Thread

  1. Re: Periodic authorization expiration checks using GoAway message

    Bruce Momjian <bruce@momjian.us> — 2025-12-23T21:59:21Z

    On Wed, Dec 10, 2025 at 10:20:46PM +0100, Jelte Fennema-Nio wrote:
    > On Wed, 10 Dec 2025 at 21:02, Jacob Champion
    > <jacob.champion@enterprisedb.com> wrote:
    > >
    > > (To call it out explicitly: I work with Ajit, and I asked him to take
    > > a look at GoAway, and I'm particularly interested in the
    > > "reauthenticate or else" case. Let me know if any of that is
    > > problematic -- or if anyone's worried that it will become so -- so I
    > > can course-correct sooner rather than later.)
    > 
    > I think password rollover without downtime requires more thought than
    > discussed in this thread so far. Currently the simplest way (that I
    > know of) to roll over passwords without downtime is to have two users
    > that you can switch between, and one has been configured with:
    > ALTER USER b SET ROLE = a;
    > 
    > So both effectively log in as a.
    
    I have often thought we should allow two passwords for each user for
    such password rotation purposes.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        https://momjian.us
      EDB                                      https://enterprisedb.com
    
      Do not let urgent matters crowd out time for investment in the future.
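
The two-login rollover described in the quoted message, written out as an added example that is not part of the thread. The role names a and b and the ALTER USER line come from the message; the passwords are constructed placeholders, and the GRANT is an assumption about what the SET ROLE default needs in order to take effect.

```sql
-- One-time setup: a holds the privileges, b is a second login that becomes a.
CREATE ROLE a LOGIN PASSWORD 'placeholder-a-1';   -- constructed placeholder
CREATE ROLE b LOGIN PASSWORD 'placeholder-b-1';   -- constructed placeholder
GRANT a TO b;                  -- assumption: b must be a member of a
ALTER USER b SET ROLE = a;     -- from the message: sessions of b run as a

-- Check from a session logged in as b: expect session_user = b, current_user = a.
SELECT session_user, current_user;

-- Rotation, starting from the state where clients log in as a.
-- 1. Set a fresh password on the login that is currently idle.
--    (psql's \password avoids sending the cleartext in the statement.)
ALTER ROLE b PASSWORD 'placeholder-b-2';

-- 2. Deploy "user b + new password" to clients. Logins as a keep working
--    during the rollout, so there is no downtime.

-- 3. See which login the open sessions used before retiring the old secret.
SELECT usename, count(*) AS sessions
FROM pg_stat_activity
WHERE usename IN ('a', 'b')
GROUP BY usename;

-- 4. Once no client still depends on a's old password, replace it.
--    This blocks new logins with the old secret; sessions that are
--    already open are not closed by a password change.
ALTER ROLE a PASSWORD 'placeholder-a-2';

-- The next rotation runs the same steps with a and b swapped.
```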