[7.0] Dumping/restoring databases prompts for password via server console on non-Windows platforms

Bug #1124440 reported by Brendan Clune (Logic Supply)
This bug affects 3 people
Affects: Odoo Server (MOVED TO GITHUB)
Status: Fix Released
Importance: High
Assigned to: OpenERP's Framework R&D
Milestone:

Bug Description

When postgres is configured to access a database via TCP and not a local Unix socket, the user is prompted for a password via the server console when dumping or restoring databases from the web interface.

The relevant code lives in openerp/service/web_services.py. Revision 4424 refactored the code that sets PGPASSWORD; the current implementation sets this environment variable only on Windows machines.

The previous code block included comments with a "FIXME" suggesting that setting the PGPASSWORD environment variable was not particularly secure on Unix machines, particularly for SaaS boxes. It is possible that alternate postgres configurations can authenticate the openerp user without a password even over TCP. (A .pgpass file should work for this, but is not automatically created by OpenERP.) However, this bug is still a regression from 6.1.

I propose two possible solutions:

1. Give the pg_dump and pg_restore commands the "--no-password" flag to prevent them from waiting for input at the server console. Both commands will work if there is a passwordless method of authentication available, but will fail immediately if not. This prevents the "Still loading" screen from displaying on the frontend until the password dialog times out at the console.

2. In addition to the above, re-enable setting the PGPASSWORD environment variable on Unix systems.

I am happy to provide a patch for either solution, but I am not sure whether re-enabling the PGPASSWORD functionality on Unix systems is a good idea.

Tags: postgres
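
An added example, not part of the original report or of OpenERP's code: one way to run pg_dump over TCP with neither PGPASSWORD in the environment nor a console prompt, by writing a temporary password file, pointing PGPASSFILE at it, and passing --no-password. The function names and connection values are hypothetical.

```python
import os
import subprocess
import tempfile


def pgpass_line(host, port, dbname, user, password):
    """Format one .pgpass entry; ':' and '\\' inside a field must be escaped."""
    def esc(value):
        return str(value).replace("\\", "\\\\").replace(":", "\\:")
    return ":".join(esc(f) for f in (host, port, dbname, user, password))


def prepare_pg_dump(host, port, dbname, user, password, outfile):
    """Return (argv, env, passfile) for a pg_dump run that can never prompt."""
    # mkstemp creates the file with mode 0600; libpq ignores a password file
    # that is readable by group or others.
    fd, passfile = tempfile.mkstemp(prefix="pgpass-")
    with os.fdopen(fd, "w") as handle:
        handle.write(pgpass_line(host, port, dbname, user, password) + "\n")
    env = dict(os.environ)
    env.pop("PGPASSWORD", None)  # keep the secret out of the child's environment
    env["PGPASSFILE"] = passfile
    # --no-password (PostgreSQL 8.4 and later) fails at once instead of prompting
    argv = ["pg_dump", "--no-password",
            "--host", host, "--port", str(port), "--username", user,
            "--format=c", "--file", outfile, dbname]
    return argv, env, passfile


def dump_database(host, port, dbname, user, password, outfile):
    """Run pg_dump; return (exit_code, stderr_text). Removes the password file."""
    argv, env, passfile = prepare_pg_dump(host, port, dbname, user, password, outfile)
    try:
        # stdin is closed as well, so nothing can block on the server console
        proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, text=True)
        return proc.returncode, proc.stderr
    finally:
        os.unlink(passfile)
```
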
description: updated
Brendan Clune (Logic Supply) (brendan-clune) wrote :

This patch adds the --no-password flag to pg_dump and pg_restore. It also updates the error message received when a dump/restore fails to suggest a .pgpass file in addition to checking that the db_password is specified in the configuration file.

Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Medium
status: New → Confirmed
Olivier Dony (Odoo) (odo-openerp) wrote :

Hi Brendan,

Your analysis and propositions are quite correct, thank you. The regression introduced at revision 4424 was corrected in 7.0 at revision 4893[1], though identified as a direct regression for bug 790164. I failed to notice that your bug report was also related, otherwise I would have closed it as well.

Your patch is very good, however we cannot apply the `--no-password` part in OpenERP 7.0 because we are maintaining compatibility with PostgreSQL 8.3, and the pg_* utilities only have this parameter as of PG 8.4. This also explains why we haven't used `--no-password` so far.

The minimum PG version for the next OpenERP stable release has not been determined yet, so I cannot yet say when we'll accept the patch in trunk. I don't know of any other mechanism to stop pg_* (8.3) from displaying the password prompt.

I have however applied the second part of your patch (corrected error message) at revision 4900[2], credited to you.

Thanks for your detailed bug report and patch!

PS: I'm not marking this bug as a duplicate of bug 790164 because the visible result has actually changed since then. This one is closer to being a duplicate of bug 1155523, though it covers another part of the regression, so let's have it stand on its own.

[1] server 7.0, revision-id: <email address hidden>
[2] server 7.0, revision-id: <email address hidden>

Changed in openobject-server:
importance: Medium → High
milestone: none → 7.0
status: Confirmed → Fix Released
summary: - Dumping/restoring databases prompts for password via server console
+ [7.0] Dumping/restoring databases prompts for password via server
+ console on non-Windows platforms
Mike C. (miguelmclara-c) wrote :

I'm having the same problem on Windows 7, I created a test database but still get the same error!

The log doesn't provide much help (test database default admin pass):

2013-04-02 15:09:46,292 2228 INFO ? werkzeug: 127.0.0.1 - - [02/Apr/2013 15:09:46] "POST /web/database/get_list HTTP/1.1" 200 -
2013-04-02 15:09:46,687 2228 INFO ? werkzeug: 127.0.0.1 - - [02/Apr/2013 15:09:46] "POST /web/session/get_lang_list HTTP/1.1" 200 -
2013-04-02 15:09:56,904 2228 ERROR ? openerp.addons.web.http.HttpRequest.dispatch: An error occurred while handling a json request
Traceback (most recent call last):
  File "D:\Program Files (x86)\OpenERP 7.0\Server\server\openerp\addons\web\http.py", line 284, in dispatch
TypeError: backup() got an unexpected keyword argument ''
2013-04-02 15:09:57,006 2228 INFO ? werkzeug: 127.0.0.1 - - [02/Apr/2013 15:09:57] "GET /web/database/backup?token=1364915396858&backup_db=test&backup_pwd=admin&=&session_id=bb45f514a4144ff3a883991ae0463920 HTTP/1.1" 500 -

I see HTTP status 500... but nothing more...

Mike C. (miguelmclara-c) wrote :

Just noticed this part:
TypeError: backup() got an unexpected keyword argument ''

Could it be related?

Brendan Clune (Logic Supply) (brendan-clune) wrote :

Mike,

I'm not sure that your error is related, but it's certainly possible. What version and revision number are you using for server, addons, and web? What database configuration are you using?
