Re: password_rollover_time like Oracle
| От | Bruce Momjian |
|---|---|
| Тема | Re: password_rollover_time like Oracle |
| Дата | |
| Msg-id | ZnTphvVUrhiWipFp@momjian.us обсуждение исходный текст |
| Ответ на | Re: password_rollover_time like Oracle (Rui DeSousa <rui.desousa@icloud.com>) |
| Ответы |
Re: password_rollover_time like Oracle
|
| Список | pgsql-admin |
On Thu, Jun 20, 2024 at 08:53:02PM -0400, Rui DeSousa wrote: > It can be achieved by using roles and rolling accounts. Then the application > would need to update username/password before it expires to the new account/ > password. The only difference is rather than changing just the password the > account information also changes; however, no permissions are ever given > directly to the user account. I’ve been in an environments that have use this > approach — Just remember to create the new user and update the username/ > password before they expire. > > i.e. > > approle (A role with no login and all the application permissions) > > create user appuser202406 with inherit in role approle valid until '07/01/2024' > encrypted password 'xxxx’; > create user appuser202407 with inherit in role approle valid until '08/01/2024' > encrypted password ‘yyyy'; I can see that causing problems if you want to store CURRENT_USER in the database, perhaps for auditing. I guess you could call it user4_login12 and keep incrementing the login number, but that seems cumbersome. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
В списке pgsql-admin по дате отправления: