mirror of
https://github.com/pgadmin-org/pgadmin4.git
synced 2024-11-24 09:40:21 -06:00
1257ec9969
The new implementation will store the master password in the keyring instead of storing each and every server password separately. The master password will be used to encrypt/decrypt server password when storing in the pgAdmin config DB.
943 lines
36 KiB
Python
943 lines
36 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
##########################################################################
|
|
#
|
|
# pgAdmin 4 - PostgreSQL Tools
|
|
#
|
|
# Copyright (C) 2013 - 2024, The pgAdmin Development Team
|
|
# This software is released under the PostgreSQL Licence
|
|
#
|
|
# config.py - Core application configuration settings
|
|
#
|
|
##########################################################################
|
|
|
|
import builtins
|
|
import logging
|
|
import os
|
|
import sys
|
|
from collections import OrderedDict
|
|
|
|
# We need to include the root directory in sys.path to ensure that we can
|
|
# find everything we need when running in the standalone runtime.
|
|
root = os.path.dirname(os.path.realpath(__file__))
|
|
if sys.path[0] != root:
|
|
sys.path.insert(0, root)
|
|
|
|
# The config database connection pool size.
|
|
# Setting this to 0 will remove any limit.
|
|
CONFIG_DATABASE_CONNECTION_POOL_SIZE = 5
|
|
# The number of connections allowed to overflow beyond
|
|
# the connection pool size.
|
|
CONFIG_DATABASE_CONNECTION_MAX_OVERFLOW = 100
|
|
|
|
from pgadmin.utils import env, IS_WIN, fs_short_path
|
|
from version import APP_VERSION, APP_RELEASE, APP_REVISION, APP_SUFFIX, \
|
|
APP_VERSION_INT
|
|
from branding import APP_NAME, APP_ICON, APP_COPYRIGHT, APP_PATH, \
|
|
APP_WIN_PATH, APP_SHORT_NAME, APP_DEFAULT_EMAIL
|
|
|
|
##########################################################################
|
|
# Misc stuff
|
|
##########################################################################
|
|
|
|
# Path to the online help.
|
|
HELP_PATH = '../../../docs/en_US/_build/html/'
|
|
|
|
# Languages we support in the UI
|
|
LANGUAGES = {
|
|
'en': 'English',
|
|
'zh': 'Chinese (Simplified)',
|
|
'cs': 'Czech',
|
|
'fr': 'French',
|
|
'de': 'German',
|
|
'id': 'Indonesian',
|
|
'it': 'Italian',
|
|
'ja': 'Japanese',
|
|
'ko': 'Korean',
|
|
'pl': 'Polish',
|
|
'pt_BR': 'Portuguese (Brazilian)',
|
|
'ru': 'Russian',
|
|
'es': 'Spanish',
|
|
}
|
|
|
|
# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING!
|
|
# List of modules to skip when dynamically loading
|
|
MODULE_BLACKLIST = ['test']
|
|
|
|
# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING!
|
|
# List of treeview browser nodes to skip when dynamically loading
|
|
NODE_BLACKLIST = []
|
|
|
|
##########################################################################
|
|
# Server settings
|
|
##########################################################################
|
|
|
|
# The server mode determines whether or not we're running on a web server
|
|
# requiring user authentication, or desktop mode which uses an automatic
|
|
# default login.
|
|
#
|
|
# DO NOT DISABLE SERVER MODE IF RUNNING ON A WEBSERVER!!
|
|
#
|
|
# We only set SERVER_MODE if it's not already set. That's to allow the
|
|
# runtime to force it to False.
|
|
#
|
|
# NOTE: If you change the value of SERVER_MODE or DATA_DIR in an included
|
|
# config file, you may also need to redefine any values below that are
|
|
# derived from it, notably various paths such as LOG_FILE, SQLITE_PATH,
|
|
# SESSION_DB_PATH, STORAGE_DIR, KERBEROS_CCACHE_DIR, and
|
|
# AZURE_CREDENTIAL_CACHE_DIR
|
|
|
|
if (not hasattr(builtins, 'SERVER_MODE')) or builtins.SERVER_MODE is None:
|
|
SERVER_MODE = True
|
|
else:
|
|
SERVER_MODE = builtins.SERVER_MODE
|
|
|
|
# HTTP headers to search for CSRF token when it is not provided in the form.
|
|
# Default is ['X-CSRFToken', 'X-CSRF-Token']
|
|
WTF_CSRF_HEADERS = ['X-pgA-CSRFToken']
