Am 25.06.2025 um 01:20 schrieb Greg Sabino Mullane:
> On Mon, Jun 23, 2025 at 2:45 PM raphi <raphi@crashdump.ch> wrote:
>
> As of now though we cannot use PG for any PCI/DSS certified
> application
> because we can't enforce either complexity nor regular password
> changes,
>
>
> You can, and many, many companies do, but you need a modern auth
> system like Kerberos. Even if we were to put something into Postgres
> today (and given the MFA and re-use requirements, it's near
> impossible), PCI DSS keeps evolving and getting stricter, so keeping
> up with it would get harder with each release.
>
> Can I do something to help bringing these feature into PG? My C
> knowledge is very limited so I won't be able to provide a patch
> but I'd be more than happy to test it.
>
>
> Your energy would be much better used in bringing Kerberos into your
> organization. :)
>
Well as said, we have LDAP and IAM widely in use for everything except
database access. It's the IAM part that's making it difficult for us to
implement it for PG application/user roles, this wouldn't change by
using Kerberos instead of LDAP. I thought we'll get the exception from
our security to use IAM roles instead of physical persons defined as the
owner of the PG accounts but now they are against it. Main reason is
because they are looking into a completely different solution with
Vault, which would fix some other issues and make it more robust towards
PCI, and they prefer a solution for everything rather than making
another exception. But we are speaking about years here, 2027 earliest
and they haven't even talked to us yet how this would work with PG, only
other DB products.
have fun,
raphi
