VMware Tanzu Greenplum

I have the newest Greenplum Database version -> the 7.3.0.

I noted that the VALID UNTIL 'timestamp' is not working correctly. I mean if I create user via CREATE USER test_user WITH PASSWORD 'Password123!' VALID UNTIL 'Jul 31 15:30:00 2025 +0' then I can see the correct row in the select rolname, rolvaliduntil from pg_authid where rolname = 'test_user' It means I can connect with this user to the database. The issue is, when the valid until timestamp comes… the new logins are not blocked.

Link to the documentation: https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-greenplum/7/greenplum-database/ref_guide-sql_commands-ALTER_ROLE.html

Thanks for reporting the issue. We will look into this.

>  It means I can connect with this user to the database. The issue is, when the valid until timestamp comes… the new logins are not blocked.

What is the `authentication method` used in the pg_hba.conf for this `test_user` ?

Note , if the authentication method is `trust` even though the password expires the login is not blocked but if it is a `password`(or any other type which verifies password) then it will throw error like below

FATAL:  password authentication failed for user "test_user"


If we check the server log it will show  below log snippet

"FATAL","28P01","password authentication failed for user ""test_user""","User ""test_user"" has an expired password.


The VALID UNTIL clause applies only to the current password and is enforced only if the authentication method uses it. Once the validity period expires, authentication will fail with an error.

Also, please double-check that the timezone used when creating the role matches the system's configured timezone.

Please share the authentication method you've configured in your pg_hba.conf file so we can assist you more effectively.

For more information on supported authentication type please check the reference guide.

-------------------------------------------

VALID UNTIL in Greenplum 7.3.0 only works with password-based authentication. If your pg_hba.conf uses trust (or another non-password method), the expiry won't be enforced. Switch to md5 or scram-sha-256 in pg_hba.conf for the user, then reload-logins will be blocked after the set timestamp.