Thread: How to set an expiration date for a WHOLE user account

How to set an expiration date for a WHOLE user account

From
Együd Csaba
Date:
Hi,
I'm wonder how I can disable a user (without droping of course). Is there a
way to set an expiration date to prevent logins after that date?

I know the VALID UNTIL clause of CREATE USER command, but it is about the
password only.
I think something similar but regarding the whole user account.


Thanks,
-- Csaba Együd

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.6.9 - Release Date: 2005.06.11.




--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.6.9 - Release Date: 2005.06.11.


Re: How to set an expiration date for a WHOLE user account

From
"Qingqing Zhou"
Date:
"Egy�d Csaba" <csegyud@vnet.hu> writes
>
> I'm wonder how I can disable a user (without droping of course). Is there
a
> way to set an expiration date to prevent logins after that date?
>
> I know the VALID UNTIL clause of CREATE USER command, but it is about the
> password only.
> I think something similar but regarding the whole user account.
>

It is not about password only. Once current date is beyond the valid date
you set, the user can never get authorized ok anymore.

Regards,
Qingqing



Re: How to set an expiration date for a WHOLE user account

From
Tom Lane
Date:
"Qingqing Zhou" <zhouqq@cs.toronto.edu> writes:
> "Egy�d Csaba" <csegyud@vnet.hu> writes
>> I know the VALID UNTIL clause of CREATE USER command, but it is about the
>> password only.
>> I think something similar but regarding the whole user account.

> It is not about password only. Once current date is beyond the valid date
> you set, the user can never get authorized ok anymore.

He's right, you're not: that check is only applied in the
password-based authorization path.

This has always seemed a bit bogus to me too --- would not object to
a well-thought-out patch to change it.

            regards, tom lane

Re: How to set an expiration date for a WHOLE user account

From
Zlatko Matić
Date:
Hi.
Concerning Együd's question, I also wanted to ask about setting expiration
date for database. But, I would like to set validity in sense of certain
actions.
For example, I would like to prevent adding new records after expiration,
but would allow viewing existing records....
Is there any way to acomplish that?
Greetings,
Zlatko

----- Original Message -----
From: "Tom Lane" <tgl@sss.pgh.pa.us>
To: "Qingqing Zhou" <zhouqq@cs.toronto.edu>
Cc: <pgsql-general@postgresql.org>
Sent: Wednesday, June 15, 2005 7:08 AM
Subject: Re: [GENERAL] How to set an expiration date for a WHOLE user
account


> "Qingqing Zhou" <zhouqq@cs.toronto.edu> writes:
>> "Együd Csaba" <csegyud@vnet.hu> writes
>>> I know the VALID UNTIL clause of CREATE USER command, but it is about
>>> the
>>> password only.
>>> I think something similar but regarding the whole user account.
>
>> It is not about password only. Once current date is beyond the valid date
>> you set, the user can never get authorized ok anymore.
>
> He's right, you're not: that check is only applied in the
> password-based authorization path.
>
> This has always seemed a bit bogus to me too --- would not object to
> a well-thought-out patch to change it.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if your
>      joining column's datatypes do not match


Re: How to set an expiration date for a WHOLE user account

From
Bruno Wolff III
Date:
On Wed, Jun 15, 2005 at 13:34:39 +0200,
  Zlatko Mati? <zlatko.matic1@sb.t-com.hr> wrote:
> Hi.
> Concerning Együd's question, I also wanted to ask about setting expiration
> date for database. But, I would like to set validity in sense of certain
> actions.
> For example, I would like to prevent adding new records after expiration,
> but would allow viewing existing records....
> Is there any way to acomplish that?

Possibly you could do what you want by using AFTER triggers on all of the
tables. This will only be practical if the users with update access do
not own the tables.

Re: How to set an expiration date for a WHOLE user account

From
"Qingqing Zhou"
Date:
"Tom Lane" <tgl@sss.pgh.pa.us> writes:
>
> He's right, you're not: that check is only applied in the
> password-based authorization path.
>
> This has always seemed a bit bogus to me too --- would not object to
> a well-thought-out patch to change it.
>

If we add a "VALID UNTIL" column in pg_hba.conf, then will work for all
authorization path?

Regards,
Qingqing