|
|
|
|
# User ID (email address) to use for the default user in desktop mode.
|
|
# The default should be fine here, as it's not exposed in the app.
|
|
DESKTOP_USER = APP_DEFAULT_EMAIL
|
|
|
|
# This option allows the user to host the application on a LAN
|
|
# Default hosting is on localhost (DEFAULT_SERVER='localhost').
|
|
# To host pgAdmin4 over LAN set DEFAULT_SERVER='0.0.0.0' (or a specific
|
|
# adaptor address.
|
|
#
|
|
# NOTE: This is NOT recommended for production use, only for debugging
|
|
# or testing. Production installations should be run as a WSGI application
|
|
# behind Apache HTTPD.
|
|
DEFAULT_SERVER = '127.0.0.1'
|
|
|
|
# The default port on which the app server will listen if not set in the
|
|
# environment by the runtime
|
|
DEFAULT_SERVER_PORT = 5050
|
|
|
|
# This param is used to override the default web server information about
|
|
# the web technology and the frameworks being used in the application
|
|
# An attacker could use this information to fingerprint underlying operating
|
|
# system and research known exploits for the specific version of
|
|
# software in use
|
|
WEB_SERVER = 'Python'
|
|
|
|
# Enable X-Frame-Option protection.
|
|
# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
|
|
# Note that "DENY" is NOT supported (and will be silently ignored).
|
|
# See https://tools.ietf.org/html/rfc7034 for more info.
|
|
X_FRAME_OPTIONS = "SAMEORIGIN"
|
|
|
|
# The Content-Security-Policy header allows you to restrict how resources
|
|
# such as JavaScript, CSS, or pretty much anything that the browser loads.
|
|
# see https://content-security-policy.com/#source_list for more info
|
|
# e.g. "default-src https: data: 'unsafe-inline' 'unsafe-eval';"
|
|
CONTENT_SECURITY_POLICY = "default-src ws: http: data: blob: 'unsafe-inline'" \
|
|
" 'unsafe-eval';"
|
|
|
|
# STRICT_TRANSPORT_SECURITY_ENABLED when set to True will set the
|
|
# Strict-Transport-Security header
|
|
STRICT_TRANSPORT_SECURITY_ENABLED = False
|
|
|
|
# The Strict-Transport-Security header tells the browser to convert all HTTP
|
|
# requests to HTTPS, preventing man-in-the-middle (MITM) attacks.
|
|
# e.g. 'max-age=31536000; includeSubDomains'
|
|
STRICT_TRANSPORT_SECURITY = "max-age=31536000; includeSubDomains"
|
|
|
|
# The X-Content-Type-Options header forces the browser to honor the response
|
|
# content type instead of trying to detect it, which can be abused to
|
|
# generate a cross-site scripting (XSS) attack.
|
|
# e.g. nosniff
|
|
X_CONTENT_TYPE_OPTIONS = "nosniff"
|
|
|
|
# The browser will try to prevent reflected XSS attacks by not loading the
|
|
# page if the request contains something that looks like JavaScript and the
|
|
# response contains the same data. e.g. '1; mode=block'
|
|
X_XSS_PROTECTION = "1; mode=block"
|
|
|
|
# This param is used to validate ALLOWED_HOSTS for the application
|
|
# This will be used to avoid Host Header Injection attack
|
|
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
|
|
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
|
|
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
|
|
# vulnerable to Host Header Injection attack)
|
|
ALLOWED_HOSTS = []
|
|
|
|
# Hashing algorithm used for password storage
|
|
SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
|
|
|
|
# Minimum password length
|
|
PASSWORD_LENGTH_MIN = 6
|
|
|
|
# Reverse Proxy parameters
|
|
# You must tell the middleware how many proxies set each header
|
|
# so it knows what values to trust.
|
|
# See https://tinyurl.com/yyg7r9av
|
|
# for more information.
|
|
|
|
# Number of values to trust for X-Forwarded-For
|
|
PROXY_X_FOR_COUNT = 1
|
|
|
|
# Number of values to trust for X-Forwarded-Proto.
|
|
PROXY_X_PROTO_COUNT = 1
|
|
|
|
# Number of values to trust for X-Forwarded-Host.
|
|
PROXY_X_HOST_COUNT = 0
|
|
|
|
# Number of values to trust for X-Forwarded-Port.
|
|
PROXY_X_PORT_COUNT = 1
|
|
|
|
# Number of values to trust for X-Forwarded-Prefix.
|
|
PROXY_X_PREFIX_COUNT = 0
|
|
|
|
# NOTE: CSRF_SESSION_KEY, SECRET_KEY and SECURITY_PASSWORD_SALT are no
|
|
# longer part of the main configuration, but are stored in the
|
|
# configuration databases 'keys' table and are auto-generated.
|
|
|
|
# COMPRESSION
|
|
COMPRESS_MIMETYPES = [
|
|
'text/html', 'text/css', 'text/xml', 'text/javascript',
|
|
'application/json', 'application/javascript'
|
|
]
|
|
COMPRESS_LEVEL = 9
|
|
COMPRESS_MIN_SIZE = 500
|
|
|
|
# Set the cache control max age for static files in flask to 1 year
|
|
SEND_FILE_MAX_AGE_DEFAULT = 31556952
|
|
|
|
# This will be added to static urls as url parameter with value as
|
|
# APP_VERSION_INT for cache busting on version upgrade. If the value is set as
|
|
# None or empty string then it will not be added.
|
|
# eg - http:localhost:5050/pgadmin.css?intver=3.13
|
|
APP_VERSION_PARAM = 'ver'
|
|
|
|
# Add the internal version param to below extensions only
|
|
APP_VERSION_EXTN = ('.css', '.js', '.html', '.svg', '.png', '.gif', '.ico')
