Re: [PoC/RFC] Multiple passwords, interval expirations - Mailing list pgsql-hackers
From | vignesh C |
---|---|
Subject | Re: [PoC/RFC] Multiple passwords, interval expirations |
Date | |
Msg-id | CALDaNm2=4afz6Tqgi6c+FL1h5Fofh34c4bHEEAUap84KSu3hJQ@mail.gmail.com |
In response to | Re: [PoC/RFC] Multiple passwords, interval expirations (Gurjeet Singh <gurjeet@singh.im>) |
Responses | Re: [PoC/RFC] Multiple passwords, interval expirations |
List | pgsql-hackers |
On Tue, 10 Oct 2023 at 16:37, Gurjeet Singh <gurjeet@singh.im> wrote:
>
> > On Mon, Oct 9, 2023 at 2:31 AM Gurjeet Singh <gurjeet@singh.im> wrote:
> > >
> > > Next steps:
> > > - Break the patch into a series of smaller patches.
> > > - Add TAP tests (test the ability to actually login with these passwords)
> > > - Add/update documentation
> > > - Add more regression tests
>
> Please see attached the v4 of the patchset that introduces the notion
> of named password slots, namely 'first' and 'second' passwords, and
> allows users to address each of these passwords separately for the
> purposes of adding, dropping, or assigning expiration times.
>
> Apart from the changes described by each patch's commit title, one
> significant change since v3 is that now (included in v4-0002...patch)
> it is not allowed for a role to have a mix of types of passwords.
> When adding a password, the patch ensures that the password being
> added uses the same hashing algorithm (md5 or scram-sha-256) as the
> existing password, if any. Having all passwords of the same type
> helps the server pick the corresponding authentication method during
> connection attempt.
>
> The v3 patch also had a few bugs that were exposed by cfbot's
> automatic run. All those bugs have now been fixed, and the latest run
> on the v4 branch [1] on my private Git repo shows a clean run [1].
>
> The list of patches, and their commit titles are as follows:
>
> > v4-0001-...patch Add new columns to pg_authid
> > v4-0002-...patch Update password verification infrastructure to handle two passwords
> > v4-0003-...patch Added SQL support for ALTER ROLE to manage two passwords
> > v4-0004-...patch Updated pg_dumpall to support exporting a role's second password
> > v4-0005-...patch Update system views pg_roles and pg_shadow
> > v4-0006-...patch Updated pg_authid catalog documentation
> > v4-0007-...patch Updated psql's describe-roles meta-command
> > v4-0008-...patch Added documentation for ALTER ROLE command
> > v4-0009-...patch Added TAP tests to prove that a role can use two passwords to login
> > v4-0010-...patch pgindent run
> > v4-0011-...patch Run pgperltidy on files changed by this patchset
>
> Running pgperltidy updated many perl files unrelated to this patch, so
> in the last patch I chose to include only the one perl file that is
> affected by this patchset.

CFBot shows that the patch does not apply anymore as in [1]:

=== Applying patches on top of PostgreSQL commit ID 4d969b2f85e1fd00e860366f101fd3e3160aab41 ===
=== applying patch ./v4-0002-Update-password-verification-infrastructure-to-ha.patch
...
patching file src/backend/libpq/auth.c
Hunk #4 FAILED at 828.
Hunk #5 succeeded at 886 (offset -2 lines).
Hunk #6 succeeded at 907 (offset -2 lines).
1 out of 6 hunks FAILED -- saving rejects to file src/backend/libpq/auth.c.rej

Please post an updated version for the same.

[1] - http://cfbot.cputube.org/patch_46_4432.log

Regards,
Vignesh
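The same-type rule from the quoted v4 summary (a second password must use the same hashing algorithm as the existing one), sketched as an added example that is not code from the patchset or from PostgreSQL. The names `classify` and `can_add_password` are hypothetical, the verifier shapes follow the documented `pg_authid` formats, and the sample verifiers are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef enum { PW_PLAINTEXT, PW_MD5, PW_SCRAM_SHA_256 } pw_type;

/* Constructed sample verifiers (shape only, not real credentials). */
static const char MD5_A[]   = "md50123456789abcdef0123456789abcdef";
static const char MD5_B[]   = "md5fedcba9876543210fedcba9876543210";
static const char SCRAM_A[] = "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy";

/* "md5" followed by exactly 32 lowercase hex digits. */
static int is_md5(const char *s)
{
    return strlen(s) == 35 && strncmp(s, "md5", 3) == 0 &&
           strspn(s + 3, "0123456789abcdef") == 32;
}

/* SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, fields non-empty.
 * Shape check only: base64 decoding and key lengths are not verified. */
static int is_scram(const char *s)
{
    static const char prefix[] = "SCRAM-SHA-256$";
    if (strncmp(s, prefix, sizeof(prefix) - 1) != 0) return 0;
    const char *p = s + sizeof(prefix) - 1;
    size_t digits = strspn(p, "0123456789");
    if (digits == 0 || p[digits] != ':') return 0;
    const char *dollar = strchr(p + digits + 1, '$');
    if (dollar == NULL || dollar == p + digits + 1) return 0; /* empty salt */
    const char *colon = strchr(dollar + 1, ':');
    return colon != NULL && colon != dollar + 1 && colon[1] != '\0';
}

static pw_type classify(const char *s)
{
    return is_md5(s) ? PW_MD5 : is_scram(s) ? PW_SCRAM_SHA_256 : PW_PLAINTEXT;
}

/* existing == NULL means the role has no password yet (hypothetical helper). */
static int can_add_password(const char *existing, const char *incoming)
{
    pw_type t = classify(incoming);
    if (t == PW_PLAINTEXT) return 0;  /* assumption: caller hashes before storing */
    return existing == NULL || classify(existing) == t;
}

int main(void)
{
    printf("md5+md5=%d md5+scram=%d\n",
           can_add_password(MD5_A, MD5_B), can_add_password(MD5_A, SCRAM_A));
    return 0;
}
```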