Hi all,

Thank you for the updated patches.

On Tue, Jan 27, 2026 at 12:21 PM Gilles Darold <[email protected]> wrote:
>
> On 09/01/2026 at 10:04, Japin Li wrote:
> > Hi, Steven
> >
> > Thanks for the review.
> >
> > On Fri, 09 Jan 2026 at 07:36, Steven Niu <[email protected]> wrote:
> >> Hi, Japin,
> >>
> >> I reviewed the v9-0002-Add-TAP-test-for-password_expire_warning.patch
> >> and here are my comments:
> >>
> >> 1. I think we should add two more cases. One case is for the feature is
> >> disabled. And another is for no warning when >1d remaining.
> > Add in v10.
> >
> >> 2. The modification to pg_hba.conf is unnecessary as the default
> >> pg_hba.conf generated by initdb already allows local connections with
> >> appropriate methods.
> >> unlink($node->data_dir . '/pg_hba.conf');
> >> $node->append_conf('pg_hba.conf', "local all all scram-sha-256");
> > Yes, it allows local connections, but they are always in trust mode, so no
> > password is required (or used).
> >
> >> 3. Make the expected string to be more exact.
> >> qr/your password will expire in/);
> >> -->
> >> qr/your password will expire in 1d/);
> >>
> > Fixed. PFA.
> >
> > v10-0001 - No changes.
> > v10-0002 - Address review comments.
> >
>
> Here is a v11 version of the patch.
>
> v11-0001 - fix a miss on the typo fixes ( s/expire/expires/ in GUC
> description ) and add your name in the authors list.
>
> v11-0002 - Add a test with Infinity in VALID UNTIL value.

I went through the discussions and I applied the posted patches on the current master branch and have completed testing.

Firstly, the conceptual approach of adding a server-side password_expire_warning GUC in patch 0001 looks reasonable to me too, as it allows all clients to benefit from the warning.

Here, the password expiry enforcement is strictly tied to password-based authentication. With md5 authentication explicitly configured, expiry enforcement works as expected: login succeeds while the password is valid and fails with “password has expired” once the expiry timestamp is reached. This is confirmed via server logs showing the md5 authentication path being exercised. When non-password authentication methods (trust/peer) are used, password expiry is bypassed.

While expiry enforcement functions correctly after expiry, no advance warning is emitted prior to expiry in the baseline behavior, which matches the motivation for this change.

The approach in patch 0001 of adding a server-side password_expire_warning GUC and adding the corresponding TAP coverage in patch 0002 seems directionally correct.

Regards,
Soumya