|
|
|
|
# Data directory for storage of config settings etc. This shouldn't normally
|
|
# need to be changed - it's here as various other settings depend on it.
|
|
# On Windows, we always store data in %APPDATA%\$(APP_WIN_PATH). On other
|
|
# platforms, if we're in server mode we use /var/lib/$(APP_PATH),
|
|
# otherwise ~/.$(APP_PATH)
|
|
if IS_WIN:
|
|
# Use the short path on windows
|
|
DATA_DIR = os.path.realpath(
|
|
os.path.join(fs_short_path(env('APPDATA')), APP_WIN_PATH)
|
|
)
|
|
else:
|
|
if SERVER_MODE:
|
|
DATA_DIR = os.path.join('/var/lib/', APP_PATH)
|
|
else:
|
|
DATA_DIR = os.path.realpath(
|
|
os.path.expanduser('~/' + '.' + APP_PATH + '/')
|
|
)
|
|
|
|
# An optional login banner to show security warnings/disclaimers etc. at
|
|
# login and password recovery etc. HTML may be included for basic formatting,
|
|
# For example:
|
|
# LOGIN_BANNER = "<h4>Authorised Users Only!</h4>" \
|
|
# "Unauthorised use is strictly forbidden."
|
|
LOGIN_BANNER = ""
|
|
|
|
##########################################################################
|
|
# Log settings
|
|
##########################################################################
|
|
|
|
# Debug mode?
|
|
DEBUG = False
|
|
|
|
# Application log level - one of:
|
|
# CRITICAL 50
|
|
# ERROR 40
|
|
# WARNING 30
|
|
# SQL 25
|
|
# INFO 20
|
|
# DEBUG 10
|
|
# NOTSET 0
|
|
CONSOLE_LOG_LEVEL = logging.WARNING
|
|
FILE_LOG_LEVEL = logging.WARNING
|
|
|
|
# Log format.
|
|
JSON_LOGGER = False
|
|
CONSOLE_LOG_FORMAT_JSON = OrderedDict([
|
|
("time", "asctime"),
|
|
("message", "message"),
|
|
("level", "levelname")
|
|
])
|
|
|
|
FILE_LOG_FORMAT_JSON = OrderedDict([
|
|
("time", "asctime"),
|
|
("message", "message"),
|
|
("level", "levelname")
|
|
])
|
|
|
|
|
|
CONSOLE_LOG_FORMAT = '%(asctime)s: %(levelname)s\t%(name)s:\t%(message)s'
|
|
FILE_LOG_FORMAT = '%(asctime)s: %(levelname)s\t%(name)s:\t%(message)s'
|
|
|
|
# Log file name. This goes in the data directory, except on non-Windows
|
|
# platforms in server mode.
|
|
if SERVER_MODE and not IS_WIN:
|
|
LOG_FILE = os.path.join('/var/log', APP_PATH, APP_SHORT_NAME + '.log')
|
|
else:
|
|
LOG_FILE = os.path.join(DATA_DIR, APP_SHORT_NAME + '.log')
|
|
|
|
# Log rotation setting
|
|
# Log file will be rotated considering values for LOG_ROTATION_SIZE
|
|
# & LOG_ROTATION_AGE. Rotated file will be named in format
|
|
# - LOG_FILE.Y-m-d_H-M-S
|
|
LOG_ROTATION_SIZE = 10 # In MBs
|
|
LOG_ROTATION_AGE = 1440 # In minutes
|
|
LOG_ROTATION_MAX_LOG_FILES = 90 # Maximum number of backups to retain
|
|
##########################################################################
|
|
# Server Connection Driver Settings
|
|
##########################################################################
|
|
|
|
# The default driver used for making connection with PostgreSQL
|
|
PG_DEFAULT_DRIVER = 'psycopg3'
|
|
|
|
# Maximum allowed idle time in minutes before which releasing the connection
|
|
# for the particular session. (in minutes)
|
|
MAX_SESSION_IDLE_TIME = 60
|
|
|
|
##########################################################################
|
|
# External Database Settings
|
|
#
|
|
# All configuration settings are stored by default in the SQLite database.
|
|
# In order to use external databases like PostgreSQL sets the value of
|
|
# CONFIG_DATABASE_URI like below:
|
|
# dialect+driver://username:password@host:port/database
|
|
#
|
|
# PostgreSQL:
|
|
# postgresql://username:password@host:port/database
|
|
# Specify Schema Name
|
|
# postgresql://username:password@host:port/database?options=-csearch_path=pgadmin
|
|
# Using PGPASS file
|
|
# postgresql://username@host:port?options=-csearch_path=pgadmin
|
|
##########################################################################
|
|
CONFIG_DATABASE_URI = ''
|
|
|
|
##########################################################################
|
|
# User account and settings storage
|
|
##########################################################################
|
|
|
|
# The default path to the SQLite database used to store user accounts and
|
|
# settings. This default places the file in the same directory as this
|
|
# config file, but generates an absolute path for use througout the app.
|
|
SQLITE_PATH = env('SQLITE_PATH') or \
|
|
os.path.join(DATA_DIR, APP_SHORT_NAME + '.db')
