Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s8LMZ-00BvlG-2B for pgsql-general@arkaria.postgresql.org; Sat, 18 May 2024 14:48:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s8LMZ-006pfy-3F for pgsql-general@arkaria.postgresql.org; Sat, 18 May 2024 14:48:43 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s8LM0-006kcn-AO for pgsql-general@lists.postgresql.org; Sat, 18 May 2024 14:48:08 +0000 Received: from fhigh4-smtp.messagingengine.com ([103.168.172.155]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s8LLw-000tF5-5J for pgsql-general@postgresql.org; Sat, 18 May 2024 14:48:07 +0000 Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailfhigh.nyi.internal (Postfix) with ESMTP id AE11E11400AB; Sat, 18 May 2024 10:48:03 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Sat, 18 May 2024 10:48:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1716043683; x=1716130083; bh=pXIdn6F/8d6DG5aY5DzTVSNt32JXNtYU3Y+rCgUJpmw=; b= NtH2cgE1SQYpIe6PiDxxSpqo7K7BjPMoBXnlGvFk6hVhjY6tV2L6FkK3GZeArrgn zWFViYiPxFFzd/3dULA/QF4f2tr5ZsE0hyvSa+WDdbN/D5WFk9pIasDfWSDEnbEQ 8hsOiAspxDQJyS0ve9L4J62Jh9wQG13wC12qse3EFINKTYHJP1/dRLrBSEaKZrSQ TakL6I1n94xmhQl7gKFJbxr5+Iyya92028eE0Ehb3qZQANw9wQGtQZy2XtSpldBD WkZskpqEcjwGeOGGTgbA5ypRVGoUX23GBA80FNinX65KTPeYxy+vMTw+zApusz3z pNa+MlQsQAgAv4bi5FXRAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1716043683; x= 1716130083; bh=pXIdn6F/8d6DG5aY5DzTVSNt32JXNtYU3Y+rCgUJpmw=; b=T AZ7Peiyf8Pcawn90ki1T5OVp9GGNl8JZoLM922BmH0qLmSQYjLsOz86h7fOxCu0O qa0P/koUpYzku/IaWvK2hovfZd+9g/jHkjLDWnBtF71lDJ6S5/lzjOTvy9bEqYG8 vwsit39/FtE419uCrkeh9Ctt487tredBzBiWUXpAeKHWNwpnLD1PUjLWfo71EFLR A8BzKpodp/+tiS7pTsVu/zNqq3FmxE96PayCNw7pcmWyg2wRDnTHhnk1xP3vGWpC s10UWdmmWURA6H8id/ID781G7/UGILLJag6ua471NCLSvz4DhFi7V/ou7HMuuSAY xYGQtyalg2HrJ+XXWjTsg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdehiedgieehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfvefhjggtgfesth ekredttddvjeenucfhrhhomheptegurhhirghnucfmlhgrvhgvrhcuoegrughrihgrnhdr khhlrghvvghrsegrkhhlrghvvghrrdgtohhmqeenucggtffrrghtthgvrhhnpeeukeehhf fhhfefhedvvdeugeeujedvjeekfeefgeelfeeivdetjedtfeevkedtheenucffohhmrghi nhepphhoshhtghhrvghsqhhlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrg hrrghmpehmrghilhhfrhhomheprggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdr tghomh X-ME-Proxy: Feedback-ID: i76984098:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 18 May 2024 10:48:03 -0400 (EDT) Message-ID: <30b136fe-2b04-4251-96ea-0faf60acd5bf@aklaver.com> Date: Sat, 18 May 2024 07:48:02 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Valid until To: Rama Krishnan References: <7dff9a17-744d-437b-847c-18c161c8a901@aklaver.com> Content-Language: en-US Cc: pgsql-general From: Adrian Klaver In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 5/18/24 03:09, Rama Krishnan wrote: Reply to list also. Ccing list > > Hi Adrian, > > I have modified the pg_hba entry from trust to md5 like below > > ``` > local   all             all                                     md5 That would be the issue. trust ignores the password check. > > ``` > > > When i have tired with postgres user I am able to connect Which is expected as postgres does not have a 'valid until' restriction. > > > [postgres@postgres16 data]$ psql -U postgres -d postgres > Password for user postgres: > psql (16.2) > Type "help" for help. > > > > postgres=# \du >                               List of roles >  Role name  |                         Attributes > ------------+------------------------------------------------------------ >  pgbackrest | Replication >  postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS >  test       | Password valid until 2023-05-13 00:00:00+00 >  user_name  | Password valid until 2024-05-13 00:00:00+00 > > > > But when i tried with test or user_name user  even though I am passing > the correct value I am getting this error Again as expected as the 'valid until' timestamp is in the past. > > > ``` > [postgres@postgres16 data]$ psql -U test -d postgres > Password for user test: > psql: error: connection to server on socket > "/run/postgresql/.s.PGSQL.5432" failed: FATAL:  password authentication > failed for user "test" > > postgres=# \c  postgres user_name > Password for user user_name: > connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed: > FATAL:  password authentication failed for user "user_name" > > ``` > > Once i done the changes the valid until expiration date > > ``` > > postgres=# alter user test VALID UNTIL '2024-05-19'; > ALTER ROLE > > postgres=> \du >                               List of roles >  Role name  |                         Attributes > ------------+------------------------------------------------------------ >  pgbackrest | Replication >  postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS >  test       | Password valid until 2024-05-19 00:00:00+00 >  user_name  | Password valid until 2024-05-13 00:00:00+00 > ``` > > Finally it allows to connect test Which is correct as the 'valid until' timestamp is in the future. > > ``` > > [postgres@postgres16 data]$ psql -d postgres -U test > Password for user test: > psql (16.2) > > ``` > > I believe this is a expected output of validunitl , Please correct me if > i m wrong The behavior is as referenced in the documentation: https://www.postgresql.org/docs/current/sql-createrole.html VALID UNTIL 'timestamp' The VALID UNTIL clause sets a date and time after which the role's password is no longer valid. If this clause is omitted the password will be valid for all time. > > > Regards > > A.Rama Krishnan > -- Adrian Klaver adrian.klaver@aklaver.com