Re: Valid until

On 5/18/24 03:09, Rama Krishnan wrote:
Reply to list also.
Ccing list
>
> Hi Adrian,
>
> I have modified the pg_hba entry from trust to md5 like below
>
> ```
> local   all             all                                     md5

That would be the issue. trust ignores the password check.

>
> ```
>
>
> When i have tired with postgres user I am able to connect

Which is expected as postgres does not have a 'valid until' restriction.

>
>
> [postgres(at)postgres16 data]$ psql -U postgres -d postgres
> Password for user postgres:
> psql (16.2)
> Type "help" for help.
>
>
>
> postgres=# \du
>                               List of roles
>  Role name  |                         Attributes
> ------------+------------------------------------------------------------
>  pgbackrest | Replication
>  postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS
>  test       | Password valid until 2023-05-13 00:00:00+00
>  user_name  | Password valid until 2024-05-13 00:00:00+00
>
>
>
> But when i tried with test or user_name user  even though I am passing
> the correct value I am getting this error

Again as expected as the 'valid until' timestamp is in the past.

>
>
> ```
> [postgres(at)postgres16 data]$ psql -U test -d postgres
> Password for user test:
> psql: error: connection to server on socket
> "/run/postgresql/.s.PGSQL.5432" failed: FATAL:  password authentication
> failed for user "test"
>
> postgres=# \c  postgres user_name
> Password for user user_name:
> connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed:
> FATAL:  password authentication failed for user "user_name"
>
> ```
>
> Once i done the changes the valid until expiration date
>
> ```
>
> postgres=# alter user test VALID UNTIL '2024-05-19';
> ALTER ROLE
>
> postgres=> \du
>                               List of roles
>  Role name  |                         Attributes
> ------------+------------------------------------------------------------
>  pgbackrest | Replication
>  postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS
>  test       | Password valid until 2024-05-19 00:00:00+00
>  user_name  | Password valid until 2024-05-13 00:00:00+00
> ```
>
> Finally it allows to connect test

Which is correct as the 'valid until' timestamp is in the future.

>
> ```
>
> [postgres(at)postgres16 data]$ psql -d postgres -U test
> Password for user test:
> psql (16.2)
>
> ```
>
> I believe this is a expected output of validunitl , Please correct me if
> i m wrong

The behavior is as referenced in the documentation:

https://www.postgresql.org/docs/current/sql-createrole.html

VALID UNTIL 'timestamp'

The VALID UNTIL clause sets a date and time after which the role's
password is no longer valid. If this clause is omitted the password will
be valid for all time.

>
>
> Regards
>
> A.Rama Krishnan
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com