Reset password expiration date to NULL in PostgreSQL
-
07-01-2021 - |
Question
We are cleaning out/standardising DB user/application accounts on the system that has a mix of accounts that were created using different commands at different times by different individuals.
We have a situation where for some of the accounts, the password expiration date attribute has been explicitly set to infinity and for some, it has not as per:
postgres=# \du+ List of roles
Role name | Attributes | Member of | Description
------------------+------------------------------------------------------------+-----------+-----------------------------------------------------------------------------------------
user_1 | | {} |
user_2 | | {} |
user_3 | Password valid until infinity | {} |
user_4 | Password valid until infinity | {} |
so that:
postgres=# SELECT * FROM pg_shadow;
usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls | passwd | valuntil | useconfig
---------------+----------+-------------+----------+---------+--------------+-------------------------------------+----------+-----------
user_1 | 12345 | f | f | f | f | md5_foo | |
user_2 | 12346 | f | f | f | f | md5_foo | |
user_3 | 12347 | f | f | f | f | md5_bar | infinity |
user_4 | 12348 | f | f | f | f | md5_bar | infinity |
(4 rows)
and:
postgres=# SELECT * FROM pg_roles;
rolname | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil | rolbypassrls | rolconfig | oid
---------------+----------+------------+---------------+-------------+-------------+----------------+--------------+-------------+---------------+--------------+-----------+-------
user_1 | f | f | f | f | t | f | -1 | ******** | | f | | 12345
user_1 | f | f | f | f | t | f | -1 | ******** | | f | | 12346
user_1 | f | f | f | f | t | f | -1 | ******** | infinity | f | | 12347
user_1 | f | f | f | f | t | f | -1 | ******** | infinity | f | | 12348
(4 rows)
E.g.: user_1
and user_2
were created with:
CREATE USER user_1/2 WITH ENCRYPTED PASSWORD 'foo';
whereas user_3
and user_4
were created with:
CREATE USER user_3/4 WITH ENCRYPTED PASSWORD 'bar' VALID UNTIL 'infinity';
We want to reset the VALID UNTIL
attribute so that:
postgres=# \du+ List of roles
Role name | Attributes | Member of | Description
------------------+------------------------------------------------------------+-----------+-----------------------------------------------------------------------------------------
user_1 | | {} |
user_2 | | {} |
user_3 | | {} |
user_4 | | {} |
We have tried, unsuccessfully:
ALTER ROLE user_1/2 WITH VALID UNTIL NULL;
ALTER ROLE user_1/2 WITH VALID UNTIL '';
ALTER ROLE user_1/2 WITH VALID UNTIL DEFAULT;
So the question is, is it possible to reset the password expiration date role attribute to NULL
/DEFAULT
, preferably without having to recreate the role?
Solution
We have been able to reset the password expiration date to NULL
with:
UPDATE pg_authid
SET rolvaliduntil = NULL
WHERE rolname IN (
SELECT rolname
FROM pg_authid
WHERE rolvaliduntil IS NOT NULL
);
That cleared the Attributes
column for user_1/2
.