Re: [PoC/RFC] Multiple passwords, interval expirations

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: Jeff Davis <pgsql(at)j-davis(dot)com>
Cc: Gurjeet Singh <gurjeet(at)singh(dot)im>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, "Brindle, Joshua" <joshuqbr(at)amazon(dot)com>, Jacob Champion <jchampion(at)timescale(dot)com>
Subject: Re: [PoC/RFC] Multiple passwords, interval expirations
Date: 2023-10-06 19:26:31
Message-ID: 20231006192631.GA155099@nathanxps13
Lists: pgsql-hackers

On Thu, Oct 05, 2023 at 01:09:36PM -0700, Jeff Davis wrote:
> On Thu, 2023-10-05 at 14:04 -0500, Nathan Bossart wrote:
>> That way, we needn't restrict this feature to 2 passwords for
>> everyone.  Perhaps 2 should be the default, but in any case, IMO we
>> shouldn't design to only support 2.
>
> Are there use cases for lots of passwords, or is it just a matter of
> not introducing an artificial limitation?

I guess it's more of the latter. Perhaps one potential use case would be
short-lived credentials that are created on demand. Such a password might
only be valid for something like 15 minutes, and many users might have the
ability to request a password for the database role. I don't know whether
there is a ton of demand for such a use case, and it might already be
solvable by just creating separate roles. In any case, if there's general
agreement that we only want to target the rotation use case, that's fine by
me.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