|
|
|
|
# SQLITE_TIMEOUT will define how long to wait before throwing the error -
|
|
# OperationError due to database lock. On slower system, you may need to change
|
|
# this to some higher value.
|
|
# (Default: 500 milliseconds)
|
|
SQLITE_TIMEOUT = 500
|
|
|
|
# Allow database connection passwords to be saved if the user chooses.
|
|
# Set to False to disable password saving.
|
|
ALLOW_SAVE_PASSWORD = True
|
|
|
|
# Maximum number of history queries stored per user/server/database
|
|
MAX_QUERY_HIST_STORED = 20
|
|
|
|
##########################################################################
|
|
# Server-side session storage path
|
|
#
|
|
# SESSION_DB_PATH (Default: $HOME/.pgadmin4/sessions)
|
|
##########################################################################
|
|
#
|
|
# We use SQLite for server-side session storage. There will be one
|
|
# SQLite database object per session created.
|
|
#
|
|
# Specify the path used to store your session objects.
|
|
#
|
|
# If the specified directory does not exist, the setup script will create
|
|
# it with permission mode 700 to keep the session database secure.
|
|
#
|
|
# On certain systems, you can use shared memory (tmpfs) for maximum
|
|
# scalability, for example, on Ubuntu:
|
|
#
|
|
# SESSION_DB_PATH = '/run/shm/pgAdmin4_session'
|
|
#
|
|
##########################################################################
|
|
SESSION_DB_PATH = os.path.join(DATA_DIR, 'sessions')
|
|
|
|
SESSION_COOKIE_NAME = 'pga4_session'
|
|
|
|
##########################################################################
|
|
# Mail server settings
|
|
##########################################################################
|
|
|
|
# These settings are used when running in web server mode for confirming
|
|
# and resetting passwords etc.
|
|
# See: http://pythonhosted.org/Flask-Mail/ for more info
|
|
MAIL_SERVER = 'localhost'
|
|
MAIL_PORT = 25
|
|
MAIL_USE_SSL = False
|
|
MAIL_USE_TLS = False
|
|
MAIL_USERNAME = ''
|
|
MAIL_PASSWORD = ''
|
|
MAIL_DEBUG = False
|
|
|
|
# Flask-Security overrides Flask-Mail's MAIL_DEFAULT_SENDER setting, so
|
|
# that should be set as such:
|
|
SECURITY_EMAIL_SENDER = 'no-reply@localhost'
|
|
|
|
##########################################################################
|
|
# Mail content settings
|
|
##########################################################################
|
|
|
|
# These settings define the content of password reset emails
|
|
SECURITY_EMAIL_SUBJECT_PASSWORD_RESET = "Password reset instructions for %s" \
|
|
% APP_NAME
|
|
SECURITY_EMAIL_SUBJECT_PASSWORD_NOTICE = "Your %s password has been reset" \
|
|
% APP_NAME
|
|
SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE = \
|
|
"Your password for %s has been changed" % APP_NAME
|
|
|
|
##########################################################################
|
|
# Email address validation
|
|
##########################################################################
|
|
CHECK_EMAIL_DELIVERABILITY = False
|
|
SECURITY_EMAIL_VALIDATOR_ARGS = \
|
|
{"check_deliverability": CHECK_EMAIL_DELIVERABILITY}
|
|
|
|
##########################################################################
|
|
# Upgrade checks
|
|
##########################################################################
|
|
|
|
# Check for new versions of the application?
|
|
UPGRADE_CHECK_ENABLED = True
|
|
|
|
# Where should we get the data from?
|
|
UPGRADE_CHECK_URL = 'https://www.pgadmin.org/versions.json'
|
|
|
|
# What key should we look at in the upgrade data file?
|
|
UPGRADE_CHECK_KEY = 'pgadmin4'
|
|
|
|
# Which CA file should we use?
|
|
# Default to cacert.pem in the same directory as config.py et al.
|
|
CA_FILE = os.path.join(os.path.dirname(os.path.realpath(__file__)),
|
|
"cacert.pem")
|
|
|
|
# Check if the detected browser is supported
|
|
CHECK_SUPPORTED_BROWSER = True
|
|
|
|
##########################################################################
|
|
# Storage Manager storage url config settings
|
|
# If user sets STORAGE_DIR to empty it will show all volumes if platform
|
|
# is Windows, '/' if it is Linux, Mac or any other unix type system.
|
|
|
|
# For example:
|
|
# 1. STORAGE_DIR = get_drive("C") or get_drive() # return C:/ by default
|
|
# where C can be any drive character such as "D", "E", "G" etc
|
|
# 2. Set path manually like
|
|
# STORAGE_DIR = "/path/to/directory/"
|
|
##########################################################################
|
|
STORAGE_DIR = os.path.join(DATA_DIR, 'storage')
|
|
|
|
##########################################################################
|
|
# Default locations for binary utilities (pg_dump, pg_restore etc)
|
|
#
|
|
# These are intentionally left empty in the main config file, but are
|
|
# expected to be overridden by packagers in config_distro.py.
|
|
#
|
|
# A default location can be specified for each database driver ID, in
|
|
# a dictionary. Either an absolute or relative path can be specified.
|
|
#
|
|
# Version-specific defaults can also be specified, which will take priority
|
|
# over un-versioned paths.
|
|
#
|
|
# In cases where it may be difficult to know what the working directory
|
|
# is, "$DIR" can be specified. This will be replaced with the path to the
|
|
# top-level pgAdmin4.py file. For example, on macOS we might use:
|
|
#
|
|
# $DIR/../../SharedSupport
|
|
#
|
|
##########################################################################
|
|
DEFAULT_BINARY_PATHS = {
|
|
"pg": "",
|
|
"pg-12": "",
|
|
"pg-13": "",
|
|
"pg-14": "",
|
|
"pg-15": "",
|
|
"pg-16": "",
|
|
"pg-17": "",
|
|
"ppas": "",
|
|
"ppas-12": "",
|
|
"ppas-13": "",
|
|
"ppas-14": "",
|
|
"ppas-15": "",
|
|
"ppas-16": "",
|
|
"ppas-17": ""
