PostGIS connection: QGIS tries to connect with system username even if DB username/password are used #42439
Comments
Seems weird to me that QGIS by itself tries a connection with a credential that is not the one stored in the connection. Do you store username and password when creating a PostGIS connection? What if you try to convert to (authentication) configuration instead?
When connecting the first time it asks for the username and password, then I fill those in but do not save them anywhere. Then it makes this problem. I have been able to pass when using authentication.
@Virvis so the problem you describe is when you don't save username and password, correct? And it is ok when using the (authentication) configuration, correct? Do you know that you can share the (authentication) configuration with other computers (and this way the users who use it will never know the real credentials)?
Yes. Problem when I do not save credentials. I have not tested if I save them "as plain text" as one option is when creating new connection. I know that I can share authentication between computers, but I want everyone to have their own credentials, not the same ones. I could of course set it so that everyone has auth with the same tag (ID) in the authentication settings, but it feels too complicated when we have quite many people in different locations. It should not be so hard to connect to a database :)
Just ask everyone to create a connection with their credential, store it, then make it an auth config. Where is the problem with it?
@Virvis even from the PostgreSQL CLI interface (psql), if you omit the -U parameter (the user) it tries to connect with the system username; this has nothing to do with QGIS.
We do it exactly like this: all users have their own user role and password, but by using the same authid the users are able to open the project with their own credentials. You have to "educate" your users in the beginning, but once they get it, it works fine. Do you have a better idea how to do it? The other thing that @gioman mentioned is a libpq thing. QGIS uses libpq (the standard PostgreSQL library) and inherits its behavior. libpq automatically uses the local user account, if the username is omitted. If you want to change the behavior of libpq, you have to open an issue with the PostgreSQL project.
I will do the auth-trick from now on. Everyone should have the same auth-id and their own credentials saved there. It works. My "problem" is still the same: without authing, the user will get blocked from the db. Username is not omitted then? One thing I didn't mention earlier: I have set the connection to require SSL.
@Virvis if you omit the username the system username is used, but this is not QGIS behavior, it is libpq's, which QGIS uses in its PostgreSQL provider.
But when the correct username + password is offered and used, QGIS still sends the system username to the database.
@Virvis offered but NOT saved, correct?
Correct.
@Virvis I guess you can say that. I edited the title, make sense?
Yes, I think it is correctly said :)
Comment one more thing.
The QGIS project highly values your report and would love to see it addressed. However, this issue has been left in feedback mode for the last 14 days and is being automatically marked as "stale".
This is a real issue. When I load a QGis map on Windows (where my user name does NOT match the Postgres user name) which I have saved on Linux (where my username matches the Postgres name) then the first layer of each database complains about the non-existing role (the Windows username) with a username/password dialog. When I enter the correct username and leave the password empty then the other layers load fine. Setting environment variable PGUSER to the correct Postgres username fixes this issue. Somewhere the authcfg username is not used, but the password IS? EDIT: The root cause is that the authcfg ID is different on the Windows machine, so that explains why we have to enter the username. It is unclear why the password does not have to be entered. EDIT2: When I enter a wrong password the layer is still loading correctly. So it is reusing an existing connection, but passing no username, and libpq adds the system account name.
Fix qgis#42439 When a user configures a PostGIS connection and loads a project from this database, then often the authcfg id in the saved project is different from the local authcfg id with correct PostgreSQL credentials. This is no problem when the PGUSER environment variable matches the PostgreSQL user in the saved and local authcfg or the OS username matches. This works because PQconnectdb() just needs a username when a previous connect with the same username/password was successful. This patch saves a PostgreSQL username when one is supplied and uses it when the username is not known.
Fix qgis#42439 When a user configures a PostGIS connection and loads a QGIS project from this database, then often the authcfg id in the saved project is different from the local authcfg id with correct PostgreSQL credentials. This is no problem when the PGUSER environment variable matches the PostgreSQL user in the saved and local authcfg or the OS username matches. This works because PQconnectdb() just needs a username (either explicit or implicit from PGUSER or the OS username) when a previous connect with the same username and a password was successful. This patch saves a PostgreSQL username when one is supplied and uses it when the username is not known. In most cases this prevents that the user must enter his username in one or more Authentication dialogs.
the problem may be in IP of localhost, which changed and QGIS is trying to connect to old one
I set up a remote PostGIS database. I also made a fail2ban firewall for it to protect from malicious connections.
Fail2ban searches /var/log/postgresql/postgresql-12-main.log for failed connections. When there are too many failed connections, the connection is banned for 5min.
From my local machine I use QGIS 3.16.3-Hannover.
When fail2ban is inactive I can connect to the database with my username+password, and I can do everything I want.
If I activate fail2ban, it disconnects me from the database.
I went to see the PostgreSQL logs, and they show me that QGIS has let me in, but also simultaneously tried to connect with another username without a password. It uses the QGIS global variable "user_account_name", the same as my computer's username (erkki).
The PostgreSQL log looks like:
176.x.x.x (56547) 2021-03-24 12:56:19 EET [1892948] erkki@mapsystem FATAL: password authentication failed for user "erkki"
176.x.x.x (56547) 2021-03-24 12:56:19 EET [1892948] erkki@mapsystem DETAIL: Role "erkki" does not exist.
Connection matched pg_hba.conf line 96: "hostssl all all 0.0.0.0/0 scram-sha-256"
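A triage script for the log pattern in this report, added here as an example and not part of the original issue, QGIS or fail2ban: it pairs each FATAL line with its DETAIL line by backend PID and shows, per client host, whether the failures name one non-existent role (the libpq fallback to the OS account described in this thread) or a spread of roles. The prefix layout is copied from the excerpt above; the sample lines, the role names other than erkki, and the "Password does not match" DETAIL wording are assumptions.

```python
import re
from collections import defaultdict

# Prefix layout taken from the excerpt in the issue: host (port) timestamp [pid] user@db LEVEL: message
LINE = re.compile(r'^(?P<host>\S+) \(\d+\) \S+ \S+ \S+ \[(?P<pid>\d+)\] \S*@\S* '
                  r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$')
FAILED = re.compile(r'password authentication failed for user "([^"]+)"')
NO_ROLE = re.compile(r'Role "[^"]+" does not exist')

# Constructed sample: documentation addresses, made-up PIDs; role names other than erkki are invented.
SAMPLE_LOG = '''\
203.0.113.7 (56547) 2021-03-24 12:56:19 EET [1001] erkki@mapsystem FATAL: password authentication failed for user "erkki"
203.0.113.7 (56547) 2021-03-24 12:56:19 EET [1001] erkki@mapsystem DETAIL: Role "erkki" does not exist.
Connection matched pg_hba.conf line 96: "hostssl all all 0.0.0.0/0 scram-sha-256"
203.0.113.7 (56550) 2021-03-24 12:56:21 EET [1002] erkki@mapsystem FATAL: password authentication failed for user "erkki"
203.0.113.7 (56550) 2021-03-24 12:56:21 EET [1002] erkki@mapsystem DETAIL: Role "erkki" does not exist.
198.51.100.9 (40100) 2021-03-24 13:01:02 EET [1003] gis_admin@mapsystem FATAL: password authentication failed for user "gis_admin"
198.51.100.9 (40100) 2021-03-24 13:01:02 EET [1003] gis_admin@mapsystem DETAIL: Password does not match for user "gis_admin".
198.51.100.9 (40101) 2021-03-24 13:01:03 EET [1004] root@mapsystem FATAL: password authentication failed for user "root"
198.51.100.9 (40101) 2021-03-24 13:01:03 EET [1004] root@mapsystem DETAIL: Role "root" does not exist.
'''

def triage(log_text):
    """Pair each FATAL with its DETAIL line by backend PID; count failures per client host."""
    pending = {}  # pid -> (host, role) still waiting for its DETAIL line
    hosts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation text such as "Connection matched pg_hba.conf line ..."
        failed = FAILED.search(m["msg"])
        if m["level"] == "FATAL" and failed:
            pending[m["pid"]] = (m["host"], failed.group(1))
        elif m["level"] == "DETAIL" and m["pid"] in pending:
            host, role = pending.pop(m["pid"])
            kind = "missing_role" if NO_ROLE.search(m["msg"]) else "existing_role"
            hosts[host][kind][role] += 1
    for host, role in pending.values():  # FATAL with no DETAIL line in the excerpt
        hosts[host]["unclassified"][role] += 1
    return {h: {k: dict(r) for k, r in kinds.items()} for h, kinds in hosts.items()}

def single_missing_role(summary):
    """Heuristic: every failure from this host names one role, and that role does not exist."""
    return set(summary) == {"missing_role"} and len(summary["missing_role"]) == 1

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOG).items():
        print(host, summary, "single missing role:", single_missing_role(summary))
```

The heuristic only sorts hosts for review; a host that repeats one non-existent role is worth checking for a client connecting without an explicit username before the ban threshold is tuned.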