[PR #16532] [CLOSED] fix: implement Aurora PostgreSQL password authentication for OWUI #63019

Closed
opened 2026-05-06 07:32:26 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/16532
Author: @RCastillo-Clave
Created: 8/12/2025
Status: Closed

Base: main ← Head: feature/add-aws-rds-certificates


📝 Commits (10+)

  • 9c8e401 feat(owui): Update package dependencies and add READMEs. Fixes issue #1.
  • 95f05ab fix(ci): Increase Node.js memory for frontend build
  • cad1298 Silent test commit
  • 79caf9d build: Ignore docker build artifact
  • 3a371e7 Feature: modify Dockerfile to generate an authn token to the DB
  • 714a762 Merge branch 'open-webui:main' into feature/owui-db-support
  • 6825620 Merge pull request #1 from clavesec/feature/owui-db-support
  • 8c9e50b Enable VSCode debugging for Open WebUI in Docker
  • b1e0609 fix: dockerfile and entrypoint for debugging in VSCode
  • 3b5bab4 fix: merge feat/vscode-docker-debug for local Docker debugging rig

📊 Changes

30 files changed (+2807 additions, -90 deletions)

View changed files

📝 .gitignore (+6 -0)
.vscode/launch.json (+24 -0)
AWS_INTEGRATION_MEMO_FOR_TOM.md (+432 -0)
DATABASE_VERIFICATION_QUERIES.sql (+263 -0)
DEBUG_OUTPUT_ANALYSIS_GUIDE.md (+273 -0)
DOCKER_BUILD_TEST_INSTRUCTIONS.md (+216 -0)
📝 Dockerfile (+44 -4)
📝 README.md (+3 -0)
backend/docker-entrypoint.sh (+119 -0)
backend/open_webui/README_IAM_DB.md (+15 -0)
📝 backend/open_webui/env.py (+14 -0)
📝 backend/open_webui/internal/db.py (+77 -6)
📝 backend/open_webui/internal/wrappers.py (+47 -4)
📝 backend/open_webui/main.py (+4 -1)
📝 backend/open_webui/migrations/env.py (+30 -1)
backend/open_webui/migrations/versions/c4a3b2d1e0f_add_encryption_fields_to_user.py (+35 -0)
📝 backend/open_webui/models/auths.py (+122 -32)
backend/open_webui/models/db_encryption_shim.py (+221 -0)
📝 backend/open_webui/models/users.py (+95 -36)
📝 backend/open_webui/retrieval/vector/dbs/pgvector.py (+31 -3)

...and 10 more files

📄 Description

Summary

Implement PostgreSQL password authentication for OWUI connecting to Aurora in air-gapped environments, replacing IAM authentication that was incompatible with SSL-disabled connections.

Key Changes

  • Authentication: Switch from IAM tokens to password-based authentication
  • SSL Configuration: Disable SSL to work with Aurora password auth
  • Docker Improvements: Fix user handling and static file permissions
  • Certificate Handling: Add AWS RDS CA bundle for future SSL support
  • Database Connection: Comprehensive connection debugging and error handling

Technical Details

Authentication Changes

  • Disable ENABLE_AWS_RDS_IAM in favor of password extraction from secrets
  • Add password URL-encoding to handle special characters
  • Maintain backward compatibility with local SQLite development

Docker & Deployment

  • Fix Docker user consistency (USER $UID:$GID instead of hardcoded USER 1000)
  • Resolve static file permission issues
  • Add comprehensive SSL environment debugging
  • Include AWS CLI v2 for future IAM auth support

Database Connection

  • Add connection timeout configuration (PGCONNECT_TIMEOUT)
  • Implement detailed Peewee migration debugging
  • Support both PostgreSQL and SQLite environments
  • Proper certificate path handling for Aurora TLS

Air-Gapped Environment Support

  • Disable tiktoken downloads at runtime
  • Add certificate bundle for offline SSL validation
  • Comprehensive debugging for connection troubleshooting

Files Changed

  • Dockerfile - User handling, certificate installation, AWS CLI
  • backend/docker-entrypoint.sh - Password authentication logic
  • backend/open_webui/env.py - SSL configuration variables
  • backend/open_webui/internal/db.py - Migration debugging, connection handling
  • backend/open_webui/internal/wrappers.py - SSL parameter support
  • backend/open_webui/main.py - Import debugging

Testing

  • Database password authentication working
  • OWUI container starts successfully
  • PostgreSQL connection established
  • Migration debugging in progress

Security Notes

  • Passwords properly URL-encoded and logged securely
  • Certificate paths configured for TLS support
  • Debug logging includes sensitive data masking

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
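An added example, not code from this PR: one way to do the password URL-encoding, certificate path handling and masked logging that the description lists. The function names, host, credentials and CA bundle path are constructed for illustration; `sslmode`, `sslrootcert` and `connect_timeout` are standard libpq connection parameters.

```python
from urllib.parse import quote, unquote, urlencode, urlsplit, urlunsplit


def build_pg_url(user, password, host, port, dbname, ca_bundle=None, timeout=10):
    """Build a postgresql:// URL with user and password percent-encoded."""
    # safe="" encodes every reserved character, including '/', '@', ':' and '#',
    # any of which would otherwise change how the URL is split.
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    params = {"connect_timeout": str(timeout)}
    if ca_bundle:
        # verify-full checks the server chain against sslrootcert and the host name.
        params["sslmode"] = "verify-full"
        params["sslrootcert"] = ca_bundle
    else:
        # No CA bundle supplied: TLS off, the setting the PR description uses.
        params["sslmode"] = "disable"
    path = quote(dbname, safe="")
    return f"postgresql://{userinfo}@{host}:{port}/{path}?{urlencode(params)}"


def mask_url(url):
    """Return the URL with the password replaced, suitable for debug logs."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url  # no password component to hide
    user = userinfo.split(":", 1)[0]
    masked = f"{user}:***@{hostport}"
    return urlunsplit((parts.scheme, masked, parts.path, parts.query, parts.fragment))


def parse_back(url):
    """Return (hostname, decoded password) as a URL parser sees them."""
    parts = urlsplit(url)
    return parts.hostname, unquote(parts.password or "")


if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    secret = "p@ss/w:rd#%"
    naive = f"postgresql://app_user:{secret}@db.example.internal:5432/owui"
    print("naive parse :", parse_back(naive))  # host and password are both wrong
    url = build_pg_url("app_user", secret, "db.example.internal", 5432, "owui",
                       ca_bundle="/etc/ssl/certs/rds-ca-bundle.pem")
    print("encoded     :", parse_back(url))
    print("log line    :", mask_url(url))
```
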

GiteaMirror added the pull-request label 2026-05-06 07:32:26 -05:00
Reference: github-starred/open-webui#63019