|
|
}
|
|
|
|
##########################################################################
|
|
|
|
# Admin can specify fixed binary paths to prevent users from changing.
|
|
# It will take precedence over DEFAULT_BINARY_PATHS.
|
|
|
|
FIXED_BINARY_PATHS = {
|
|
"pg": "",
|
|
"pg-12": "",
|
|
"pg-13": "",
|
|
"pg-14": "",
|
|
"pg-15": "",
|
|
"pg-16": "",
|
|
"pg-17": "",
|
|
"ppas": "",
|
|
"ppas-12": "",
|
|
"ppas-13": "",
|
|
"ppas-14": "",
|
|
"ppas-15": "",
|
|
"ppas-16": "",
|
|
"ppas-17": ""
|
|
}
|
|
|
|
##########################################################################
|
|
# Test settings - used primarily by the regression suite, not for users
|
|
##########################################################################
|
|
|
|
# The default path for SQLite database for testing
|
|
TEST_SQLITE_PATH = os.path.join(DATA_DIR, 'test_pgadmin4.db')
|
|
|
|
##########################################################################
|
|
# Allows flask application to response to the each request asynchronously
|
|
##########################################################################
|
|
THREADED_MODE = True
|
|
|
|
##########################################################################
|
|
# Do not allow SQLALCHEMY to track modification as it is going to be
|
|
# deprecated in future
|
|
##########################################################################
|
|
SQLALCHEMY_TRACK_MODIFICATIONS = False
|
|
|
|
##########################################################################
|
|
# Number of records to fetch in one batch in query tool when query result
|
|
# set is large.
|
|
##########################################################################
|
|
ON_DEMAND_RECORD_COUNT = 1000
|
|
|
|
##########################################################################
|
|
# Allow users to display Gravatar image for their username in Server mode
|
|
##########################################################################
|
|
SHOW_GRAVATAR_IMAGE = True
|
|
|
|
##########################################################################
|
|
# Set cookie path and options
|
|
##########################################################################
|
|
COOKIE_DEFAULT_PATH = '/'
|
|
COOKIE_DEFAULT_DOMAIN = None
|
|
SESSION_COOKIE_DOMAIN = None
|
|
SESSION_COOKIE_SAMESITE = 'Lax'
|
|
SESSION_COOKIE_SECURE = False
|
|
SESSION_COOKIE_HTTPONLY = True
|
|
|
|
#########################################################################
|
|
# Skip storing session in files and cache for specific paths
|
|
#########################################################################
|
|
SESSION_SKIP_PATHS = [
|
|
'/misc/ping'
|
|
]
|
|
|
|
##########################################################################
|
|
# Session expiration support
|
|
##########################################################################
|
|
# SESSION_EXPIRATION_TIME is the interval in Days. Session will be
|
|
# expire after the specified number of *days*.
|
|
SESSION_EXPIRATION_TIME = 1
|
|
|
|
# Make SESSION_EXPIRATION_TIME to 1 week in DESKTOP mode
|
|
if not SERVER_MODE:
