Re: initdb recommendations
Jonathan S. Katz <jkatz@postgresql.org>
From: "Jonathan S. Katz" <jkatz@postgresql.org>
To: Stephen Frost <sfrost@snowman.net>
Cc: Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>,
Tom Lane <tgl@sss.pgh.pa.us>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2019-05-24T13:13:42Z
Lists: pgsql-hackers, pgsql-docs
On 5/24/19 9:01 AM, Stephen Frost wrote: > Greetings, > > * Jonathan S. Katz (jkatz@postgresql.org) wrote: >> On 5/24/19 8:33 AM, Stephen Frost wrote: >>> We need to provide better documentation about how to get from md5 to >>> SCRAM, in my view. I'm not sure where that should live, exactly. >>> I really wish we had put more effort into making the migration easy to >>> do over a period of time, and we might actually have to do that before >>> the packagers would be willing to make that change. >> >> +100...I think we should do this regardless, and I was already thinking >> of writing something up around it. I would even suggest that we have >> said password upgrade documentation backpatched to 10. > > Not sure that backpatching is necessary, but I'm not actively against > it. Well, for someone who wants to cut over and has to manually guide the process, a guide will help in absence of new development. > > What I was really getting at though was the ability to have multiple > authenticator tokens active concurrently (eg: md5 AND SCRAM), with an > ability to use either one (idk, md5_or_scram auth method?), and then > automatically set both on password change until everything is using > SCRAM and then remove all MD5 stuff. > > Or something along those lines. In other words, I'm talking about new > development work to ease the migration (while also providing some oft > asked about features, like the ability to do rolling passwords...). Cool, I have been thinking about a similar feature as well to help ease the transition (and fwiw was going to suggest it in my previous email). I think an interim step at least is to document how we can at least help ease the transition. Thanks, Jonathan
Commits
-
initdb: Change authentication defaults
- 09f08930f0f6 13.0 landed