VMware Tanzu Greenplum

  • 1.  Greenplum 7.3.0 -> VALID UNTIL 'timestamp' is not working.

    Posted Aug 13, 2025 12:35 PM

    I have the newest Greenplum Database version -> the 7.3.0.

    I noted that the VALID UNTIL 'timestamp' is not working correctly. I mean if I create user via CREATE USER test_user WITH PASSWORD 'Password123!' VALID UNTIL 'Jul 31 15:30:00 2025 +0' then I can see the correct row in the select rolname, rolvaliduntil from pg_authid where rolname = 'test_user' It means I can connect with this user to the database. The issue is, when the valid until timestamp comes… the new logins are not blocked.


    Link to the documentation: https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum/7/greenplum-database/ref_guide-sql_commands-ALTER_ROLE.html



    -------------------------------------------


  • 2.  RE: Greenplum 7.3.0 -> VALID UNTIL 'timestamp' is not working.

    Broadcom Employee
    Posted Aug 13, 2025 03:51 PM

    Thanks for reporting the issue. We will look into this.

    -------------------------------------------



  • 3.  RE: Greenplum 7.3.0 -> VALID UNTIL 'timestamp' is not working.

    Broadcom Employee
    Posted Aug 19, 2025 12:23 PM
    Edited by Sunil Seetharama Aug 19, 2025 12:26 PM

    >  It means I can connect with this user to the database. The issue is, when the valid until timestamp comes… the new logins are not blocked.

    What is the `authentication method` used in the pg_hba.conf for this `test_user` ?

    Note , if the authentication method is `trust` even though the password expires the login is not blocked but if it is a `password`(or any other type which verifies password) then it will throw error like below

    FATAL:  password authentication failed for user "test_user"


    If we check the server log it will show  below log snippet

    "FATAL","28P01","password authentication failed for user ""test_user""","User ""test_user"" has an expired password.


    The VALID UNTIL clause applies only to the current password and is enforced only if the authentication method uses it. Once the validity period expires, authentication will fail with an error.

    Also, please double-check that the timezone used when creating the role matches the system's configured timezone.


    Please share the authentication method you've configured in your pg_hba.conf file so we can assist you more effectively.

    For more information on supported authentication type please check the reference guide.


    -------------------------------------------



  • 4.  RE: Greenplum 7.3.0 -> VALID UNTIL 'timestamp' is not working.

    Posted Aug 29, 2025 09:16 AM

    VALID UNTIL in Greenplum 7.3.0 only works with password-based authentication. If your pg_hba.conf uses trust (or another non-password method), the expiry won't be enforced. Switch to md5 or scram-sha-256 in pg_hba.conf for the user, then reload-logins will be blocked after the set timestamp.

    -------------------------------------------