Closed hrawulwa closed 2 years ago
Hi,
powa-web doesn't have any additional authentication layer on top of postgres authentication: connecting to powa-web means connecting to postgres. So if you can connect to powa-web without providing a password and without storing the credentials in powa-web.conf, it means that the authentication configuration on the target database allows it. It could be due to pg_hba.conf allowing it, maybe for the powa-web host specifically or not, or something else like a .pgpass available for the user running powa-web.
In any case, this is external to powa-web itself.
I'm able to resolve this myself. Basically pg_hba.conf file was using trust authentication for localhost. So, I modified to use the IP address in the powa-web.conf instead of localhost. It worked after this modification.
Thanks Hari
Great, thanks for the confirmation!
Looks like our messages criss crossed. Yes, you are correct about the pg_hba.conf file. Thanks again.
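The behaviour discussed in the replies above, as an added example that is not part of the original posts or of powa-web: a small first-match evaluator for pg_hba.conf showing why a TCP connection to `localhost` was accepted without a password while one to the server's IP address was not. The sample file and the address 10.1.2.3 are constructed; the parser assumes CIDR-style ADDRESS fields, ignores options and treats every `host*` type alike.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread): loopback is
# trusted, every other TCP client must present a password.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   0.0.0.0/0      scram-sha-256
"""

PASSWORDLESS = {"trust"}  # accepts any claimed user name with no credential

def parse_hba(text):
    """Return rules as dicts, in file order (PostgreSQL uses the first match)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":      # Unix-socket rule: no ADDRESS column
            conn, db, user, method = fields[:4]
            addr = None
        else:                         # host / hostssl / hostnossl, CIDR form only
            conn, db, user, addr, method = fields[:5]
        rules.append({"type": conn, "db": db, "user": user,
                      "addr": addr, "method": method})
    return rules

def field_matches(field, value):
    return field == "all" or value in field.split(",")

def first_match(rules, db, user, client_ip):
    """Auth method applied to a TCP connection from client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["type"] == "local":
            continue                  # TCP connections never match socket rules
        if not (field_matches(r["db"], db) and field_matches(r["user"], user)):
            continue
        if r["addr"] != "all" and ip not in ipaddress.ip_network(r["addr"], strict=False):
            continue
        return r["method"]
    return None                       # no rule matched: connection is rejected

def audit(rules):
    """List the rules that let a client in without any password."""
    return [r for r in rules if r["method"] in PASSWORDLESS]
```

Running `audit(parse_hba(open(path).read()))` against a real file lists the entries to tighten, where `path` is whatever `SHOW hba_file;` reports on the server.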
Hello, when accessing the Powa Web, it is allowing me to log in
i) without providing any username and password
ii) when providing only username and null password
The only time it is trying to authenticate is when issuing wrong username and it displays Auth failed message. But the first two points, it is a serious security issue.
I have a remote setup, and have powa-collector-1.1.1 and powa-web-4.1.1 running on a single server. I thought pg_hba.conf file will also be used to authenticate the Web, but it does not seem to be.
How do I enforce username and password requirements correctly? Please advise.
```
[postgres@sl73pgtldbp002 powa-web-4.1.1]$ cat powa-web.conf
servers={
  'main': {
    'host': 'localhost',
    'port': '5432',
    'database': 'powa',
    'query': {'client_encoding': 'utf8'}
  }
}
cookie_secret="SUPERSECRET_THAT_YOU_SHOULD_CHANGE"

# Some extra options you can set
#
# port on which the UI should be available.
port=8888
# Address on which the UI should be available on
address=0.0.0.0
# Forbid UI to connect to databases globally (can be configured per server)
allow_ui_connection=False
# Custom URL prefix the UI should be available on
url_prefix="/"
```
Thanks Hari