Wolff, Ken L <ken.l.wolff@xxxxxxxx> writes:

> As Stephen states, even some basic functionality in this regard would go a long way. Perhaps something could be built into the postgresql-contrib RPM? Right now the only way I see is to write a hook, which involves changing source code, which then puts us into the situation of (1) maintaining our own code tree and (2) figuring out how to produce a new set of RPMs.
>
> I realize Postgres is a community project and that there are a great number of other valuable feature/enhancement requests in the queue. Just adding my $.02 here.
>

The problem here is that everyone has valid points. Tom is quite correct that this sort of security policy really needs to be implemented in a single central location, such as LDAP, AD or some other IAM middleware. Having security policies implemented separately in different systems is where failures creep in and why maintenance becomes a problem.

Where Tom's solution fails is with smaller companies that cannot afford this level of infrastructure. They can still fall victim to the same level of regulatory bureaucracy, but without the necessary level of technical resources of larger organisations. For these organisations, basic facilities, like the ability to lock an account after a certain number of failed login attempts for a period of time is a very useful feature.

My suggestion would be to develop the basic requirements and contribute the result to Postgres. This would give back to the community and eliminate the need to maintain separate code in the long-term. The cost of paying for extra resources to do this development and maintenance is still going to be less than the licensing costs for that commercial competitor. Just requesting the facility is unlikely to result in any acceptable outcome within any reasonable time frame.

If your security people are really on top of their game, they will be providing you with a security architecture which fulfils the enterprise architecture requirements and which centralises IAM management. This is really the only truly secure solution which guarantees access is removed from all systems in a timely manner, enables effective logging and auditing of access, ensures consistent application of security policy and allows consistent response to security incidents and events. While requiring additional resources to establish, it does tend to result in reduced maintenance costs in the longer term.

--
Tim Cross