Re: Periodic authorization expiration checks using GoAway message

On Wed, Dec 10, 2025 at 10:20:46PM +0100, Jelte Fennema-Nio wrote:
> On Wed, 10 Dec 2025 at 21:02, Jacob Champion
> <jacob.champion@enterprisedb.com> wrote:
> >
> > (To call it out explicitly: I work with Ajit, and I asked him to take
> > a look at GoAway, and I'm particularly interested in the
> > "reauthenticate or else" case. Let me know if any of that is
> > problematic -- or if anyone's worried that it will become so -- so I
> > can course-correct sooner rather than later.)
> 
> I think password rollover without downtime requires more thought than
> discussed in this thread so far. Currently the simplest way (that I
> know of) to rollover passwords without downtime is to have two users
> that you can switch between, and one has been configured with:
> ALTER USER b SET ROLE = a;
> 
> So both effectively log in as a.

I have often thought we should allow two passwords for each user for
such password rotation purposes.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.