Re: Valid until

[Adrian Klaver <adrian.klaver@xxxxxxxxxxx>]

On 5/18/24 03:09, Rama Krishnan wrote:
Reply to list also.
Ccing list
> Hi Adrian,
>
> I have modified the pg_hba entry from trust to md5 like below
>
> ```
> local   all             all                                     md5

That would be the issue. trust ignores the password check.

> ```
>
>
> When i have tired with postgres user I am able to connect

Which is expected as postgres does not have a 'valid until' restriction.

> [postgres@postgres16 data]$ psql -U postgres -d postgres
> Password for user postgres:
> psql (16.2)
> Type "help" for help.
>
>
>
> postgres=# \du
>                                List of roles
>   Role name  |                         Attributes
> ------------+------------------------------------------------------------
>   pgbackrest | Replication
>   postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS
>   test       | Password valid until 2023-05-13 00:00:00+00
>   user_name  | Password valid until 2024-05-13 00:00:00+00
>
>
>
> But when i tried with test or user_name user  even though I am passing 
> the correct value I am getting this error

Again as expected as the 'valid until' timestamp is in the past.

> ```
> [postgres@postgres16 data]$ psql -U test -d postgres
> Password for user test:
> psql: error: connection to server on socket 
> "/run/postgresql/.s.PGSQL.5432" failed: FATAL:  password authentication 
> failed for user "test"
>
> postgres=# \c  postgres user_name
> Password for user user_name:
> connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed: 
> FATAL:  password authentication failed for user "user_name"
>
> ```
>
> Once i done the changes the valid until expiration date
>
> ```
>
> postgres=# alter user test VALID UNTIL '2024-05-19';
> ALTER ROLE
>
> postgres=> \du
>                                List of roles
>   Role name  |                         Attributes
> ------------+------------------------------------------------------------
>   pgbackrest | Replication
>   postgres   | Superuser, Create role, Create DB, Replication, Bypass RLS
>   test       | Password valid until 2024-05-19 00:00:00+00
>   user_name  | Password valid until 2024-05-13 00:00:00+00
> ```
>
> Finally it allows to connect test

Which is correct as the 'valid until' timestamp is in the future.

> ```
>
> [postgres@postgres16 data]$ psql -d postgres -U test
> Password for user test:
> psql (16.2)
>
> ```
>
> I believe this is a expected output of validunitl , Please correct me if 
> i m wrong

The behavior is as referenced in the documentation:

https://www.postgresql.org/docs/current/sql-createrole.html

VALID UNTIL 'timestamp'

    The VALID UNTIL clause sets a date and time after which the role's 
password is no longer valid. If this clause is omitted the password will 
be valid for all time.


> Regards
>
> A.Rama Krishnan


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx