Hello everybody, I'd like to deploy PgAdmin4 with Ansible to a Docker Swarm cluster without any authentication and authorization, as it will not be exposed to the public.
Only internal SSH users will be able to access the SSH tunnel endpoint, a unix
domain socket. These users are already authenticated with their SSH public key
and a second factor, and each of them is an experienced, trusted user.
Unfortunately, PgAdmin4 makes it very hard for me to accomplish this, or maybe
I didn't find or understand the relevant documentation. I have already managed
to automatically login into PgAdmin4 by forcing it into desktop mode, but when
I try to open a database in the menu on the left side, PgAdmin4 keeps asking
for a password -- which has already been supplied with a PGPASS_FILE.
Please, don't get me wrong: I highly appreciate when developers try to develop
their software as secure as possible, thus protecting unexperienced users from
insecure setups. And to be honest, I'm also not happy with having to force the
software into desktop mode just to circumvent having to log into PgAdmin4. But
then, having to spread passwords and add documentation to our projects just so
my users can access that database doesn't make me happy either.
What I have already accomplished and tried so far:
- force PgAdmin4 into desktop mode (PGADMIN_CONFIG_SERVER_MODE: "False"), thus
omitting the need to login into PgAdmin4
- adding a PGPASS_FILE (with and without leading dots) with Docker configs to
- /var/lib/pgadmin/pgpass
- /var/lib/pgadmin/pgpass/storage/sw_lukenukem.de/pgpass
- setting the correct password in servers.json with the settings
- Password
- PassFile
At the moment, the service configuration in my docker-compose.yml looks like
so (and no, please rest assured that s3cR3t is not the real password ;-):
--snip-----
pgadmin:
image: dpage/pgadmin4:latest
environment:
PGADMIN_DEFAULT_EMAIL: "s...@lukenukem.de"
PGADMIN_DEFAULT_PASSWORD: "s3cR3t"
PGADMIN_LISTEN_ADDRESS: "0.0.0.0"
PGADMIN_DISABLE_POSTFIX: "True"
PGADMIN_CONFIG_SERVER_MODE: "False"
PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: "False"
PGPASS_FILE: "/var/lib/pgadmin/pgpass"
configs:
- source: servers_json
target: /pgadmin4/servers.json
- source: pgpass
target: /var/lib/pgadmin/pgpass
uid: "5050"
gid: "0"
mode: 0600
- source: pgpass
target: /var/lib/pgadmin/storage/sw_lukenukem.de/pgpass
uid: "5050"
gid: "0"
mode: 0600
--snip-----
However, after reading the documentation over and over and playing around with
several configuration options, I'm at the end of my ideas. Any suggestions and
hints are very welcome. If you need more information, please let me know.
Thank you in advance and please excuse my bad english, I know I lack training.
Best wishes,
Lutz
signature.asc
Description: This is a digitally signed message part.