|
|
SESSION_EXPIRATION_TIME = 7
|
|
|
|
# CHECK_SESSION_FILES_INTERVAL is interval in Hours. Application will check
|
|
# the session files for cleanup after specified number of *hours*.
|
|
CHECK_SESSION_FILES_INTERVAL = 24
|
|
|
|
# USER_INACTIVITY_TIMEOUT is interval in Seconds. If the pgAdmin screen is left
|
|
# unattended for <USER_INACTIVITY_TIMEOUT> seconds then the user will
|
|
# be logged out. When set to 0, the timeout will be disabled.
|
|
# If pgAdmin doesn't detect any activity in the time specified (in seconds),
|
|
# the user will be forcibly logged out from pgAdmin. Set to zero to disable
|
|
# the timeout.
|
|
# Note: This is applicable only for SERVER_MODE=True.
|
|
USER_INACTIVITY_TIMEOUT = 0
|
|
|
|
# OVERRIDE_USER_INACTIVITY_TIMEOUT when set to True will override
|
|
# USER_INACTIVITY_TIMEOUT when long running queries in the Query Tool
|
|
# or Debugger are running. When the queries complete, the inactivity timer
|
|
# will restart in this case. If set to False, user inactivity may cause
|
|
# transactions or in-process debugging sessions to be aborted.
|
|
OVERRIDE_USER_INACTIVITY_TIMEOUT = True
|
|
|
|
##########################################################################
|
|
# SSH Tunneling supports only for Python 2.7 and 3.4+
|
|
##########################################################################
|
|
SUPPORT_SSH_TUNNEL = True
|
|
# Allow SSH Tunnel passwords to be saved if the user chooses.
|
|
# Set to False to disable password saving.
|
|
ALLOW_SAVE_TUNNEL_PASSWORD = False
|
|
|
|
##########################################################################
|
|
# Master password is used to encrypt/decrypt saved server passwords
|
|
# Applicable for desktop mode only
|
|
##########################################################################
|
|
MASTER_PASSWORD_REQUIRED = True
|
|
USE_OS_SECRET_STORAGE = True
|
|
##########################################################################
|
|
|
|
# pgAdmin encrypts the database connection and ssh tunnel password using a
|
|
# master password or pgAdmin login password (for other authentication sources)
|
|
# before storing it in the pgAdmin configuration database.
|
|
#
|
|
# Below setting is used to allow the user to specify the path to a script
|
|
# or program that will return an encryption key which will be used to
|
|
# encrypt the passwords. This setting is used only in server mode when
|
|
# auth sources are oauth, Kerberos, and webserver.
|
|
#
|
|
# You can pass the current username as an argument to the external script
|
|
# by specifying %u in config value.
|
|
# E.g. - MASTER_PASSWORD_HOOK = '<PATH>/passwdgen_script.sh %u'
|
|
##########################################################################
|
|
MASTER_PASSWORD_HOOK = None
|
|
|
|
##########################################################################
|
|
|
|
# Allows pgAdmin4 to create session cookies based on IP address, so even
|
|
# if a cookie is stolen, the attacker will not be able to connect to the
|
|
# server using that stolen cookie.
|
|
# Note: This can cause problems when the server is deployed in dynamic IP
|
|
# address hosting environments, such as Kubernetes or behind load
|
|
# balancers. In such cases, this option should be set to False.
|
|
##########################################################################
|
|
ENHANCED_COOKIE_PROTECTION = True
|
|
|
|
##########################################################################
|
|
# External Authentication Sources
|
|
##########################################################################
|
|
|
|
# Default setting is internal
|
|
# External Supported Sources: ldap, kerberos, oauth2
|
|
# Multiple authentication can be achieved by setting this parameter to
|
|
# ['ldap', 'internal'] or ['oauth2', 'internal'] or
|
|
# ['webserver', 'internal'] etc.
|
|
# pgAdmin will authenticate the user with ldap/oauth2 whatever first in the
|
|
# list, in case of failure the second authentication option will be considered.
|
|
|
|
AUTHENTICATION_SOURCES = ['internal']
|
|
|
|
##########################################################################
|
|
# MAX_LOGIN_ATTEMPTS which sets the number of failed login attempts that
|
|
# are allowed. If this value is exceeded the account is locked and can be
|
|
# reset by an administrator. By setting the variable to the value zero
|
|
# this feature is deactivated.
|
|
##########################################################################
|
|
MAX_LOGIN_ATTEMPTS = 3
|
|
|
|
##########################################################################
|
|
# Only consider password to check the failed login attempts, email is
|
|
# excluded from this check
|
|
LOGIN_ATTEMPT_FIELDS = ['password']
|
|
##########################################################################
|
|
# LDAP Configuration
|
|
##########################################################################
|
|
|
|
# After ldap authentication, user will be added into the SQLite database
|
|
# automatically, if set to True.
|
|
# Set it to False, if user should not be added automatically,
|
|
# in this case Admin has to add the user manually in the SQLite database.
|
|
LDAP_AUTO_CREATE_USER = True
|
|
|
|
# Connection timeout
|
|
LDAP_CONNECTION_TIMEOUT = 10
|
|
|
|
# Server connection details (REQUIRED)
|
|
# example: ldap://<ip-address>:<port> or ldap://<hostname>:<port>
|
|
LDAP_SERVER_URI = 'ldap://<ip-address>:<port>'
|
|
|
|
# The LDAP attribute containing user names. In OpenLDAP, this may be 'uid'
|
|
# whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED)
|
|
LDAP_USERNAME_ATTRIBUTE = '<User-id>'
|
|
|
|
##########################################################################
|
|
# 3 ways to configure LDAP as follows (Choose anyone):
|
|
|
|
# 1. Dedicated User binding
|
|
|
|
# LDAP Bind User DN Example: cn=username,dc=example,dc=com
|
|
# Set this parameter to allow the connection to bind using a dedicated user.
|
|
# After the connection is made, the pgadmin login user will be further
|
|
# authenticated by the username and password provided
|
|
# at the login screen.
|
|
LDAP_BIND_USER = None
|
|
|
|
# LDAP Bind User Password
|
|
LDAP_BIND_PASSWORD = None
|
|
|
|
# OR ####################
|
|
# 2. Anonymous Binding
|
|
|
|
# Set this parameter to allow the anonymous bind.
|
|
# After the connection is made, the pgadmin login user will be further
|
|
# authenticated by the username and password provided
|
|
|
|
LDAP_ANONYMOUS_BIND = False
|
|
|
|
# OR ####################
|
|
# 3. Bind as pgAdmin user
|
|
|
|
# BaseDN (REQUIRED)
|
|
# AD example:
|
|
# (&(objectClass=user)(memberof=CN=MYGROUP,CN=Users,dc=example,dc=com))
|
|
# OpenLDAP example: CN=Users,dc=example,dc=com
|
|
LDAP_BASE_DN = '<Base-DN>'
|
|
|
|
# Configure the bind format string
|
|
# Default: LDAP_BIND_FORMAT="
|
|
# {LDAP_USERNAME_ATTRIBUTE}={LDAP_USERNAME},{LDAP_BASE_DN}"
|
|
# The current available options are:
|
|
# LDAP_USERNAME_ATTRIBUTE, LDAP_USERNAME, LDAP_BASE_DN
|
|
# Example: LDAP_BIND_FORMAT="myldapuser@sales.example.com"
|
|
# LDAP_BIND_FORMAT="NET\\myldapuser"
|
|
LDAP_BIND_FORMAT = '{LDAP_USERNAME_ATTRIBUTE}={LDAP_USERNAME},{LDAP_BASE_DN}'
|
|
|
|
##########################################################################
|
|
|
|
# Search ldap for further authentication (REQUIRED)
|
|
# It can be optional while bind as pgAdmin user
|
|
LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'
