| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Rui DeSousa <rui(dot)desousa(at)icloud(dot)com> |
| Cc: | Kashif Zeeshan <kashi(dot)zeeshan(at)gmail(dot)com>, James Pang <jamespang886(at)gmail(dot)com>, pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: password_rollover_time like Oracle |
| Date: | 2024-06-21 02:46:30 |
| Message-ID: | ZnTphvVUrhiWipFp@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Thu, Jun 20, 2024 at 08:53:02PM -0400, Rui DeSousa wrote:
> It can be achieved by using roles and rolling accounts. Then the application
> would need to update username/password before it expires to the new account/
> password. The only difference is rather than changing just the password the
> account information also changes; however, no permissions are ever given
> directly to the user account. I’ve been in an environments that have use this
> approach — Just remember to create the new user and update the username/
> password before they expire.
>
> i.e.
>
> approle (A role with no login and all the application permissions)
>
> create user appuser202406 with inherit in role approle valid until '07/01/2024'
> encrypted password 'xxxx’;
> create user appuser202407 with inherit in role approle valid until '08/01/2024'
> encrypted password ‘yyyy';
I can see that causing problems if you want to store CURRENT_USER in the
database, perhaps for auditing. I guess you could call it user4_login12
and keep incrementing the login number, but that seems cumbersome.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Rui DeSousa | 2024-06-21 03:13:16 | Re: password_rollover_time like Oracle |
| Previous Message | Naveed Iftikhar | 2024-06-21 01:35:01 | Monitoring Script for Postgres |