How to use encrypted password with Postgres and psycopg2 - postgresql

I have a Docker container which used for a Flask application and I have defined the password in the environment variable like the following
ENV DATABASE_PASSWORD=mypassword
Now in this scenario, I need to put the password in the file and this file is part of the version control. I need to hide the password in such a way that the other people including the DevOps will not be able to get the password. I can do encryption and decryption, but then also, the code is visible and other developers can print the password. I am using psycopg2 to connect to the database and has the following code:
conn = psycopg2.connect(
host=os.environ['DATABASE_HOST'],
database=os.environ['DATABASE_NAME'],
user=os.environ['DATABASE_USER'],
password=os.environ['DATABASE_PASSWORD']
)
I am looking for a way that I can hide the password from the outside. I am not sure this is even possible. Or is there any other way that I can store the passwords and use them in the code? Any service I can use for this purpose? Please suggest.

Related

How do I store a SQL connection password in Airflow cfg?

In the .cfg file, I connected sql alchemy to Postgres with user: airflow_admin and password: pass:
sql_alchemy_conn = postgresql+psycopg2://airflow_admin:pass#localhost:5432/airflow_backend
How do I anonymize this so that the password doesn't show? Do I create a .env file and store the password as a variable and then reference that variable in .cfg conn string?
I read the following but an example would be helpful: https://airflow.readthedocs.io/en/stable/howto/set-config.html
There are several way to do it:
1. change the configuration file permision to read only by airflow account
2. used airflow by docker mode, and encrpyt the configurationfile by docker secret create and map it.
THe mode 1 is easy and convinent. The mode 2 is flexible and can be used in production environment.
Good luck.
If you think the answer is good, pls up vote

PostgreSQL security local (pg_hba.conf )

In PostgreSQL we can just change local md5 to trust in pg_hba.conf. then we can access all data in database using psql without need of password.So anyone can change this line who can access local machine.
So, Is there way to password protect our database even someone change pg_hba.conf to trust
( I want to create offline app and need to protect client database,I need something like ms access, once we set the password it always ask for password )
As long as client has root/administrator acces on the computer you can't do much about pg_hba. You could make it read only but root can overyde anything. You could mount config file on read only file system but this is too complicated.
Solution can be only at database level(not OS or application): crypted data and triggers where you implement supplimentary security.
I don't think postresql is the answer for your requirement, maybe SQLite is the right one.

Force postgres_fdw to use password?

I have two databases set up as part of the same Postgresql 9.4 database cluster, and I'm trying to access a table in one of them from the other using a postgres_fdw. I have it all set up and working as a superuser, however when I try to access the foreign table as a normal user, I get the following error:
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Now I understand that this is because I have the server set up with trust authentication for certain subnets, including Its own. However, in the 1 USER MAPPING I created, I did specify a password, with the hope that doing so would force it to use password authentication. No such luck apparently.
As such, my question is if there is any way around this somewhat onerous requirement? Is there a way to force this connection, or a specific user, or the like to use password authentication? Or some way to disable the requirement? Or is my only option to change the configuration to require passwords, and deal with whatever that breaks?
As Nick Barnes pointed out in a comment, pg_hba allows different authentication rules for specific users. As such, the solution to this issue was to simply create a user specifically for these FDW connections, and set that user in the pg_hba.conf to require a password. That way my trusted web apps on the trusted network can continue connecting as usual, but the FDW can get the password request it requires.
You can't force FDW to use a password: the server on the other end must request the password. the usual default for local socket connections is no password.
Try connecting via TCP instead of using local sockets: add host=localhost to the connection parameters, that will usually fix it.

How to connect to postgresql, without specifying plain-text password, with libpq's pgpass?

Postgres' C library libpq documentation talks about a more secure way to connect to a DB without specifying password in source code.
I was not able to find any examples of how to do it. How to make my Postgre Server use this file? Please help.
You don't import it into your Python program. The point of .pgpass is that it is a regular file subject to the system's file permissions, and the libpq driver which libraries such as psycopg2 use to connect to Postgres will look to this file for the password instead of requiring the password to be in the source code or prompting for it.
Also, this is not a server-side file, but a client-side one. So, on a *nix box, you would have a ~/.pgpass file containing the credentials for the various connections you want to be able to make.
Edit in response to comment from OP:
Two main things need to happen in order for psycopg2 to correctly authenticate via .pgpass:
Do not specify a password in the string passed to psycopg2.connect
Make sure the correct entry is added to the .pgpass file for the user who will be connecting via psycopg2.
For example, to make this work for all databases for a particular user on localhost port 5432, you would add the following line to that user's .pgpass file:
localhost:5432:*:<username>:<password>
And then the connect call would be of this form:
conn = psycopg2.connect("host=localhost dbname=<dbname> user=<username>")
The underlying libpq driver that psycopg2 uses will then utilize the .pgpass file to get the password.
just adding to #khampson's answer, I could only get this to work (in windows) if I added the PGPASSFILE environment variable (and subsequently restart pycharm) even though my pgpass file is in the default location (%APPDATA%\postgresql\pgpass.conf).
Well. You asked for .pgpass but...
There is also "The Connection Service File"
By default, the per-user service file is named ~/.pg_service.conf.
A different file name can be specified by setting the environment variable PGSERVICEFILE
Look at
https://www.postgresql.org/docs/15/libpq-pgservice.html
Format is ".INI". Parameters are connection parameters.
Example:
# this is a comment in my service file
[a_service]
host=dbserver.loc
port=5432
dbname=thedbname
user=thebest
password=bho
application_name=ifyoulike
# Here is another service
[another_service]
host=etc
port=etc
Access via psql:
psql service=a_service
Access via psycopg2:
db = psycopg2.connect('service=a_service')
Access via sqlalchemy:
eng = sqlalchemy.create_engine('postgresql:///?service=another_service')
#!/usr/bin/python
import psycopg2
import sys
import pprint
def main():
conn_string = "host='127.0.0.1' dbname='yourdatabsename' user='yourusername' password='yourpassword'"
print "Connecting to database\n ->%s" % (conn_string)
conn = psycopg2.connect(conn_string)
cursor = conn.cursor()
cursor.execute("SELECT * FROM tablename")
records = cursor.fetchall()
pprint.pprint(records)
if __name__ == "__main__":
main()

What is the default username and password for PostgreSQL?

I am working on an open source application that has PostgreSQL as its default DBMS. Now when I install it on my system, its configuration is so that PostgreSQL also gets installed with it.
My problem is with getting access to the installed PostgreSQL database. The database that gets created during installation is named iviewdb.
I read at many forums that the default superuser is postgres, but when I try to get access to the database using this username through a command prompt, it prompts me for password that I don't have.
I wanted to know from where in the PostgreSQL installation directory
the default username and password with the port number to access the database is stored. I have even tried changing the pg_hba.conf file, but that creates a problem with the application and it won't start then.
How can I find the password for this database? I am working in a Windows environment.
The password isn't stored in an easily recoverable manner, and if you change the password, the application may not be able to access the database properly. You may find the password in the application settings or documentation, though.
If you decide to risk changing the postgres user's password, stop the application and PostgreSQL service, and then edit pg_hba.conf. Add (or change if it already exists) a line (if it doesn't exist, add it before any other "host...." lines):
host all all 127.0.0.1/32 trust
And restart the PostgreSQL service. That should give you access from localhost, where you could change the postgres user's password, or add yourself another user with the permissions you want. Then set the pg_hba.conf file back the way it was and restart.
I've encountered this similar problem, and I noticed that the default being set for PostgreSQL upon installation in my case is as follows:
username = postgres
password = ' '