public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nathan Bossart <[email protected]>
To: Zsolt Parragi <[email protected]>
Cc: Japin Li <[email protected]>
Cc: Gilles Darold <[email protected]>
Cc: Yuefei Shi <[email protected]>
Cc: songjinzhou <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: liu xiaohui <[email protected]>
Cc: Steven Niu <[email protected]>
Subject: Re: Pasword expiration warning
Date: Thu, 29 Jan 2026 11:53:08 -0600
Message-ID: <aXuehKtwtUXWVFYp@nathan> (raw)
In-Reply-To: <CAN4CZFP4AGeO-AynwE3e62XOKqaYnXtcGT1qfj=6nw2t5FOXwA@mail.gmail.com>
References: <[email protected]>
<MEAPR01MB303142AEB3F47886C171194EB682A@MEAPR01MB3031.ausprd01.prod.outlook.com>
<CAD43U4WHJm=UkxbfhxQRxQRxtdtu7AGj77uO2fF78THQWCaYTg@mail.gmail.com>
<MEAPR01MB30319B858B3028CA38BEDC5EB682A@MEAPR01MB3031.ausprd01.prod.outlook.com>
<MN2PR15MB30212CEFE2F8B93C398FBF60A782A@MN2PR15MB3021.namprd15.prod.outlook.com>
<MEAPR01MB30319C7BB75B88028E1DB7E1B682A@MEAPR01MB3031.ausprd01.prod.outlook.com>
<[email protected]>
<CAN4CZFMBj-mZq_o8BtQz_TgqDTALbn31kc-SFtWE4FR1N-4RBw@mail.gmail.com>
<MEAPR01MB3031CF12043573A245D931AAB69EA@MEAPR01MB3031.ausprd01.prod.outlook.com>
<CAN4CZFP4AGeO-AynwE3e62XOKqaYnXtcGT1qfj=6nw2t5FOXwA@mail.gmail.com>
Sorry, I haven't been following the discussion, but I took a brief look at
the latest patch in the thread.
+ Controls how much time (in seconds) before a role's password expiration
+ a <literal>WARNING</literal> message is sent to the client upon successful
+ connection. It requires that a <command>VALID UNTIL</command> date is set
+ for the role. A value of <literal>0d</literal> disable this behavior. The
+ default value is <literal>7d</literal> and the maximum value <literal>30d</literal>.
I'm not sure we should subject folks to these warnings by default, and I
don't see a reason to restrict the maximum value to 30 days. IMHO we
should have this disabled by default and the maximum value should be
INT_MAX.
+ if (password_expire_warning > 0 && vuntil < PG_INT64_MAX)
+ {
+ TimestampTz result = (vuntil - now) / USECS_PER_SEC; /* in seconds */
+
+ if (result <= (TimestampTz) password_expire_warning)
+ {
+ MyClientConnectionInfo.warning_message =
+ psprintf(_("your password will expire in %d day(s)"),
+ (int) (result / SECS_PER_DAY));
+ }
+ }
nitpick: I suspect we could simplify this code a bit, but I haven't tried.
Also, IMO we should be more precise about the expiration time. There is a
reasonable difference between a password expiring in 1 second as opposed to
23 hours, 59 minutes, 59 seconds, but in both cases this message would say
"0 days". You might be able to borrow from psql/common.c's PrintTiming()
function to add more detail here.
+ /*
+ * Emit a warning message to the client when set, for example
+ * to warn the user that the password will expire.
+ */
+ if (MyClientConnectionInfo.warning_message)
+ ereport(WARNING, (errmsg("%s", MyClientConnectionInfo.warning_message)));
Having a variable for warning messages could come in handy later. For
example, we might add a warning about using MD5 passwords at some point.
In my draft patch for this [0], I put the warning after closing the
transaction, whereas this patch puts it just before. I'm not sure I had a
principled reason for doing so, but it's an interesting difference between
the two patches.
[0] https://postgr.es/m/attachment/177167/v2-0002-WIP-add-warning-upon-authentication-with-MD5-pass.patc...
--
nathan
view thread (27+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Pasword expiration warning
In-Reply-To: <aXuehKtwtUXWVFYp@nathan>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox