Date: Sun, 29 Jun 2025 15:32:10 +0200
From: "Peter J. Holzer"
To: pgsql-general@lists.postgresql.org
Subject: Re: password rules
Message-ID: <20250629133210.gz5sgetyea6pmd3j@hjp.at>

On 2025-06-28 18:06:51 +0200, raphi wrote:
> On 28.06.2025 at 15:59, Peter J. Holzer wrote:
> > On 2025-06-27 19:00:36 +0200, raphi wrote:
> >
> > > It's the application's password that we want to ensure that it is
> > > complex and gets changed after we set an initial password for it.
> > Why let a human change that at all? Couldn't you just create a suitable
> > random password at deployment time? (And then automatically every n
> > months if you want to rotate it.)
> >
> Because someone has to configure the password in the application, mostly
> within WLS or Tomcat

Yeah, my aim would be to eliminate that "somebody" and automate it with
an ansible playbook (or whatever).

> and that's definitely not something that we DBA want to touch, that's
> the devs' job. Which means we would have to provide some mechanism for
> the application to grab the password, say from a file or something,
> which has its own pitfalls. Not to mention that we DBA usually don't
> want to know any application passwords.

If it's automated the DBA wouldn't know the password. The playbook would
generate a random password, create the user in the database and create
an XML file for Tomcat[1] with the connection details (including the
password). It seems to me that this would be a relatively simple change
to your existing "database self service" mechanism.

> The only feasible way to implement this is with HashiCorp Vault or
> something similar, then no one knows the password, neither DBA nor Dev
> and it would be guaranteed that it's complex.

That's another possibility. Might be a bit more complex, but I've never
used it so I don't really know.

        hjp

[1] There are probably different methods, but wherever I see Java, I
    also see XML ;-)

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
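The automation Peter describes (generate a random password, create the database user, write the Tomcat XML) as an added Python example; this is not code from the thread or from either poster. It goes one step beyond the mail by handing PostgreSQL a pre-computed SCRAM-SHA-256 verifier instead of the plaintext, so the password never transits to the server or lands in its logs. The role, database and host names are assumptions.

```python
"""Added example, not code from the thread: the provisioning step Peter sketches,
with a pre-computed SCRAM-SHA-256 verifier so the plaintext never reaches the server."""
import base64
import hashlib
import hmac
import secrets
import string
from xml.sax.saxutils import quoteattr

SCRAM_ITERATIONS = 4096  # PostgreSQL's default iteration count for SCRAM-SHA-256

def random_password(length: int = 32) -> str:
    """CSPRNG password over [A-Za-z0-9]; 32 chars is about 190 bits of entropy."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def scram_sha256_verifier(password: str, salt: bytes, iterations: int = SCRAM_ITERATIONS) -> str:
    """Verifier in the form PostgreSQL stores in pg_authid.rolpassword.
    The generated password is plain ASCII, so SASLprep is a no-op here."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def create_role_sql(role: str, verifier: str) -> str:
    """CREATE ROLE with identifier and literal quoted; PostgreSQL stores a verifier as-is."""
    ident = '"' + role.replace('"', '""') + '"'
    literal = "'" + verifier.replace("'", "''") + "'"
    return f"CREATE ROLE {ident} LOGIN PASSWORD {literal};"

def tomcat_resource_xml(role: str, password: str, dbname: str, host: str) -> str:
    """<Resource> element for Tomcat's context.xml; every attribute is XML-escaped."""
    url = f"jdbc:postgresql://{host}:5432/{dbname}?sslmode=verify-full"
    return ('<Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource"\n'
            '          driverClassName="org.postgresql.Driver"\n'
            f'          url={quoteattr(url)} username={quoteattr(role)} '
            f'password={quoteattr(password)}/>')

def provision(role: str, dbname: str, host: str) -> tuple[str, str]:
    """One self-service run: (SQL for the DBA side, XML for the Tomcat side)."""
    password = random_password()
    verifier = scram_sha256_verifier(password, secrets.token_bytes(16))
    return create_role_sql(role, verifier), tomcat_resource_xml(role, password, dbname, host)

if __name__ == "__main__":  # constructed names, not from the thread
    sql, xml = provision("app_user", "appdb", "db.example.invalid")
    print(sql, xml, sep="\n")
```

The XML fragment should be written owner-only for the Tomcat user and the SQL run over a TLS connection as the DBA role; both are deployment details the mail does not spell out.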