Thread: How to set an expiration date for a WHOLE user account
Hi, I'm wonder how I can disable a user (without droping of course). Is there a way to set an expiration date to prevent logins after that date? I know the VALID UNTIL clause of CREATE USER command, but it is about the password only. I think something similar but regarding the whole user account. Thanks, -- Csaba Együd -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.9 - Release Date: 2005.06.11. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.9 - Release Date: 2005.06.11.
"Egy�d Csaba" <csegyud@vnet.hu> writes > > I'm wonder how I can disable a user (without droping of course). Is there a > way to set an expiration date to prevent logins after that date? > > I know the VALID UNTIL clause of CREATE USER command, but it is about the > password only. > I think something similar but regarding the whole user account. > It is not about password only. Once current date is beyond the valid date you set, the user can never get authorized ok anymore. Regards, Qingqing
"Qingqing Zhou" <zhouqq@cs.toronto.edu> writes:
> "Egy�d Csaba" <csegyud@vnet.hu> writes
>> I know the VALID UNTIL clause of CREATE USER command, but it is about the
>> password only.
>> I think something similar but regarding the whole user account.
> It is not about password only. Once current date is beyond the valid date
> you set, the user can never get authorized ok anymore.
He's right, you're not: that check is only applied in the
password-based authorization path.
This has always seemed a bit bogus to me too --- would not object to
a well-thought-out patch to change it.
regards, tom lane
Hi. Concerning Együd's question, I also wanted to ask about setting expiration date for database. But, I would like to set validity in sense of certain actions. For example, I would like to prevent adding new records after expiration, but would allow viewing existing records.... Is there any way to acomplish that? Greetings, Zlatko ----- Original Message ----- From: "Tom Lane" <tgl@sss.pgh.pa.us> To: "Qingqing Zhou" <zhouqq@cs.toronto.edu> Cc: <pgsql-general@postgresql.org> Sent: Wednesday, June 15, 2005 7:08 AM Subject: Re: [GENERAL] How to set an expiration date for a WHOLE user account > "Qingqing Zhou" <zhouqq@cs.toronto.edu> writes: >> "Együd Csaba" <csegyud@vnet.hu> writes >>> I know the VALID UNTIL clause of CREATE USER command, but it is about >>> the >>> password only. >>> I think something similar but regarding the whole user account. > >> It is not about password only. Once current date is beyond the valid date >> you set, the user can never get authorized ok anymore. > > He's right, you're not: that check is only applied in the > password-based authorization path. > > This has always seemed a bit bogus to me too --- would not object to > a well-thought-out patch to change it. > > regards, tom lane > > ---------------------------(end of broadcast)--------------------------- > TIP 9: the planner will ignore your desire to choose an index scan if your > joining column's datatypes do not match
On Wed, Jun 15, 2005 at 13:34:39 +0200, Zlatko Mati? <zlatko.matic1@sb.t-com.hr> wrote: > Hi. > Concerning Együd's question, I also wanted to ask about setting expiration > date for database. But, I would like to set validity in sense of certain > actions. > For example, I would like to prevent adding new records after expiration, > but would allow viewing existing records.... > Is there any way to acomplish that? Possibly you could do what you want by using AFTER triggers on all of the tables. This will only be practical if the users with update access do not own the tables.
"Tom Lane" <tgl@sss.pgh.pa.us> writes: > > He's right, you're not: that check is only applied in the > password-based authorization path. > > This has always seemed a bit bogus to me too --- would not object to > a well-thought-out patch to change it. > If we add a "VALID UNTIL" column in pg_hba.conf, then will work for all authorization path? Regards, Qingqing