Re: [PoC/RFC] Multiple passwords, interval expirations

On Sun, Oct 8, 2023 at 10:50:15AM -0700, Gurjeet Singh wrote:
> On Sun, Oct 8, 2023 at 10:29 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> >
> > I was speaking of autoremoving in cases where we are creating a new one,
> > and taking the previous new one and making it the old one, if that was
> > not clear.
>
> Yes, I think I understood it differently. I understood it to mean that
> this behaviour would apply to all passwords, those created by existing
> commands, as well as to those created by new commands for rollover use
> case. Whereas you meant this autoremove behaviour to apply only to
> those passwords created by/for rollover related commands. I hope I've
> understood your proposal correctly this time around :-)

Yes, it is only during the addition of a new password when the previous
new password becomes the new old password. The previous old password
would need to have an rolvaliduntil in the past.

> I believe the passwords created by rollover feature should
> behave by the same rules as the rules for passwords created by
> existing CREATE/ALTER ROLE commands. If we implement the behaviour to
> delete expired passwords, then I believe that behaviour should apply
> to all passwords, irrespective of which command/feature was used to
> create a password.

This would only apply when we are moving the previous new password to
old and the old one is removed.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.