We're Hiring!

Mattermost, Inc.

Postgres connection settings

When connecting to a PostgreSQL database, what is allowed for the password? Currently only unencrypted passwords with limited special characters are accepted. This is on the Mattermost side of the connection.

vers mm 5.23 postgres 9.5

Could any of these docs help?

Amy,

Thanks but they all show the password used in the config.json Data connection string as not encrypted.

So not a solution.

James

Hello, @jhemrick

Based on my understanding, your concern here is that the password stored in config.json is plaintext and unencrypted. For example:

ahmaddanial@mattermost:/opt/mattermost/logs$ cat /opt/mattermost/config/config.json | grep -w "DataSource"
        "DataSource": "mattermost:P@55W0rD123!@tcp(danial.mattermost.com)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",

In this example, the password used for user mattermost to access the database is P@55W0rD123! and directly visible from config.json. What you are trying to achieve is to make that password encrypted. For example using MD5:

2a09952296350ae33d638cd654d13981

or other encryption types. Is that right?

Hi,

Yes, to have an encrypted password that may have special characters. Your password: P@55W0rD123! Could not be used as the @ symbol would throw it off configuration line.

``

``

Hi, @jhemrick

Got it. The one I provided above is just an example of what I guessed your requirement was.

I’ll reach out to the team internally to see if we have any plans on implementing this in the future. :+1:

Hello again, @jhemrick

Got the confirmation that you can use .pgpass file or an environment variable for security since you are on PostgreSQL. Perhaps those options would be something that you would like to consider?

Let me know your thoughts on this.

Ahmad,

Don’t see how the mattermost would link to th .pgpass file. My setup is mattermost on server 1, postgres is on server 2. Postgres is used by more than mattermost.

For security we cannot use passwords in the clear.

Jim

Hi @jhemrick,

There are off-the-shelf secret management solutions like Vault and many others which can be used to securely store passwords and other things. Typically, you would have an application provisioning layer which would get the passwords and all the things required to start an application, and then feed them to the application while starting it.

Coming to the .pgpass solution, the postgres library used by Mattermost would pick it up. It is a standard solution recommended by Postgres. All you need to have is the correct connection string in the .pgpass file with the right permissions. And then you can skip setting the password in your mattermost config.json. Mattermost will automatically use the .pgpass file and connect to your DB.

In case you need even stringent password management solutions, I would request you to look at Vault, or AWS KMS or any of the various solutions available in the market.

Thanks.

1 Like

HI ,

What would the connection string look like when referencing the pgpass file?

Thanks

I apologize for the delay. I don’t check this site often.

The connection string just won’t have the password set. Everything else will remain the same. The pgpass file need not be referenced anywhere. It is automatically picked up by the library.

1 Like