|
|
|
|
# The LDAP attribute indicates whether the DN (Distinguished Names)
|
|
# are case sensitive or not
|
|
LDAP_DN_CASE_SENSITIVE = False
|
|
|
|
# Filter string for the user search.
|
|
# For OpenLDAP, '(cn=*)' may well be enough.
|
|
# For AD, you might use '(objectClass=user)' (REQUIRED)
|
|
LDAP_SEARCH_FILTER = '(objectclass=*)'
|
|
|
|
# Search scope for users (one of BASE, LEVEL or SUBTREE)
|
|
LDAP_SEARCH_SCOPE = 'SUBTREE'
|
|
|
|
# Use TLS? If the URI scheme is ldaps://, this is ignored.
|
|
LDAP_USE_STARTTLS = False
|
|
|
|
# TLS/SSL certificates. Specify if required, otherwise leave empty
|
|
LDAP_CA_CERT_FILE = ''
|
|
LDAP_CERT_FILE = ''
|
|
LDAP_KEY_FILE = ''
|
|
|
|
##########################################################################
|
|
|
|
# Some flaky LDAP servers returns malformed schema. If True, no exception
|
|
# will be raised and schema is thrown away but authentication will be done.
|
|
# This parameter should remain False, as recommended.
|
|
LDAP_IGNORE_MALFORMED_SCHEMA = False
|
|
|
|
##########################################################################
|
|
# Kerberos Configuration
|
|
##########################################################################
|
|
|
|
KRB_APP_HOST_NAME = DEFAULT_SERVER
|
|
|
|
# If the default_keytab_name is not set in krb5.conf or
|
|
# the KRB_KTNAME environment variable is not set then, explicitly set
|
|
# the Keytab file
|
|
|
|
KRB_KTNAME = '<KRB5_KEYTAB_FILE>'
|
|
|
|
# After kerberos authentication, user will be added into the SQLite database
|
|
# automatically, if set to True.
|
|
# Set it to False, if user should not be added automatically,
|
|
# in this case Admin has to add the user manually in the SQLite database.
|
|
|
|
KRB_AUTO_CREATE_USER = True
|
|
|
|
KERBEROS_CCACHE_DIR = os.path.join(DATA_DIR, 'krbccache')
|
|
|
|
#############################################################################
|
|
# Create local directory to store azure credential cache
|
|
#############################################################################
|
|
|
|
AZURE_CREDENTIAL_CACHE_DIR = os.path.join(DATA_DIR, 'azurecredentialcache')
