Re: Pasword expiration warning - Mailing list pgsql-hackers

From Gilles Darold
Subject Re: Pasword expiration warning
Date
Msg-id a59f9307-369d-4e4d-b798-512b054ba968@darold.net
In response to Re: Pasword expiration warning  (Zsolt Parragi <zsolt.parragi@percona.com>)
Responses Re: Pasword expiration warning
List pgsql-hackers
On 28/01/2026 at 20:25, Zsolt Parragi wrote:
> Hello!
>
> A first question: have you looked at the GoAway patch[1]? While that
> isn't exactly about the same situation, it was already considered for
> password expiration checks in[2], and the same idea could be useful
> for this situation too, especially in the context of my last question
> in this email.

I didn't know about this thread before you mentioned it. From a quick read 
of the thread, it looks like this GoAway protocol addition is used to ask 
the client to disconnect/reconnect. Here we just want to emit a 
warning at connection to inform the user that his password will expire, 
and it doesn't need re-connection at all. Anyway, I will have a deeper 
look at this thread.


> + /*
> + * Message to send to the client in case of connection success.
> + * When not NULL a WARNING message is sent to the client at end
> + * of the connection in src/backend/utils/init/postinit.c at
> + * enf of InitPostgres(). For example, it is use to show the
> + * password expiration warning.
> + */
> + const char *warning_message;
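
Review bot: the comment on warning_message says the WARNING is sent "at end of the connection", while the same sentence places it at the end of InitPostgres(), so it reads as session end when it means the end of connection startup; reword it. Also fix "enf of" to "end of" and "it is use" to "it is used", and state in this comment whether the field is deliberately left out of the ClientConnectionInfo serialization.
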
>
> Handling of this new variable is missing from
> EstimateClientConnectionInfoSpace and SerializeClientConnectionInfo,
> which the struct explicitly asks for a few lines above this change.
> Even if you think that's not necessary for some reason, it should be
> explained to avoid confusing readers.

This is intentional because this message is only emitted at the main 
connection and doesn't need to be in the 
MyClientConnectionInfo serialization. I forgot to add a comment, I will do so.


> + * Password OK, but check if rolvaliduntil is less than GUC
> + * password_expire_warning days to send a warning to the client
> + */
> + if (!isnull && password_expire_warning > 0 && vuntil < PG_INT64_MAX)
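
Review bot: the comment above the if describes password_expire_warning as a number of days, but the later comparison in this patch tests it against a value computed in seconds; state the unit of the GUC once and use it consistently in the comment and the code. The vuntil < PG_INT64_MAX test also depends on the raw sentinel value for an infinite timestamp, so a named finiteness check would make the intent explicit.
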
>
> Could this use TIMESTAMP_NOT_FINITE?

Thanks, it will be fixed too.


> And I think that "days"  should be "seconds".
>
> + TimestampTz result = (vuntil - now) / USECS_PER_SEC; /* in seconds */
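
Review bot: result is declared as TimestampTz but holds a duration in seconds, not a point in time. Declaring it as a plain 64-bit integer would match what the value is, and the (TimestampTz) cast on password_expire_warning in the later comparison would no longer be needed.
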
>
> Maybe call this variable something more descriptive, like
> seconds_until_expiration?
>
> +
> + if (result <= (TimestampTz) password_expire_warning)
> + {
> + MyClientConnectionInfo.warning_message =
> + psprintf(_("your password will expire in %d day(s)"),
> + (int) (result / SECS_PER_DAY));
> + }
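
Review bot: in the psprintf() call, (int) (result / SECS_PER_DAY) truncates, so any remaining time under one day is reported as "0 day(s)"; round up or handle the last day separately so the message stays meaningful. The "day(s)" wording is also hard to translate correctly; a real plural form for the message would be preferable.
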
>
> This is not that useful on the last day - have you considered
> displaying hours if the expiration date is within a day, or maybe
> HH:MM?

When you see that the password is about to expire in 0 days, do you 
really think that saying it will expire in 12h30m42s will encourage the 
user to change it now? If he didn't do that in the previous days, he will 
probably not do it in the hour either. Quite useless IMO, but if there are more 
votes to have HH:MM, why not.

-- 
Gilles Darold
http://hexacluster.ai/
