On 3/16/16 9:00 AM, Michael Paquier wrote: > On Tue, Mar 15, 2016 at 6:38 PM, David Steele <da...@pgmasters.net> wrote: > >> 1) I see that rolvaliduntil is still in pg_authid: >> I think that's OK if we now define it to be "role validity" (it's still >> password validity in the patched docs). I would also like to see a >> validuntil column in pg_auth_verifiers so we can track password >> expiration for each verifier separately. For now I think it's enough to >> copy the same validity both places since there can only be one verifier. > > FWIW, this is an intentional change, and my goal is to focus on only > the protocol aging for now. We will need to move rolvaliduntil to > pg_auth_verifiers if we want to allow rolling updates of password > verifiers for a given role, but that's a different patch, and we need > to think about the SQL interface carefully. This infrastructure makes > the move easier by the way to do that, and honestly I don't really see > what we gain now by copying the same value to two different system > catalogs.
Here's my thinking. If validuntil is moved to pg_auth_verifiers now then people can start using it there. That will make it less traumatic when/if validuntil in pg_authid is removed later. The field in pg_authid could be deprecated in this release to let people know not to use it. Or, as I suggested it could be recast as role validity, which right now happens to be the same as password validity. >> 2) I don't think the column naming in pg_auth_verifiers is consistent >> with other catalogs: >> postgres=# select * from pg_auth_verifiers; >> roleid | verimet | verival >> --------+---------+------------------------------------- >> 16387 | m | md505a671c66aefea124cc08b76ea6d30bb >> 16388 | p | testu >> >> System catalogs generally use a 3 character prefix so I would expect the >> columns to be (if we pick avr as a prefix): > > OK, this makes sense. > >> avrrole >> avrmethod >> avrverifier > > Assuming "ver" is the prefix, we get: verroleid, vermethod, vervalue. > I kind of like those ones, more than with "avr" as prefix actually. > Other ideas are of course welcome. ver is fine as a prefix. >> 3) rolpassword is still in pg_shadow even though it is not useful anymore: >> postgres=# select usename, passwd, valuntil from pg_shadow; >> >> usename | passwd | valuntil >> ---------+----------+------------------------ >> vagrant | ******** | >> test | ******** | >> testu | ******** | 2017-01-01 00:00:00+00 >> >> If anyone is actually using this column in a meaningful way they are in >> for a nasty surprise when trying use the value in passwd as a verifier. >> I would prefer to drop the column entirely and produce a clear error. >> >> Perhaps a better option would be to drop pg_shadow entirely since it >> seems to have no further purpose in life. > > We discussed that on the previous thread and the conclusion was to > keep pg_shadow, but to clobber the password value with "***", > explaining this choice: > http://www.postgresql.org/message-id/6174.1455501...@sss.pgh.pa.us Ah, I missed that one. -- -David da...@pgmasters.net -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
