Re: [PoC/RFC] Multiple passwords, interval expirations

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Nathan Bossart <nathandbossart@gmail.com>, Gurjeet Singh <gurjeet@singh.im>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Stephen Frost <sfrost@snowman.net>, "Brindle, Joshua" <joshuqbr@amazon.com>, Jacob Champion <jchampion@timescale.com>
Date: 2023-10-06T20:46:01Z
Lists: pgsql-hackers
On Fri, Oct  6, 2023 at 01:20:03PM -0700, Jeff Davis wrote:
> The basic problem, as I see it, is: how do we keep users from
> accidentally dropping the wrong password? Generated unique names or

I thought we could auto-remove old password if the valid-until date is
in the past.  You would need a separate ALTER command to sets its date
in the past without that.  Also, defining a new password could require
setting the expiration date of the old password to make future additions
easier.

For pg_authid, I was thinking of columns:

	ADD	rolpassword_old
	ADD	rolvaliduntil_old
	EXISTS	rolpassword
	EXISTS	rolvaliduntil

I did blog about the password rotation problem and suggested
certificates:

	https://momjian.us/main/blogs/pgblog/2020.html#July_17_2020

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. MergeAttributes: convert pg_attribute back to ColumnDef before comparing