Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rTXpu-0042c7-OY for pgsql-hackers@arkaria.postgresql.org; Sat, 27 Jan 2024 01:50:23 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rTXov-003Xwy-IV for pgsql-hackers@arkaria.postgresql.org; Sat, 27 Jan 2024 01:49:21 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rTXov-003Xwq-94 for pgsql-hackers@lists.postgresql.org; Sat, 27 Jan 2024 01:49:21 +0000 Received: from mail-yb1-xb2e.google.com ([2607:f8b0:4864:20::b2e]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rTXon-003ulp-Ub for pgsql-hackers@lists.postgresql.org; Sat, 27 Jan 2024 01:49:20 +0000 Received: by mail-yb1-xb2e.google.com with SMTP id 3f1490d57ef6-dc64926af85so848134276.0 for ; Fri, 26 Jan 2024 17:49:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706320152; x=1706924952; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=X9V2QinQ8U+7YxIqYJxEmclnI8ZLxEoOI0ejrviXxCA=; b=C7el4w+X7BltmUCZRKOSyUppA8rv2YRfFniZmtlvc2HiFX99d+W5rMMsE5nt1CmjUH n0OVFnM+BTB+0Da6S2354MNzyZnvhRNIAYUkdvRnXtDr/gqhkfV+LM97OGcK6Xjtjfs1 PkqVSkfmOE+zbA5yxC+PLxFjYRIq4JsPAS0kcuWjjgox57DD1L9pas9lbqo1BMbYy0Rb D6a414/oOIBfBuBlRQFhyfzcE1AB06twuvYm2qyD0qU8HU57Bh+yHJ1fM9Lq0ZdHFNGD fpLnWFW3dXw1xJb1qVT8bPRsdRGrSSDw+j/gohF4Y69AzP1A5nNWGrDJzftYJaPpM682 6M3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706320152; x=1706924952; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=X9V2QinQ8U+7YxIqYJxEmclnI8ZLxEoOI0ejrviXxCA=; b=frgi2sTS+ji/oVaFiuapDWvuDKhWsCOz6c1FyTTBFLA9Upxt7v2WRS2O0pjRcEdom5 RR6yrKY94MpYbPfDlwiO2J1uhcb4ZcJsS1GqfZZRFPbmetV4A5zhxGivyOCs1TAxxIHf QkbmswjvCwTTjug7A0F/nRMzU6l852tB/aO+ziKn6MPREnaKqs0oVNUyAZ0ZGWLVCmta hJvIlDc2fpvWkK8pWNLvTSqZ0h3wDQsE9qCA74xgLeLAPyZ3J0o8I9OtKFZIcrBWyAcV QLf6T7ZdVkPN50OuW3xQDQzkN6FFpxoatmKR08M32ErsqFvbBXyp1svfPuFUi8Is7Ffk OC3Q== X-Gm-Message-State: AOJu0YzQMyk5GeQrqUajz51ZpE6pjkKryYXkYwGUx1Ac1/85jyLAqDgp IermFs4fVg4hcVnkNXZCWOV9YiDrjTx5Oj5bWBZbALO6Qae01FxRHI+A7Z5cIYhtM3DcPfvZ7bs wt4TfpgNOfBnmgba+SUB/BUDs/lw= X-Google-Smtp-Source: AGHT+IE8Q0qOBNtAsFBrdhEKOZerqDGU6HTztsoVCYxw6JS0sLfL3Wg3btbNHwu0QiGZdg+MTRC/xGzpxBgnZpkRzNE= X-Received: by 2002:a81:af20:0:b0:5ff:67be:1da with SMTP id n32-20020a81af20000000b005ff67be01damr711547ywh.92.1706320151707; Fri, 26 Jan 2024 17:49:11 -0800 (PST) MIME-Version: 1.0 References: <20220701002034.GA9030@tamriel.snowman.net> <80684017-18c6-4116-9249-bb049ffe1ecf@amazon.com> <41a690ee7b030e6f41709bd39375641ef934e05f.camel@j-davis.com> <20231005190453.GB151257@nathanxps13> <2644f1886c7f5e2691f837de138ac5c3a09a68f6.camel@j-davis.com> <3ba7717e5493f3c3b45127457f540b7811f6f6e1.camel@j-davis.com> In-Reply-To: From: vignesh C Date: Sat, 27 Jan 2024 07:18:59 +0530 Message-ID: Subject: Re: [PoC/RFC] Multiple passwords, interval expirations To: Gurjeet Singh Cc: Jeff Davis , Nathan Bossart , PostgreSQL Hackers , Stephen Frost , "Brindle, Joshua" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, 10 Oct 2023 at 16:37, Gurjeet Singh wrote: > > > On Mon, Oct 9, 2023 at 2:31=E2=80=AFAM Gurjeet Singh = wrote: > > > > > > Next steps: > > > - Break the patch into a series of smaller patches. > > > - Add TAP tests (test the ability to actually login with these passwo= rds) > > > - Add/update documentation > > > - Add more regression tests > > Please see attached the v4 of the patchset that introduces the notion > of named passwords slots, namely 'first' and 'second' passwords, and > allows users to address each of these passwords separately for the > purposes of adding, dropping, or assigning expiration times. > > Apart from the changes described by each patch's commit title, one > significant change since v3 is that now (included in v4-0002...patch) > it is not allowed for a role to have a mix of a types of passwords. > When adding a password, the patch ensures that the password being > added uses the same hashing algorithm (md5 or scram-sha-256) as the > existing password, if any. Having all passwords of the same type > helps the server pick the corresponding authentication method during > connection attempt. > > The v3 patch also had a few bugs that were exposed by cfbot's > automatic run. All those bugs have now been fixed, and the latest run > on the v4 branch [1] on my private Git repo shows a clean run [1]. > > The list of patches, and their commit titles are as follows: > > > v4-0001-...patch Add new columns to pg_authid > > v4-0002-...patch Update password verification infrastructure to handle = two passwords > > v4-0003-...patch Added SQL support for ALTER ROLE to manage two passwor= ds > > v4-0004-...patch Updated pg_dumpall to support exporting a role's secon= d password > > v4-0005-...patch Update system views pg_roles and pg_shadow > > v4-0006-...patch Updated pg_authid catalog documentation > > v4-0007-...patch Updated psql's describe-roles meta-command > > v4-0008-...patch Added documentation for ALTER ROLE command > > v4-0009-...patch Added TAP tests to prove that a role can use two passw= ords to login > > v4-0010-...patch pgindent run > > v4-0011-...patch Run pgperltidy on files changed by this patchset > > Running pgperltidy updated many perl files unrelated to this patch, so > in the last patch I chose to include only the one perl file that is > affected by this patchset. CFBot shows that the patch does not apply anymore as in [1]: =3D=3D=3D Applying patches on top of PostgreSQL commit ID 4d969b2f85e1fd00e860366f101fd3e3160aab41 =3D=3D=3D =3D=3D=3D applying patch ./v4-0002-Update-password-verification-infrastructure-to-ha.patch ... patching file src/backend/libpq/auth.c Hunk #4 FAILED at 828. Hunk #5 succeeded at 886 (offset -2 lines). Hunk #6 succeeded at 907 (offset -2 lines). 1 out of 6 hunks FAILED -- saving rejects to file src/backend/libpq/auth.c.= rej Please post an updated version for the same. [1] - http://cfbot.cputube.org/patch_46_4432.log Regards, Vignesh