From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Greg Stark <stark(at)mit(dot)edu>, Robert Haas <robertmhaas(at)gmail(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: WIP: SCRAM authentication |
Date: | 2015-09-04 20:51:33 |
Message-ID: | 20150904205133.GB3685@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Bruce,
* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Aug 18, 2015 at 09:30:39PM +0100, Greg Stark wrote:
> > > OK, that's an interesting argument. If SCRAM supports multiple
> > > password verifiers, and we support SCRAM, then I guess we should
> > > probably do that, too. I still don't like it all that much, though.
> > > I think it's absolutely inevitable that people are going to end up
> > > with an account with 3 or more different passwords that can all be
> > > used to log into it, and that won't be good. How do other systems
> > > avoid this pitfall?
> >
> > Fwiw having multiple passwords would make automated credential
> > rotations *so* much easier. Heroku has a really baroque solution to
> > this problem in Postgres involving creating new child roles and
> > swapping them around. My team in Google wasted many man hours dealing
> > with fallout from the quarterly password rotations.
>
> Coming in late, but can you explain how multiple passwords allow for
> easier automated credential rotation? If you have five applications
> with stored passwords, I imagine you can't change them all at once, so
> with multiples you could change it on one, then go to the others and
> change it there, and finally, remove the old password. Is that the
> process? I am not realizing that without multiple plasswords, this is a
> hard problem.
That's exactly the process if multiple passwords can be used. If
there's only one account and one password supported then you have to
change all the systems all at once and that certainly can be a hard
problem.
One way to deal with this is to have a bunch of different accounts, but
that's certainly not simple either and can get quite painful.
Thanks!
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Tomas Vondra | 2015-09-04 21:03:31 | Re: PATCH: index-only scans with partial indexes |
Previous Message | Tom Lane | 2015-09-04 20:47:58 | Re: What is the length of tuple with a TOAST pointer? |