Re: Periodic authorization expiration checks using GoAway message

On Wed, Dec 10, 2025 at 10:20:46PM +0100, Jelte Fennema-Nio wrote:
> On Wed, 10 Dec 2025 at 21:02, Jacob Champion
> <jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> >
> > (To call it out explicitly: I work with Ajit, and I asked him to take
> > a look at GoAway, and I'm particularly interested in the
> > "reauthenticate or else" case. Let me know if any of that is
> > problematic -- or if anyone's worried that it will become so -- so I
> > can course-correct sooner rather than later.)
>
> I think password rollover without downtime requires more thought than
> discussed in this thread so far. Currently the simplest way (that I
> know of) to rollover passwords without downtime is to have two users
> that you can switch between, and one has been configured with:
> ALTER USER b SET ROLE = a;
>
> So both effectively log in as a.

I have often thought we should allow two passwords for each user for
such password rotation purposes.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.