|
|
|
|
##########################################################################
|
|
# OAuth2 Configuration
|
|
##########################################################################
|
|
|
|
# Multiple OAUTH2 providers can be added in the list like [{...},{...}]
|
|
# All parameters are required
|
|
|
|
OAUTH2_CONFIG = [
|
|
{
|
|
# The name of the of the oauth provider, ex: github, google
|
|
'OAUTH2_NAME': None,
|
|
# The display name, ex: Google
|
|
'OAUTH2_DISPLAY_NAME': '<Oauth2 Display Name>',
|
|
# Oauth client id
|
|
'OAUTH2_CLIENT_ID': None,
|
|
# Oauth secret
|
|
'OAUTH2_CLIENT_SECRET': None,
|
|
# URL to generate a token,
|
|
# Ex: https://github.com/login/oauth/access_token
|
|
'OAUTH2_TOKEN_URL': None,
|
|
# URL is used for authentication,
|
|
# Ex: https://github.com/login/oauth/authorize
|
|
'OAUTH2_AUTHORIZATION_URL': None,
|
|
# server metadata url might optional for your provider
|
|
'OAUTH2_SERVER_METADATA_URL': None,
|
|
# Oauth base url, ex: https://api.github.com/
|
|
'OAUTH2_API_BASE_URL': None,
|
|
# Name of the Endpoint, ex: user
|
|
'OAUTH2_USERINFO_ENDPOINT': None,
|
|
# Oauth scope, ex: 'openid email profile'
|
|
# Note that an 'email' claim is required in the resulting profile
|
|
'OAUTH2_SCOPE': None,
|
|
# The claim which is used for the username. If the value is empty the
|
|
# email is used as username, but if a value is provided,
|
|
# the claim has to exist.
|
|
'OAUTH2_USERNAME_CLAIM': None,
|
|
# Font-awesome icon, ex: fa-github
|
|
'OAUTH2_ICON': None,
|
|
# UI button colour, ex: #0000ff
|
|
'OAUTH2_BUTTON_COLOR': None,
|
|
# The additional claims to check on user ID Token or Userinfo response.
|
|
# This is useful to provide additional authorization checks
|
|
# before allowing access.
|
|
# Example for GitLab: allowing all maintainers teams, and a specific
|
|
# developers group to access pgadmin:
|
|
# 'OAUTH2_ADDITIONAL_CLAIMS': {
|
|
# 'https://gitlab.org/claims/groups/maintainer': [
|
|
# 'kuberheads/applications',
|
|
# 'kuberheads/dba',
|
|
# 'kuberheads/support'
|
|
# ],
|
|
# 'https://gitlab.org/claims/groups/developer': [
|
|
# 'kuberheads/applications/team01'
|
|
# ],
|
|
# }
|
|
# Example for AzureAD:
|
|
# 'OAUTH2_ADDITIONAL_CLAIMS': {
|
|
# 'groups': ["0760b6cf-170e-4a14-91b3-4b78e0739963"],
|
|
# 'wids': ["cf1c38e5-3621-4004-a7cb-879624dced7c"],
|
|
# }
|
|
'OAUTH2_ADDITIONAL_CLAIMS': None,
|
|
# Set this variable to False to disable SSL certificate verification
|
|
# for OAuth2 provider.
|
|
# This may need to set False, in case of self-signed certificates.
|
|
# Ref: https://github.com/psf/requests/issues/6071
|
|
'OAUTH2_SSL_CERT_VERIFICATION': True,
|
|
# set this variable to invalidate the session of the oauth2 provider
|
|
# Example for keycloak:
|
|
# 'OAUTH2_LOGOUT_URL':
|
|
# 'https://example.com/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri={redirect_uri}&id_token_hint={id_token}'
|
|
'OAUTH2_LOGOUT_URL': None
|
|
}
|
|
]
|
|
|
|
# After Oauth authentication, user will be added into the SQLite database
|
|
# automatically, if set to True.
|
|
# Set it to False, if user should not be added automatically,
|
|
# in this case Admin has to add the user manually in the SQLite database.
|
|
|
|
OAUTH2_AUTO_CREATE_USER = True
|
|
|
|
##########################################################################
|
|
# Webserver Configuration
|
|
##########################################################################
|
|
|
|
WEBSERVER_AUTO_CREATE_USER = True
|
|
|
|
# REMOTE_USER variable will be used to check the environment variable
|
|
# is set or not first, if not available,
|
|
# request header will be checked for the same.
|
|
# Possible values: REMOTE_USER, HTTP_X_FORWARDED_USER, X-Forwarded-User
|
|
|
|
WEBSERVER_REMOTE_USER = 'REMOTE_USER'
|
|
|
|
##########################################################################
|
|
# Two-factor Authentication Configuration
|
|
##########################################################################
|
|
|
|
# Set it to True, to enable the two-factor authentication
|
|
MFA_ENABLED = True
|
|
|
|
# Set it to True, to ask the users to register forcefully for the
|
|
# two-authentication methods on logged-in.
|
|
MFA_FORCE_REGISTRATION = False
|
|
|
|
# pgAdmin supports Two-factor authentication by either sending an one-time code
|
|
# to an email, or using the TOTP based application like Google Authenticator.
|
|
MFA_SUPPORTED_METHODS = ["email", "authenticator"]
|
|
|
|
# NOTE: Please set the 'Mail server settings' to use 'email' as two-factor
|
|
# authentication method.
|
|
|
|
# Subject for the email verification code
|
|
# Default: <APP_NAME> - Verification Code
|
|
# e.g. pgAdmin 4 - Verification Code
|
|
MFA_EMAIL_SUBJECT = None
|
|
|
|
##########################################################################
|
|
# PSQL tool settings
|
|
##########################################################################
|
|
# This will enable PSQL tool in pgAdmin when running in server mode.
|
|
# PSQL is always enabled in Desktop mode, however in server mode it is
|
|
# disabled by default because users can run arbitrary commands on the
|
|
# server through it.
|
|
ENABLE_PSQL = False
|
|
|
|
##########################################################################
|
|
# ENABLE_BINARY_PATH_BROWSING setting is used to enable the browse button
|
|
# while selecting binary path for the database server in server mode.
|
|
# In Desktop mode it is always enabled and setting is of no use.
|
|
##########################################################################
|
|
ENABLE_BINARY_PATH_BROWSING = False
|
|
|
|
##########################################################################
|
|
# In server mode, the SHARED_STORAGE setting is used to enable shared storage.
|
|
# Specify the name, path, and restricted_access values that should be shared
|
|
# between users. When restricted_access is set to True, non-admin users cannot
|
|
# upload/add, delete, or rename files/folders in shared storage, only admins
|
|
# can do that. Users must provide the absolute path to the folder, and the name
|
|
# can be anything they see on the user interface.
|
|
# [{ 'name': 'Shared 1', 'path': '/shared_folder',
|
|
# 'restricted_access': True/False}]
|
|
##########################################################################
|
|
SHARED_STORAGE = []
|
|
|
|
#############################################################################
|
|
# AUTO_DISCOVER_SERVERS setting is used to enable the pgAdmin to discover the
|
|
# database server automatically on the local machine.
|
|
# When it is set to False, pgAdmin will not discover servers installed on
|
|
# the local machine.
|
|
#############################################################################
|
|
AUTO_DISCOVER_SERVERS = True
|
|
|
|
#############################################################################
|
|
# SERVER_HEARTBEAT_TIMEOUT is used to send the server heartbeat to server
|
|
# from the client. This will resolve the orphan database issue once
|
|
# browser tab is closed.
|
|
#############################################################################
|
|
SERVER_HEARTBEAT_TIMEOUT = 30 # In seconds
|
|
|
|
#############################################################################
|
|
# ENABLE_SERVER_PASS_EXEC_CMD is used to enable/disable Password exec command
|
|
# field in server properties. This is used to specify a shell command to be
|
|
# executed to retrieve a password to be used for server authentication.
|
|
# This setting is applicable only for server mode.
|
|
#############################################################################
|
|
ENABLE_SERVER_PASS_EXEC_CMD = False
|
|
|
|
#############################################################################
|
|
# Number of records to fetch in one batch for server logs.
|
|
##############################################################################
|
|
|
|
ON_DEMAND_LOG_COUNT = 10000
|
|
|
|
#############################################################################
|
|
# Patch the default config with custom config and other manipulations
|
|
#############################################################################
|
|
from pgadmin.evaluate_config import evaluate_and_patch_config
|
|
locals().update(evaluate_and_patch_config(locals()))
|