelled by the
tone, but that's beyond the point.

On the other hand this specific question was raised several times here
before.

In my mind it may not be a big lift to create a small [re]configuration
shell/python script that would take care of the most common settings like
this one. A simple command line "wizard" that simply asks to [re]define the
initial or existing configuration. This way the developers don't need to
worry about compromised security. I foresee variables like those below
(just a suggestion) to be a subject of such configuration script.

DATA_DIR
LOG_FILE
SQLITE_PATH
SESSION_DB_PATH
STORAGE_DIR
PGADMIN_INT_PORT
DEFAULT_SERVER_PORT
SERVER_MODE
MASTER_PASSWORD_REQUIRED


On Sun, Feb 28, 2021 at 6:08 PM richard coleman 
wrote:

> [ HOW TO DISABLE MASTER PASSWORD feature in pgAdmin4 ]
>
> Vladimir,
>
> I sympathize with you.  I have had some extensive discussions with the
> head developer, unfortunately it doesn't seem to be something that he is
> willing to address.  It's built to address a *remote* threat vector, one
> that the vast majority of users would not be susceptible to, nor would they
> agree that the minimal additional security provided warrants the lost time
> and inconvenience that having it entails.  Since he believes so strongly in
> this, it is set to a default of being on and not only is the setting *not*
> exposed in the configuration UI, but it makes use of a non-existent file in
> a location that typically only administrators have access to.  Since many
> (most) users who will be using this in desktop mode already have these
> permissions, all it does is force them to either use a stupidly simple
> master password (a single space is sufficient), or research the
> byzantine instructions to create a config_local.py file with the magic
> line: "MASTER_PASSWORD_REQUIRED=False".  It doesn't help that the official
> documentation located here
> https://www.pgadmin.org/docs/pgadmin4/5.0/config_py.html, gives a
> location for config_system.py.  It usually doesn't exist and more
> importantly is **not** the location where the config.py, config_distro.py,
> or the all important config_local.py (that you need to create to disable
> the MASTER PASSWORD feature) resides.  Of course, upgrading from pgAdmin4
> 4.x to pgAdmin4 5.0 re-enables the MASTER PASSWORD feature (⋋▂⋌).
>
> So, until the devs either add the option to control the MASTER PASSWORD
> feature into the config UI where it belongs, or change things, here are the
> steps to disable it.
>
>    1. Make sure pgAdmin4 is not running (if you are using pre-version 5,
>    make sure it isn't running in the tray)
>    2. Locate the pgadmin4 *config.py* file (it will be in a *web*
>    sub-directory parallel to the directory containing the executable)
>    3. Create a file named *config_local.py* in the same directory as the
>    config.py file (you will probably need admin or equivalent permissions)
>    4. Enter the line: MASTER_PASSWORD_REQUIRED=False into that file and
>    save
>    5. Start pgAdmin4 and enjoy your MASTER PASSWORD free life
>
> I hope that helps anyone else still struggling with this.
>
> rik.
>
> On Sun, Feb 28, 2021 at 5:47 AM Vladimir Nicolici 
> wrote:
>
>> Apparently, some parts of the message were lost when posting it through
>> postgresql-archive.org, so I attached a PDF version of my previous
>> message which includes the missing sections. Sorry about that.
>


Re: How do I remove this stupid "master password"?

2021-02-28 Thread richard coleman
[ HOW TO DISABLE MASTER PASSWORD feature in pgAdmin4 ]

Vladimir,

I sympathize with you.  I have had some extensive discussions with the head
developer, unfortunately it doesn't seem to be something that he is willing
to address.  It's built to address a *remote* threat vector, one that the
vast majority of users would not be susceptible to, nor would they agree
that the minimal additional security provided warrants the lost time and
inconvenience that having it entails.  Since he believes so strongly in
this, it is set to a default of being on and not only is the setting *not*
exposed in the configuration UI, but it makes use of a non-existent file in
a location that typically only administrators have access to.  Since many
(most) users who will be using this in desktop mode already have these
permissions, all it does is force them to either use a stupidly simple
master password (a single space is sufficient), or research the
byzantine instructions to create a config_local.py file with the magic
line: "MASTER_PASSWORD_REQUIRED=False".  It doesn't help that the official
documentation located here
https://www.pgadmin.org/docs/pgadmin4/5.0/config_py.html, gives a location
for config_system.py.  It usually doesn't exist and more importantly is
**not** the location where the config.py, config_distro.py, or the all
important config_local.py (that you need to create to disable the MASTER
PASSWORD feature) resides.  Of course, upgrading from pgAdmin4 4.x to
pgAdmin4 5.0 re-enables the MASTER PASSWORD feature (⋋▂⋌).

So, until the devs either add the option to control the MASTER PASSWORD
feature into the config UI where it belongs, or change things, here are the
steps to disable it.

   1. Make sure pgAdmin4 is not running (if you are using pre-version 5,
   make sure it isn't running in the tray)
   2. Locate the pgadmin4 *config.py* file (it will be in a *web*
   sub-directory parallel to the directory containing the executable)
   3. Create a file named *config_local.py* in the same directory as the
   config.py file (you will probably need admin or equivalent permissions)
   4. Enter the line: MASTER_PASSWORD_REQUIRED=False into that file and save
   5. Start pgAdmin4 and enjoy your MASTER PASSWORD free life

I hope that helps anyone else still struggling with this.

rik.

On Sun, Feb 28, 2021 at 5:47 AM Vladimir Nicolici  wrote:

> Apparently, some parts of the message were lost when posting it through
> postgresql-archive.org, so I attached a PDF version of my previous
> message which includes the missing sections. Sorry about that.
>
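
Added example, not part of the original thread and not pgAdmin's own code: a read-only check that reports the effective value of MASTER_PASSWORD_REQUIRED and which file sets it, useful after an upgrade or when auditing a desktop install. It assumes the files are read in the order config.py, config_distro.py, config_local.py with later files overriding earlier ones; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import ast
import tempfile
from pathlib import Path

# Assumed read order; a later file overrides an earlier one.
CONFIG_CHAIN = ("config.py", "config_distro.py", "config_local.py")


def literal_assignments(path, name):
    """Yield (lineno, value) for each top-level `name = <literal>` in path.

    The file is parsed, never executed, so auditing it runs no code.
    """
    tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        if name in [t.id for t in node.targets if isinstance(t, ast.Name)]:
            try:
                yield node.lineno, ast.literal_eval(node.value)
            except (ValueError, TypeError):
                yield node.lineno, "<non-literal expression>"


def effective_setting(web_dir, name="MASTER_PASSWORD_REQUIRED"):
    """Return (value, 'file:line') of the last assignment, or (None, None)."""
    value, source = None, None
    for filename in CONFIG_CHAIN:
        path = Path(web_dir) / filename
        if not path.is_file():
            continue  # optional files are simply absent on many installs
        for lineno, found in literal_assignments(path, name):
            value, source = found, f"{filename}:{lineno}"
    return value, source


def demo():
    """Constructed install tree: shipped default, then a local override."""
    with tempfile.TemporaryDirectory() as web:
        Path(web, "config.py").write_text("MASTER_PASSWORD_REQUIRED = True\n")
        before = effective_setting(web)
        Path(web, "config_local.py").write_text(
            "# local override\nMASTER_PASSWORD_REQUIRED=False\n")
        after = effective_setting(web)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Point `effective_setting()` at the *web* directory that holds config.py to see whether an override is in place on a given machine.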


Re: How do I remove this stupid "master password"?

2021-02-27 Thread Darren Duncan
I haven't checked if this feature already exists but if it doesn't then a useful 
thing can be integration between PgAdmin and password managers, for example the 
MacOS Keychain, so that a master password can still be employed for security but 
you don't actually have to enter it.  Now that you have a dedicated desktop app 
not relying on third party web browsers, such dedicated integrations should be 
possible. -- Darren Duncan






Re: How do I remove this stupid "master password"?

2021-02-27 Thread vnicolici
I've been using, reluctantly, pgAdmin4 for the last couple of years or so.
And only because pgAdmin 3 became almost unusable with the recent PostgreSQL
versions. But at times, like when needing to view the list of active
sessions, pgAdmin 3 still is a better tool, even after all these years (I
mean, the new tool doesn't even show you the SQL of each session in the
session table, so you can't see at a glance what the DB is doing; You have
to manually inspect each session individually. Even using a SQL query on the
sessions table is better than using the pgAdmin 4 UI for this purpose).

Anyway, with the release of pgAdmin4 v5 it seems some steps in the right
direction, towards making it more like pgAdmin 3, have been made. For
example the desktop version finally doesn't need a web browser anymore (btw,
how can I change the font size in the v5 desktop version?).

However, going back to the topic, this extremely annoying "master password"
feature is still included in v5. And, when I say it's annoying, I'm not
talking about the use of the word "master", which some people may find
offensive. I'm talking about wasting hours of our lives by having to do
useless stuff repeatedly. This feature annoyed me so much, that part of my
master password is the F word, obviously referring to the feature.

So, today, after upgrading to v5, I tried to find a way to disable this time
waster, which should be opt-in anyway and configurable from the UI. But, for
some unfathomable reason, the PGAdmin devs decided to make us jump through
hoops again, and not allow us to easily disable the "feature". And the
documentation is extremely confusing regarding how to disable it.

To begin, there is a question mark on the master password dialog,
which brings you to the documentation about the feature which says:

"You can disable the master password by setting the configuration parameter
MASTER_PASSWORD_REQUIRED=False. See Desktop Deployment for more
information."

OK, fine, obviously the option to change the configuration parameter should
be in the UI, shouldn't it? So I go to File -> Runtime -> Configure.
Surprise. It's not there. It's not in the preferences section either. OK,
time to read the Desktop Deployment help section.  First of all, the Desktop
Deployment help section immediately tries to send me somewhere else with:

"See The config.py File for more information on configuration settings."

But I'll ignore that for the time being, and read the rest. Finally, at the
bottom of the Desktop Deployment help page, there is this:

"The configuration settings are stored in runtime_config.json file, which
will be available on Unix systems (~/.local/share/pgadmin/), on Mac OS X
(~/Library/Preferences/pgadmin), and on Windows (%APPDATA%/pgadmin)."

OK, so I open a command prompt and do a "cd %APPDATA%/pgadmin" since I'm on
Windows. This is what I find there:


Since runtime_config.json was mentioned, I list the file in the console:



Hmm. These parameters don't look at all like the one described in the
previous documentation page, about the master password. They are camelCase,
unlike the MASTER_PASSWORD_REQUIRED=False the master password documentation
page suggested I add. They are also in JSON format, so probably adding
"MASTER_PASSWORD_REQUIRED": false, or "MASTER_PASSWORD_REQUIRED": "False" to
that JSON is a bad idea, most likely the parameter must be set somewhere
else.

After a bit of Googling and Binging it seems the file I need to modify is a
.py file, not a .json file. However, there are no python files in that
directory. So I finally heed the advice on the documentation to "See The
config.py File for more information on configuration settings."

Since the documentation page for config.py is very long, I try to do a
Control+F on it to find the word "master". Unfortunately, this doesn't work
anymore in PgAdmin v5 since it's not a regular browser window. So I need to
look online for the same documentation, to be able to search it.

After a bit of Googling/Binging, I find this:

https://www.enterprisedb.com/edb-docs/d/pgadmin-4/reference/online-documentation/5.0/config_py.html

From it:



So, indeed, that file seems to be related to this feature. Also, the
documentation page describes additional related files:

"There are multiple configuration files that are read at startup by pgAdmin.
These are as follows:

config.py: This is the main configuration file, and should not be modified.
It can be used as a reference for configuration settings, that may be
overridden in one of the following files.

config_distro.py: This file is read after config.py and is intended for
packagers to change any settings that are required for their pgAdmin
distribution. This may typically include certain paths and file locations.
This file is optional, and may be created by packagers in the same directory
as config.py if needed.

config_local.py: This file is read after config_distro.py and is intended
for end users to change any default or